IPv6 DNS requests show gateway address only

Hi,

First of all, I have successfully set up IPv4 + IPv6 in combination with Docker/Pi-hole. But there is one problem which I'd like to resolve with IPv6.

The problem
All clients on the network that are doing DNS requests over IPv6 get aggregated. This means that all DNS requests are made from one IPv6 address (the gateway address of the Docker network bridge), as shown in the 'query log' of Pi-hole. In this case its address is: fd00::2:0:0:1

My expectation is that each individual client is shown in the 'query log', just like it is with IPv4 addresses.

Server information

  IPv4 address for br-13dc11d92a9b: 172.22.0.1
  IPv6 address for br-13dc11d92a9b: fd00::2:0:0:1
  IPv4 address for enp4s0:          10.0.10.5
  IPv6 address for enp4s0:          2a02:a230:d105:10:be5f:f4ff:fee1:e590

Docker compose

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:v5.8.1
    ports:
      - '53:53/tcp'
      - '53:53/udp'
    networks:
      public.network:

networks:
  public.network:
    enable_ipv6: true
    driver: bridge
    ipam:
      config:
        - subnet: fd00::2:0:0:0/80

When I invoke nslookup from any client:

nslookup google.com 10.0.10.5   --> Pi-hole query log shows the IP of the client (so this is correct)
nslookup google.com 2a02:a230:d105:10:be5f:f4ff:fee1:e590 --> Pi-hole query log shows the IP of the gateway address (fd00::2:0:0:1, **incorrect**, I would like to see the client IP as well...)

Can this be fixed somehow? If you miss any information, let me know.

This is not related to Pi-hole:
It is Docker that is NATing traffic crossing the boundaries of its bridge network.
You should consider their documentation and support to address your issue as well.

For a start, you could try to use a different Docker network mode (e.g. host mode) to avoid NAT.

I know this is not directly related to Pi-hole. The chances are that someone stumbled across this issue as well with Pi-hole. Network mode host is not really an option. I might reach out to the Docker community as well.

Until very recently I was running pi-hole in a container - and observed the same thing you did. All of my IPv6 traffic was coming from a NAT address due to how docker was managing the network.

I did not try running with --network host, but that might fix the issue by simply allowing your container to have direct access to the host network stack. I don't know the docker compose syntax (sorry).

I just lived with the limitation (until I caved and got a Rpi4 to be a dedicated pi-hole).

I also explored the macvlan option ("Docker and macvlan networking (IPv4) – Roo's View") - but never got a suitable solution to deal with IPv6 for macvlan (I believe it is possible, but docker + IPv6 is out on the hairy edge of sort of working from what I can tell).
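
The host-mode suggestion from the replies above, written in Compose syntax as an added example that is not part of the original posts. It reuses the service name and image tag from the question and assumes nothing else on the host is already listening on port 53.

```yaml
# Added example: Pi-hole on the host network stack, so Docker performs no
# NAT and the query log records each client's own IPv4/IPv6 source address
# instead of the bridge gateway (fd00::2:0:0:1 in the question).
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:v5.8.1   # image tag taken from the question
    # Share the host's network namespace. The "ports:" and "networks:"
    # entries from the bridge setup are dropped: Compose rejects them in
    # combination with host mode, and the container binds directly to
    # port 53 on the host's own addresses.
    network_mode: host

# To verify, repeat the IPv6 lookup from the question on a client:
#   nslookup google.com 2a02:a230:d105:10:be5f:f4ff:fee1:e590
# The query log should then list that client's IPv6 address.
```

In host mode the container no longer has the network isolation the bridge provided, so every port it opens is reachable on the host's addresses and the host firewall is what limits access.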
