IPv6 DNS with DHCP disabled

Expected Behaviour:

I have a setup as follows:

  1. Main router which does IPv4 NAT and IPv6 Router Advertisement with RDNSS (ICMPv6 packets contain ISP's DNS addresses)
  2. OpenWRT access point which does IPv4 DHCP and local hostname resolution (based on the leases it gave); it also gets its IPv6 address via the RA/RS packets it gets from the Main router
  3. PiHole on a RaspberryPi3 with static IPv4 address and IPv6 obtained from the Main Router

Everything is in the same broadcast domain.

Unfortunately, since activating IPv6 in my network, my Windows PC only wants to get its addresses from my ISP's DNS servers, and doesn't even fall back to my local DNS servers (PiHole, OpenWRT or Main Router) when the ISP's servers don't know an address (for example, local devices). This means ads are no longer piholed...

PiHole is configured to use OpenWRT as the main DNS server for IPv4 and also to forward local queries to it (via Conditional Forwarding on web UI). I would like to configure it in a way in which it also advertises itself as a DNS server over IPv6 such that I can (1) block ads and (2) resolve local hostnames.
I also don't actually know if PiHole gets its IPv6 DNS servers from the router advertisements or not. I'm kind of wary to put the global IPv6 address of the router, since that might change (I have Prefix Delegation on a PPPoE connection). I could get away with using its LinkLocal address?

Actual Behaviour:

PiHole only gets requests for IPv4 addresses, while Windows only queries my ISP's IPv6 DNS servers.
I've tried disabling RDNSS on my router, but that causes my Android devices to take forever to load pages (since they wait for a timeout on IPv6 name resolution before trying IPv4).
I don't want to disable IPv6 on my network.

Debug Token:

st5yhzm1qs

This is a situation where probably no good solution is available. The problem is that the nature of IPv6 is very much decentralized and the standard does not provide a method for prescribing the DNS server that is to be used inside a network (in contrast to IPv4 where the DNS server is well defined and (has to be) centrally managed by the DHCP server).

When you disable IPv6 in your network, you may need to restart your Android devices so that they forget about the previously available IPv6 DNS servers. They still work in IPv4-only networks, so it can only be a caching issue. I just put this here although I hear that you don't want to disable IPv6 in your network.

The only conclusion I can see is that you need to do one of the following three things (top to bottom = increasing complexity):

  1. Disable IPv6 (already ruled out)
  2. Configure the IPv6 server to be used manually on all of your devices
  3. Cascade your OpenWRT in between your ISP router and the rest of your network (not only WiFi, but also wired devices). With sufficiently complex firewall rules, it should be possible to remove the packets that contain the DNSv6 information and only let through the GUA RAs.

Hi @DL6ER and thanks for your reply.
I think I found another solution, although I'm not sure if it's doing what it's supposed to do :slight_smile:

I configured my main router to use PiHole's LinkLocal IPv6 address (since I know that's not going to change even if my ISP assigns me a different prefix) as the DNS server, also propagating it through the network with RDNSS option in the RA packets.
I've also configured PiHole to use OpenDNS's IPv6 servers, so that I don't get in a situation where PiHole asks my router for name resolution and my router forwards the request back to PiHole :smile:

I still have an issue with my main PC which says it does not have an IPv6 DNS server, although other Windows 10 machines do get it, and so does my phone (which was the main culprit for messing with my existing network - it's on Android Marshmallow and if there's no IPv6 DNS server, all name resolutions take 30s to timeout before falling back to IPv4 name resolution). I'll debug that at the machine level.

Does it make sense to use that LinkLocal address or am I abusing IPv6 in a way it shouldn't be done?


Note that you do not need an IPv6 DNS server. All your clients can equally well send their IPv6 queries to your Pi-hole using its IPv4 address. You only want to ensure that you don't have any mention of the ISP's DNS servers within your network, but there is no harm at all if some devices do not have any IPv6 DNS server.

If your main PC has the Pi-hole IPv4 address as its only DNS server and no IPv6 server at all, then this is a perfectly healthy setup and your PC will nevertheless be able to use the full IPv6 Internet, as, as I already said above, the DNS server can equally well reply to IPv6 questions over an IPv4 communication line. It's similar to how you can equally well transport the same http(s) content over IPv4 or IPv6. The connection itself does not limit the content that is being transported over it.

It's okay to use the LL address, but note that our experience showed that not all clients accept LL addresses for DNS servers. Sometimes they call this "DNS rebind protection" and sell this as a security measure, as they expect an internal DNS server at home to be a possible security issue, since they think that this is an abnormal installation...

I'm skeptical that this is the true issue. To me, it very much looks like your Android phone wants to connect to a known IPv6 server and only when it cannot reach this one, it falls back to use the IPv4 server. This is a rather strange behavior as, for internal communication, there is basically no reason to prefer IPv6 over IPv4, but that may just be a design decision of Android. However, it cannot be only this as then your phone wouldn't work in networks that don't have IPv6 or that don't broadcast any DNSv6 information at all (which, e.g., is what my standard ISP router does at home - and I'm very thankful for this half-done IPv6 implementation as I can use the full IPv6 Internet without being disturbed by any broadcasted foreign DNS servers).
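The advice above boils down to "make sure no Router Advertisement on your LAN carries a foreign DNS server in its RDNSS option". The following is an added example (not code from the thread, Pi-hole or OpenWRT) that parses the ICMPv6 RA/RDNSS layout from RFC 4861/8106 and reports any advertised resolver that is not on an allow list. The sample RA is constructed inline: `fe80::1` stands in for the Pi-hole's link-local address and `2001:db8::53` (documentation prefix) stands in for an ISP resolver; the checksum is left as zero because it is not needed for parsing.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16       # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def parse_rdnss(ra: bytes) -> list[tuple[int, list[ipaddress.IPv6Address]]]:
    """Walk the ND options of an RA and return (lifetime, [addresses]) per RDNSS option."""
    if len(ra) < RA_HEADER_LEN or ra[0] != ND_ROUTER_ADVERT or ra[1] != 0:
        raise ValueError("not a Router Advertisement")
    results = []
    offset = RA_HEADER_LEN
    while offset + 2 <= len(ra):
        opt_type, opt_len = ra[offset], ra[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")       # RFC 4861: must be discarded
        total = opt_len * 8                                   # length is in units of 8 octets
        body = ra[offset:offset + total]
        if len(body) < total:
            raise ValueError("truncated ND option")
        if opt_type == OPT_RDNSS:
            # RDNSS: type, length, reserved(2), lifetime(4), then n * 16-byte addresses
            if opt_len < 3 or opt_len % 2 == 0:
                raise ValueError("malformed RDNSS option length")
            lifetime = struct.unpack("!I", body[4:8])[0]
            addrs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(8, total, 16)]
            results.append((lifetime, addrs))
        offset += total                                       # unknown options are skipped
    return results


def audit_rdnss(ra: bytes, allowed: list[str]) -> list[str]:
    """Return advertised resolvers that are not on the allow list (lifetime 0 = withdrawal, ignored)."""
    allowed_set = {ipaddress.IPv6Address(a) for a in allowed}
    foreign = []
    for lifetime, addrs in parse_rdnss(ra):
        if lifetime == 0:
            continue
        foreign.extend(str(a) for a in addrs if a not in allowed_set)
    return foreign


def build_ra(rdnss_addrs: list[str], lifetime: int = 1800) -> bytes:
    """Construct an RA with one Prefix Information option and one RDNSS option (test data only)."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    prefix = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0) \
        + ipaddress.IPv6Address("2001:db8:1::").packed          # constructed GUA prefix
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss_addrs)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss_addrs), 0, lifetime) + packed
    return header + prefix + rdnss


# Constructed sample: router advertises the Pi-hole's link-local address and an "ISP" resolver.
SAMPLE_RA = build_ra(["fe80::1", "2001:db8::53"])
PIHOLE_LL = "fe80::1"                                             # assumed Pi-hole LL address

if __name__ == "__main__":
    for lifetime, addrs in parse_rdnss(SAMPLE_RA):
        print(f"RDNSS lifetime={lifetime}s servers={[str(a) for a in addrs]}")
    print("foreign resolvers:", audit_rdnss(SAMPLE_RA, [PIHOLE_LL]))
```

Feed it the ICMPv6 payload of a captured RA (e.g. from a packet capture on the LAN) and an allow list containing only your own resolver; anything it reports is a server your clients will learn and prefer over the Pi-hole.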

Normally you would be right, I don't need an IPv6 DNS server, and adding one was a PITA since all my local name resolution (e.g. "printer.local" = 192.168.1.5, obtained by DHCP lease) went out the door.
However, the Android issue was quite obvious and I did some research on it. I won't pollute this thread with it, but I've posted my research and how having an IPv6 DNS server fixes it in this reddit thread. I've referenced other users having similar problems 2-3 years before, although it might be fixed in newer versions (Nougat/Oreo) since my wife didn't complain about it.

Right now everything is working fine; I even managed to get my Windows PC to purge its IPv6 lease in order to get it with the new settings (had to use netsh and a couple of commands to delete all IPv6 addresses and DNS servers before issuing an ipconfig /renew6).

Thanks for all the involvement and technical replies, it will be a good thread to come back to if I ever have problems.
