Distributing an IPv6 DNS search domain and NTP server via DHCP6 (Fritzbox with Pihole)

My goal

I want to distribute the IPv6 address of my Pihole as NTP server to the clients via DHCP6, plus the DNS search domain "internal".

Question

How do I have to configure Pihole (and, if necessary, the Fritzbox) to achieve this?
(Pihole as DNS server is already distributed by the Fritzbox via RA, so that part works.)

Existing configuration

Fritzbox:

Internet access data / DNSv6 server: fd00::ebc3:6948:68ee:2f9 (my Pihole)
Network / Advanced network settings / IPv6:

  • Router Advertisement active in LAN: enabled
  • Always assign Unique Local Addresses (ULAs) (ULA prefix: fd00::/64)
  • Also announce DNSv6 server via Router Advertisement (RFC 5006): enabled
  • Local DNSv6 server: fd00::ebc3:6948:68ee:2f9 (my Pihole)
  • Disable DHCPv6 server in the FRITZ!Box: enabled,
    option "enable the O flag in the FRITZ!Box's Router Advertisement messages": selected

Pihole:

  • ntp.ipv6.active: Enabled
  • dhcp.ipv6: Enabled --> but this causes the Pihole to send an additional RA, which a) results in a duplicate default route (one to the Fritzbox and one to the Pihole) and b) makes the pihole register itself as gateway (fe80::3e24:71fd:bb9:2a62). See the example below.

Effect on a client (a Raspberry Pi named "pi1b"):

Behaviour before and after enabling DHCP6 on the Pihole:

dhcp.ipv6: disabled

christian@pi1b:~ $ nmcli -f ip6,dhcp6 con s "Wired connection 1" 
IP6.ADDRESS[1]:                         2003:c1:c74d:c400:1b6a:3ba:79f8:d5cf/64
IP6.ADDRESS[2]:                         fd00::54b3:7340:eb62:f135/64
IP6.ADDRESS[3]:                         fe80::bb1:2ea8:96b6:c165/64
IP6.GATEWAY:                            fe80::1eed:6fff:fe44:c2c5
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
IP6.ROUTE[2]:                           dst = fd00::/64, nh = ::, mt = 100
IP6.ROUTE[3]:                           dst = 2003:c1:c74d:c400::/64, nh = ::, mt = 100
IP6.ROUTE[4]:                           dst = fd00::/64, nh = fe80::1eed:6fff:fe44:c2c5, mt = 105
IP6.ROUTE[5]:                           dst = 2003:c1:c74d:c400::/56, nh = fe80::1eed:6fff:fe44:c2c5, mt = 100
IP6.ROUTE[6]:                           dst = ::/0, nh = fe80::1eed:6fff:fe44:c2c5, mt = 100
IP6.DNS[1]:                             fd00::ebc3:6948:68ee:2f9

dhcp.ipv6: enabled

christian@pi1b:~ $ nmcli -f ip6,dhcp6 con s "Wired connection 1" 
IP6.ADDRESS[1]:                         2003:c1:c74d:c400:1b6a:3ba:79f8:d5cf/64
IP6.ADDRESS[2]:                         fd00::54b3:7340:eb62:f135/64
IP6.ADDRESS[3]:                         fe80::bb1:2ea8:96b6:c165/64
IP6.GATEWAY:                            fe80::3e24:71fd:bb9:2a62
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
IP6.ROUTE[2]:                           dst = fd00::/64, nh = ::, mt = 100
IP6.ROUTE[3]:                           dst = 2003:c1:c74d:c400::/64, nh = ::, mt = 100
IP6.ROUTE[4]:                           dst = fd00::/64, nh = fe80::1eed:6fff:fe44:c2c5, mt = 105
IP6.ROUTE[5]:                           dst = 2003:c1:c74d:c400::/56, nh = fe80::1eed:6fff:fe44:c2c5, mt = 100
IP6.ROUTE[6]:                           dst = ::/0, nh = fe80::3e24:71fd:bb9:2a62, mt = 100
IP6.ROUTE[7]:                           dst = ::/0, nh = fe80::1eed:6fff:fe44:c2c5, mt = 100
IP6.DNS[1]:                             fd00::ebc3:6948:68ee:2f9
IP6.DNS[2]:                             2003:c1:c74d:c400:6899:9634:3c37:333e
IP6.SEARCHES[1]:                        internal
DHCP6.OPTION[1]:                        dhcp6_client_id = 00:04:47:7d:db:e7:f4:9f:f6:be:30:41:70:58:ae:58:e3:6f
DHCP6.OPTION[2]:                        dhcp6_domain_search = internal
DHCP6.OPTION[3]:                        dhcp6_name_servers = fd00::ebc3:6948:68ee:2f9
DHCP6.OPTION[4]:                        iaid = 2b:50:67:35

I don't have any means to test because I don't have IPv6 on my LAN, but below are some pointers that might be helpful:

$ pihole-FTL --list-dhcp6
Known DHCPv6 options:
[..]
 24 domain-search
[..]
 31 sntp-server
[..]
 56 ntp-server
$ man dnsmasq
[..]
       -O,     --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-en‐
       cap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-
       name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
              Specify  different  or extra options to DHCP clients. By de‐
              fault, dnsmasq sends some standard options to DHCP  clients,
              the netmask and broadcast address are set to the same as the
              host running dnsmasq, and the DNS server and  default  route
              are  set  to  the  address  of  the machine running dnsmasq.
              (Equivalent rules apply for IPv6.) If the domain name option
              has been set, that is sent.  This configuration allows these
              defaults to be overridden, or other options  specified.  The
              option,  to  be  sent may be given as a decimal number or as
              "option:<option-name>" The option numbers are  specified  in
              RFC2132  and  subsequent RFCs. The set of option-names known
              by dnsmasq can be  discovered  by  running  "dnsmasq  --help
              dhcp".   For  example,  to  set  the default route option to
              192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option
              =  option:router, 192.168.4.4 and to set the time-server ad‐
              dress to 192.168.0.4, do --dhcp-option =  42,192.168.0.4  or
              --dhcp-option  =  option:ntp-server, 192.168.0.4 The special
              address 0.0.0.0 is taken to mean "the address of the machine
              running dnsmasq".
[..]
              IPv6 options are specified using the option6: keyword,  fol‐
              lowed  by  the option number or option name. The IPv6 option
              name space is disjoint from the IPv4 option name space. IPv6
              addresses in options must be bracketed with square brackets,
              eg.  --dhcp-option=option6:ntp-server,[1234::56]  For  IPv6,
              [::]  means  "the global address of the machine running dns‐
              masq", whilst [fd00::] is replaced with the ULA, if  it  ex‐
              ists, and [fe80::] with the link-local address.

The man page above can be referenced below:

Those dhcp-option=option6 directives can be added via the misc.dnsmasq_lines "expert" setting on the Pi-hole webGUI or you can activate the misc.etc_dnsmasq_d setting and drop the directives in a new config file of your own.

The command below shows IPv6 RA details (including the source MAC address of the RA etc.):

sudo pihole-FTL dhcp-discover

If you install nmap with the command below:

sudo apt install nmap

You can try running the command below to check what's advertised via DHCPv6:

sudo nmap -6 --script broadcast-dhcp6-discover

FYI:

$ apt show nmap
[..]
 Nmap is a utility for network exploration or security auditing. It
 supports ping scanning (determine which hosts are up), many port
 scanning techniques, version detection (determine service protocols
 and application versions listening behind ports), and TCP/IP
 fingerprinting (remote host OS or device identification). Nmap also
 offers flexible target and port specification, decoy/stealth scanning,
 sunRPC scanning, and more. Most Unix and Windows platforms are
 supported in both GUI and commandline modes. Several popular handheld
 devices are also supported, including the Sharp Zaurus and the iPAQ.
$ cat /usr/share/nmap/scripts/broadcast-dhcp6-discover.nse
[..]
-- @usage
-- nmap -6 --script broadcast-dhcp6-discover
--
-- @output
-- | broadcast-dhcp6-discover:
-- |   Interface: en0
-- |     Message type: Advertise
-- |     Transaction id: 74401
-- |     Options
-- |       Client identifier: MAC: 68:AB:CD:EF:AB:CD; Time: 2012-01-24 20:36:48
-- |       Server identifier: MAC: 08:FE:DC:BA:98:76; Time: 2012-01-20 11:44:58
-- |       Non-temporary Address: 2001:db8:1:2:0:0:0:1000
-- |       DNS Servers: 2001:db8:0:0:0:0:0:35
-- |       Domain Search: example.com, sub.example.com
-- |_      NTP Servers: 2001:db8:1111:0:0:0:0:123, 2001:db8:1111:0:0:0:0:124
Unlike the router, Pi-hole by default does not offer any routes via RAs at all, neither in response to a Router Solicitation actively sent by a client nor via the regular periodic RAs.

Actively requested via Router Solicitation (sudo pihole-FTL dhcp-discover)

Router:

* Received 136 bytes from fe80::<fritz.box.LLA.iid> @ eth0
Hop limit: 255
Stateful address conf.: No
Stateful other conf.: No
Mobile home agent: No
Router preference: High
Neighbor discovery proxy: No
Router lifetime: 1800 s
Reachable time: N/A
Retransmit time: N/A
- Prefix: fd08:<ULA.prefix.details>::/64
  Valid lifetime: 7200 sec
  Preferred lifetime: 3600 sec
  On-link: Yes
  Autonomous address conf.: Yes
- Prefix: 2001:<GUA.prefix.details>::/64
  Valid lifetime: 7200 sec
  Preferred lifetime: 3600 sec
  On-link: Yes
  Autonomous address conf.: Yes
MTU: 1492 bytes (valid)
- Route: ::/0
  Route preference: High
  Route lifetime: 1800 sec
- Route: 2001:<GUA.prefix.details>::/56
  Route preference: High
  Route lifetime: 1800 sec
- Route: fd08:<ULA.prefix.details>::/64
  Route preference: High
  Route lifetime: 1800 sec

Pi-hole:

* Received 120 bytes from fe80::<machine.hosting.pihole.LLA.iid> @ eth0
Hop limit: 64
Stateful address conf.: No
Stateful other conf.: Yes
Mobile home agent: No
Router preference: Medium
Neighbor discovery proxy: No
Router lifetime: 1800 s
Reachable time: N/A
Retransmit time: N/A
- Prefix: fd08:<ULA.prefix.details>::/64
  Valid lifetime: 7194 sec
  Preferred lifetime: 3594 sec
  On-link: Yes
  Autonomous address conf.: Yes
- Prefix: 2001:<GUA.prefix.details>::/64
  Valid lifetime: 7194 sec
  Preferred lifetime: 3594 sec
  On-link: Yes
  Autonomous address conf.: Yes
MTU: 1492 bytes (valid)
Recursive DNS server 1/1: 2001:<GUA.prefix.details>:<machine.hosting.pihole.GUA.iid>
  DNS server lifetime: 3594 sec

Periodic Router Advertisement (sudo radvdump):

Router:

# radvd configuration generated by radvdump 2.19
# based on Router Advertisement from fe80::<fritz.box.LLA.iid>
# received by interface wlo1
interface wlo1
{
    AdvSendAdvert on;
    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 255;
    AdvDefaultLifetime 1800;
    AdvHomeAgentFlag off;
    AdvDefaultPreference high;
    AdvLinkMTU 1492;
    AdvSourceLLAddress on;
    prefix 2001:<GUA.prefix.details>::/64
    {
        AdvValidLifetime 7200;
        AdvPreferredLifetime 3600;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition
    prefix fd08:<ULA.prefix.details>::/64
    {
        AdvValidLifetime 7200;
        AdvPreferredLifetime 3600;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition
    route ::/0
    {
        AdvRoutePreference high;
        AdvRouteLifetime 1800;
    }; # End of route definition
    route 2001:<GUA.prefix.details>::/56
    {
        AdvRoutePreference high;
        AdvRouteLifetime 1800;
    }; # End of route definition
    route fd08:<ULA.prefix.details>::/64
    {
        AdvRoutePreference high;
        AdvRouteLifetime 1800;
    }; # End of route definition
}; # End of interface definition

Pi-hole:

# radvd configuration generated by radvdump 2.19
# based on Router Advertisement from fe80::<machine.hosting.pihole.LLA.iid>
# received by interface wlo1
interface wlo1
{
    AdvSendAdvert on;
    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
    AdvManagedFlag off;
    AdvOtherConfigFlag on;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 1800;
    AdvHomeAgentFlag off;
    AdvDefaultPreference medium;
    AdvLinkMTU 1492;
    AdvSourceLLAddress on;
    prefix 2001:<GUA.prefix.details>::/64
    {
        AdvValidLifetime 7084;
        AdvPreferredLifetime 3484;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition
    prefix fd08:<ULA.prefix.details>::/64
    {
        AdvValidLifetime 7084;
        AdvPreferredLifetime 3484;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition
    RDNSS 2001:<GUA.prefix.details>:<machine.hosting.pihole.GUA.iid>
    {
        AdvRDNSSLifetime 3484;
    }; # End of RDNSS definition
}; # End of interface definition
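As an added illustration (not code from any post in this thread or from Pi-hole), the following Python builds two Router Advertisements modelled on the Router and Pi-hole columns above and parses out the fields a client acts on: a non-zero Router lifetime is what makes the sender a default router, whether or not Route Information options are present, which is exactly why the Pi-hole RA produced the second ::/0 route in the first post. The addresses are constructed sample values and the ICMPv6 checksum is left at zero, since the kernel fills it in on a real send.

```python
import ipaddress
import struct

PREF = {0: "medium", 1: "high", 3: "low"}      # RFC 4191 2-bit router preference
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25

def build_ra(hop_limit, other_conf, pref, router_lifetime, options=b""):
    """ICMPv6 Router Advertisement header (RFC 4861 4.2); checksum left 0 here."""
    flags = (0x40 if other_conf else 0) | (pref << 3)    # 0x40 = O flag, bits 3-4 = Prf
    return struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, flags, router_lifetime, 0, 0) + options

def opt_prefix(prefix, valid, preferred):
    """Prefix Information option (type 3, 32 bytes) with the L and A flags set."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                       valid, preferred, 0) + net.network_address.packed

def opt_rdnss(addr, lifetime):
    """RDNSS option (type 25, RFC 8106) carrying one resolver address."""
    return struct.pack("!BBHI", OPT_RDNSS, 3, 0, lifetime) + ipaddress.IPv6Address(addr).packed

def parse_ra(pkt):
    """Extract the fields a host uses to decide whether the sender becomes a default router."""
    typ, _, _, hop, flags, lifetime, _, _ = struct.unpack_from("!BBHBBHII", pkt)
    if typ != 134:
        raise ValueError("not a Router Advertisement")
    info = {"hop_limit": hop, "managed": bool(flags & 0x80), "other_conf": bool(flags & 0x40),
            "preference": PREF.get((flags >> 3) & 3, "reserved"),
            "router_lifetime": lifetime, "default_router": lifetime > 0,
            "prefixes": [], "rdnss": []}
    i = 16
    while i + 2 <= len(pkt):
        otype, olen = pkt[i], pkt[i + 1] * 8
        if olen == 0 or i + olen > len(pkt):
            raise ValueError("malformed ND option")          # RFC 4861 4.6: length 0 is invalid
        body = pkt[i + 2:i + olen]
        if otype == OPT_PREFIX_INFO:
            info["prefixes"].append("%s/%d" % (ipaddress.IPv6Address(body[14:30]), body[0]))
        elif otype == OPT_RDNSS:
            info["rdnss"] += [str(ipaddress.IPv6Address(body[k:k + 16]))
                              for k in range(6, len(body) - 15, 16)]
        i += olen
    return info

# Constructed samples modelled on the two RAs in the dhcp-discover output above.
ROUTER_RA = build_ra(255, False, 1, 1800, opt_prefix("fd00::/64", 7200, 3600))
PIHOLE_RA = build_ra(64, True, 0, 1800, opt_prefix("fd00::/64", 7194, 3594) + opt_rdnss("fd00::12", 3594))
```

Parsing PIHOLE_RA gives default_router True with preference "medium", so a client installs it as a second default gateway next to the router; an RA with router lifetime 0 (what the router-lifetime argument of the ra-param line in the solution further down sets) parses as default_router False while still delivering the RDNSS option.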

Please upload a debug log and then post only the token URL here.
You generate the token via

pihole -d

If Pi-hole is running as a Docker container:

docker exec -it <pihole-container-name-or-id> pihole -d

replacing <pihole-container-name-or-id> appropriately.

In both cases, answer yes to the upload question at the end of the process.

Why do you want to change that at all?

Current operating systems usually obtain their IPv6 network parameters not via DHCPv6 but via NDP. There are even operating systems that do not support DHCPv6 at all; Android is the prime example.

Besides, Fritzboxes can offer themselves as NTP server in the home network. So why set up another NTP server?

And why do you want to establish a different internal domain?
The local domain in Fritzbox routers is fixed as fritz.box and cannot be changed.


Hi again,

thanks for reopening the thread. :)

To answer the question "Why all this?": as preparation for an internal domain of the form zuhause.beispiel.eu, which will then work with a reverse proxy and Let's Encrypt certificates. In the experimentation stage, though, "internal" is simply less typing than "zuhause.beispiel.eu" :) .

Here is the solution I have found in the meantime:

Pihole settings:

  • dns.domain.name: internal

  • dhcp.ipv6 disabled

  • misc.dnsmasq_lines has the following entries:

    # Options for all IPv4 networks
    dhcp-option=option:ntp-server,10.143.65.12,10.143.65.16

    # IPv6
    ra-param=*,low,0,0
    dhcp-range=::,constructor:*,ra-stateless
    dhcp-option=option6:dns-server,[fd00::12]
    dhcp-option=option6:ntp-server,[fd00::12],[fd00::16]
    dhcp-option=option6:domain-search,internal


Fritzbox settings:

  • Router Advertisement active in LAN: enabled
  • Always assign Unique Local Addresses (ULAs) (ULA prefix: fd00::/64): enabled
  • Also announce DNSv6 server via Router Advertisement (RFC 5006): enabled
  • Local DNSv6 server: fd00::12 (my Pihole)
  • Disable DHCPv6 server in the FRITZ!Box: enabled,
    option "enable the O flag in the FRITZ!Box's Router Advertisement messages": selected

On a client, this then results in the following configuration:

christian@flusi:~$ nmcli -f ip6,dhcp6 con s "Standard DHCP4_IPv6" 
IP6.ADDRESS[1]:                         2003:c1:c72a:db00:677c:ab09:1c4e:e76/64
IP6.ADDRESS[2]:                         fd00::7498:dee9:61b:e6e4/64
IP6.ADDRESS[3]:                         fd00::1bae:ca31:42e4:2c4e/64
IP6.ADDRESS[4]:                         2003:c1:c72a:db00:d4ee:7ee8:bc8f:780d/64
IP6.ADDRESS[5]:                         fe80::c05c:7f6a:5fcf:79bf/64
IP6.GATEWAY:                            fe80::1eed:6fff:fe44:c2c5
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
IP6.ROUTE[2]:                           dst = 2003:c1:c72a:db00::/64, nh = ::, mt = 100
IP6.ROUTE[3]:                           dst = fd00::/64, nh = ::, mt = 100
IP6.ROUTE[4]:                           dst = fd00::/64, nh = fe80::1eed:6fff:fe44:c2c5, mt = 105
IP6.ROUTE[5]:                           dst = 2003:c1:c72a:db00::/56, nh = fe80::1eed:6fff:fe44:c2c5, mt = 100
IP6.ROUTE[6]:                           dst = ::/0, nh = fe80::1eed:6fff:fe44:c2c5, mt = 100
IP6.DNS[1]:                             fd00::12
IP6.SEARCHES[1]:                        internal
DHCP6.OPTION[1]:                        dhcp6_client_id = 00:04:fe:47:69:5b:41:53:2b:44:9d:ec:66:04:1f:bd:c3:0f
DHCP6.OPTION[2]:                        dhcp6_domain_search = internal
DHCP6.OPTION[3]:                        dhcp6_name_servers = fd00::12
DHCP6.OPTION[4]:                        dhcp6_ntp_servers = fd00::12 fd00::16
DHCP6.OPTION[5]:                        iaid = ef:32:f7:d8

And the NTP server is also picked up by the Linux client with Chrony (Windows actually ignores it...):

christian@flusi:~$ chronyc -n sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 10.143.65.12                  2   6   377    23  -3890ns[ +746ns] +/- 6525us
^+ 10.143.65.16                  2   6   377    23   +102us[ +102us] +/- 6910us
^+ fd00::12                      2   6   377    21    +11us[  +11us] +/- 6568us
^? fd00::16                      0  10     0     -     +0ns[   +0ns] +/-    0ns
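As an added example (not code from this thread, Pi-hole or dnsmasq), the following Python shows what the two option6 lines in the solution above put on the wire: option 24 (Domain Search List, RFC 3646, names in RFC 1035 label format) and option 56 (NTP Server, RFC 5908, a list of sub-options of which the 16-byte unicast-address sub-option is handled here). The encoder and the length-checking decoder use the constructed values fd00::12, fd00::16 and "internal" from the solution.

```python
import ipaddress
import struct

OPT_DOMAIN_SEARCH, OPT_NTP_SERVER = 24, 56   # RFC 3646 / RFC 5908 option codes
NTP_SUBOPT_SRV_ADDR = 1                       # RFC 5908 sub-option: 16-byte unicast address

def encode_dns_name(name):
    """One name in RFC 1035 wire format: length-prefixed labels plus a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def decode_dns_names(data):
    """Decode a run of wire-format names; a label that overruns the buffer is an error."""
    names, labels, i = [], [], 0
    while i < len(data):
        n, i = data[i], i + 1
        if n == 0:
            names.append(".".join(labels)); labels = []
        elif i + n > len(data):
            raise ValueError("label overruns option body")
        else:
            labels.append(data[i:i + n].decode("ascii")); i += n
    return names

def build_options(search, ntp_servers):
    """Serialize options 24 and 56 as the server places them in a DHCPv6 Reply."""
    body24 = b"".join(encode_dns_name(d) for d in search)
    body56 = b"".join(struct.pack("!HH", NTP_SUBOPT_SRV_ADDR, 16) + ipaddress.IPv6Address(s).packed
                      for s in ntp_servers)
    return (struct.pack("!HH", OPT_DOMAIN_SEARCH, len(body24)) + body24
            + struct.pack("!HH", OPT_NTP_SERVER, len(body56)) + body56)

def parse_options(data):
    """Walk the option TLVs; unknown options are skipped, truncated ones rejected."""
    out, i = {"domain_search": [], "ntp_servers": []}, 0
    while i + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, i)
        body, i = data[i + 4:i + 4 + length], i + 4 + length
        if len(body) != length:
            raise ValueError("option %d truncated" % code)   # never trust the length field
        if code == OPT_DOMAIN_SEARCH:
            out["domain_search"] += decode_dns_names(body)
        elif code == OPT_NTP_SERVER:
            j = 0
            while j + 4 <= len(body):   # sub-options are themselves TLVs
                sub, sublen = struct.unpack_from("!HH", body, j)
                val, j = body[j + 4:j + 4 + sublen], j + 4 + sublen
                if sub == NTP_SUBOPT_SRV_ADDR and len(val) == 16:
                    out["ntp_servers"].append(str(ipaddress.IPv6Address(val)))
    return out
```

Round-tripping build_options(["internal"], ["fd00::12", "fd00::16"]) through parse_options yields the same dhcp6_domain_search and dhcp6_ntp_servers values that nmcli reports above.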