IPv6, PiHole and OpnSense

I'm not sure where to ask this question, so I figured I'd start here and cross-post to the OpnSense forums.

If between one, the other, or both I come up with a working solution - I'll post it in both places.

OpnSense v22.7.*
PiHole v5.*

I've searched and read quite a bit, but the only "HOWTO" or "Cookbook" style guides that touch on all three topics are older (v4 PiHole /v18 OpnSense and below), so options, functionality, etc. are quite different and I can't seem to get things working.

I can get to a "no IPv6 connectivity at all" state, or an "IPv6 bypasses PiHole and resolves every advertising and tracking service on the Public Internet" state, but not the desired state where PiHole both filters and allows White/Black-listing by hostname/IP.

Justification for IPv6:

  • My modern Android based devices all support IPv6 by default and it cannot be disabled
  • Those same Android devices throw all kinds of on-screen, in-app errors, or generally behave "oddly" if they cannot reach IPv6 destinations (apparently some apps only have IPv6 upstream)
  • My ISP (Cox) supports IPv6 and it cannot be disabled
  • I would like to extend the "goodness" of PiHole advert blocking to mobile devices that currently bypass ad-blocking by using IPv6
  • Whether I like it or not, some of the games and streaming services that I enjoy require adverts or ad-related domains to run, so I need DNS to work for both IPv4 and IPv6 so that I can create per-host whitelist entries in PiHole

My existing IPv4 network looks like:
https://i.imgur.com/Q63iMhY.png
and works well to block ads for anything that has IPv4 only addressing.

Because I subscribe to a Static IPv4 address (needed for some work connectivity), Cox cable provides an IPv6 /60 prefix for all internal devices.

The optimal outcome would be for PiHole to serve up both IPv4 and IPv6 addresses and serve as my internal DNS for both hostname resolution and ad-blocking.

A perfectly acceptable outcome would be for OpnSense to manage IPv6 and send hostname registration to PiHole.

Any thoughts? Suggestions? Testing/logs/etc. I can post that will help?

I'm "old" to IPv4, but now I have to learn about IPv6 and if someone can shorten my learning curve, it would be great!

Your prospect for success would largely depend on your router's configuration, specifically its IPv6 related DNS options, and also on your clients' behaviour.

That part is working straight out of the box with Pi-hole.

Note that DNS is indifferent to the transport protocol used: Pi-hole will answer A and AAAA records as requested, regardless of whether a client is sending requests via IPv4 or IPv6.

This means that even with public IPv6 connectivity, there is no need to provide an IPv6 address as a local DNS resolver at all, as long as clients are IPv4-capable.

Pi-hole does that as well, but it's up to your router and clients whether that would work as expected.

Just as your router would distribute a local IPv4 DNS server address via DHCP, it may also offer a local IPv6 DNS server address via Stateful DHCPv6, Stateless DHCPv6, or advertise it via SLAAC/NDP, in any combination.

Note that only DHCPv6 would mimic IPv4's DHCP with regard to hostname registration (and also note that even with DHCP, hostname registration with a local DNS server is not compulsory - consequently, there are router models/DHCP servers that would not do so by default).
Clients using SLAAC will never even register a hostname with DHCPv6 at all.

Pi-hole's DHCP server applies some best-effort heuristics to associate IPv6 addresses with a device that has also registered an IPv4 address via DHCP, but there is no guarantee that this always works.
It would depend on your router's DHCP server if it would make a similar effort.

For IPv6 link-local (range fe80::/10) and ULA addresses (range fd00::/8), you may mitigate missing IPv6 hostnames by creating the respective Local DNS records via Pi-hole's UI.
That would only be feasible for IPv6 addresses that would stay static for a long period.

However, IPv6 addresses are subject to change, and some are even designed to change regularly, either because the IPv6 prefix as supplied by your router changes, or if the client is prompted to (self-)assign a new interface identifier.
Possible triggers would include conditions from IPv6 features like stable, private opaque addresses (RFC7217) or IPv6 Privacy Extensions (RFC8981), you changing your router's ULA prefix, or your ISP assigning you a new prefix on a regular basis.

Public IPv6 GUA addresses (range 2000::/3) would have public names, i.e. they are resolvable via public DNS servers: Your ISP's authoritative DNS server would manage those names. Commonly, you'd see generic names simply encoding the associated IPv6 address as such a public domain name.

In my opinion, probably the best approach would be if you can configure your router to NOT distribute an IPv6 address at all as DNS server (i.e., neither Stateful nor Stateless DHCPv6, nor SLAAC/NDP/RA/RDNSS).
If your router would support that, then all your clients would have to use their IPv4 address when sending DNS requests to your Pi-hole host's IPv4 address. Since the vast majority of client OSs are dual-stack or IPv4-only (in fact, I am not aware of a device that can't handle IPv4 by default), I'd personally go for NOT distributing/advertising an IPv6 address as DNS resolver - if that's possible with your router.

That way, your internal DNS traffic would stay IPv4 only.

If your router doesn't support that, you should find a way to configure your router to advertise your Pi-hole host machine's ULA or link-local IPv6 as DNS server.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether (only if you are not relying on IPv6 somehow, of course).

If your router doesn't support that either, your clients will always be able to bypass Pi-hole via IPv6.

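An added example, not from the original thread or from the Pi-hole project, that audits the SLAAC/NDP channel the reply above describes: it parses a raw ICMPv6 Router Advertisement, lists the RDNSS resolvers it hands out, classifies each into the link-local, ULA and GUA ranges the reply names, and flags any resolver that is not the Pi-hole. The RA bytes and the Pi-hole ULA fd00:1234::53 are constructed for the example; the documentation-prefix address 2001:db8::1 stands in for a non-Pi-hole resolver.

```python
import ipaddress
import struct

OPT_RDNSS = 25  # RA option type for Recursive DNS Server (RFC 8106)
# Address ranges named in the reply above: link-local, ULA, and public GUA
RANGES = [("link-local", "fe80::/10"), ("ULA", "fd00::/8"), ("GUA", "2000::/3")]

def parse_ra(payload: bytes) -> dict:
    """Parse a raw ICMPv6 Router Advertisement: M/O flags plus advertised RDNSS resolvers."""
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags = payload[5]
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40), "rdnss": []}
    offset = 16  # fixed RA header is 16 bytes; options follow as TLVs sized in 8-byte units
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("malformed option with zero length")
        body = payload[offset + 2:offset + opt_len * 8]
        if opt_type == OPT_RDNSS and len(body) >= 6:
            lifetime = struct.unpack("!I", body[2:6])[0]  # body[0:2] is reserved
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append((str(ipaddress.IPv6Address(body[i:i + 16])), lifetime))
        offset += opt_len * 8
    return ra

def classify(addr: str) -> str:
    a = ipaddress.IPv6Address(addr)
    return next((n for n, net in RANGES if a in ipaddress.IPv6Network(net)), "other")

def audit(payload: bytes, pihole_v6: set) -> list:
    """List advertised resolvers that are not the Pi-hole (clients would use them and bypass it)."""
    ra = parse_ra(payload)
    findings = [f"RDNSS {a} ({classify(a)}) is not the Pi-hole; IPv6 clients may bypass it"
                for a, _ in ra["rdnss"] if a not in pihole_v6]
    if ra["managed"] or ra["other"]:
        findings.append("M/O flag set: check the DHCPv6 server's DNS option as well")
    return findings

def build_ra(rdnss: list, flags: int = 0, lifetime: int = 1800) -> bytes:
    """Construct a sample RA carrying one RDNSS option (test input, not a captured packet)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, lifetime) + addrs
    return hdr + opt

if __name__ == "__main__":
    # Constructed input: O flag set, one foreign resolver plus the Pi-hole's own ULA
    for line in audit(build_ra(["2001:db8::1", "fd00:1234::53"], 0x40), {"fd00:1234::53"}):
        print(line)
```

To audit a real router, capture one RA (ICMPv6 type 134) with tcpdump or a raw socket on a client and feed its ICMPv6 payload to audit().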

pfSense user here; not the same, I know, but OPNsense is the same in a lot of ways.

I learned that the IPv6 DNS entries configured on the router/firewall are used to provide the clients with an IPv6 DNS address, which they will use.

On pfSense, any IPv6 DNS server entry configured in the "system / general setup" page is used by the client. On this page (OPNsense - second screenshot) I notice that there are DNS servers listed.

You might try to enter the IPv6 address of your Pi-hole here (and remove all other IPv6 addresses from the list). This works for me (pfSense): IPv6 clients use Pi-hole (as long as the IPv6 address configured in the DNS section of the router matches the address of the Pi).

The IPv4 entries ensure the firewall always has access to the internet, regardless of Pi-hole functionality. These addresses aren't used to provide the clients with DNS server information (in my setup, IPv4 DNS addresses are provided in the pfSense DHCP config).

Well, the main issue relates to the last bullet point.

I can more-or-less get IPv6 up and running and force all DNS traffic through the PiHole (which requires NAT and Block rules on the OpnSense - otherwise any host with IPv6 turned on just bypasses the PiHole).

But if I need to Whitelist or Blacklist a host or domain, the PiHole can't (or won't?) apply exceptions to IPv6 connected hosts.

I'm not sure if this is because IPv6 uses DUID versus the MAC by itself, or if it's because the hostnames aren't being registered in PiHole-FTL for their various IPv6 addresses.

The impact is that as soon as I enable any sort of IPv6, any domain/regex filters I try to apply to a host/client/group are non-functional.

How do those lookups register in Pi-hole's Query Log and/or /var/log/pihole/pihole.log?

And please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log
