Ipv6 resolving error on pi-hole diagnosis

Josef_Venture · February 9, 2025, 1:26pm

Expected Behaviour:

on my raspberry 3b+ I went from Debian 11 to 12 starting from scratch;
after installing the pi-hole I restored my teleporter backup.

pihole seems to work as expected on my home network;
Anyway, I made a diagnosis hoping everything was ok.

Actual Behaviour:

I have an ip6 resolving error like this:

[ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] expert-helps.com is 2a02:4780:27:1371:0:e4a:cc15:3 on lo (::1)
[✓] expert-helps.com is 2a02:4780:27:1371:0:e4a:cc15:3 on eth0 (2a01:e11:603f:c510:8f8a:e0c9:a809:dc6d)
[✗] Failed to resolve expert-helps.com on eth0 (fe80::45b5:cc54:9fc7:f7e)
[✓] doubleclick.com is 2a00:1450:4002:410::200e via a remote, public DNS server (2001:4860:4860::8888)

the old setup didn't have this error, but other than that everything seems to work.
if there is something else in pi-hole diagnosis that needs fixing please let me know...
A thousand thanks

Debug Token:

https://tricorder.pi-hole.net/A4qyKJRy/

Bucking_Horn · February 9, 2025, 1:51pm

By itself, that failing test for LLA resolution isn't reason of concern, see DNS resolution on LLA address fails - #2 by Bucking_Horn.
Especially if you would configure your router (Freebox?) to not advertise any IPv6 addresses as local DNS server, exclusively using its IPv4's DHCP server for distributing Pi-hole's IPv4 address as your sole DNS server.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

But if your router would neither support disabling IPv6 RDNSS router advertisements nor setting a custom IPv6 address for DNS, your IPv6-capable clients will always be able to bypass Pi-hole via IPv6.

You could then try to mitigate this, by setting Pi-hole as the only upstream of your router, provided your router supports it.
But note that you won't be able to attribute DNS requests to original individual IPv6 clients in such a configuration.

Josef_Venture · February 9, 2025, 2:18pm

well, on my iliadbox router I have these settings on ipv6 config:

-general: ipv6 firewall: enabled
firevall on delegations: enabled

-DHCPV6: disabled

-DNS IPV6: force personal IPV6 dns server:
primary IPV6 DNS server: I entered my pi-hole ipv6 address

ifconfig from my pi-hole:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.200  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::45b5:cc54:9fc7:f7e  prefixlen 64  scopeid 0x20<link>
        inet6 2a01:e11:603f:c510:8f8a:e0c9:a809:dc6d  prefixlen 64  scopeid 0x0<global>

I entered the ip: fe80::45b5:cc54:9fc7:f7e
is this config right?

also, my phone use both ipv4 and ipv6 and pihole filtering seems to work (no pi-hole bypass)

Josef_Venture · February 10, 2025, 9:09pm

ok, after having studied better how ipv6 works, I realized that I should use an ULA address (fcxx) instead of the LLA (fe80) for pihole (it' normal that LLA fail resolution).
also LLA could change, ULA is "static"; so I added a new ULA to my pihole, then I used it in my router.
new ULA (fd01:2345:6789:abcd::2) seems to work as expected:

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] www.litra.com.mk is litra.com.mk. on lo (::1)
[✓] www.litra.com.mk is litra.com.mk. on eth0 (fd01:2345:6789:abcd::2)
[✓] www.litra.com.mk is litra.com.mk. on eth0 (2a01:e11:603f:c510:8f8a:e0c9:a809:dc6d)
[✗] Failed to resolve www.litra.com.mk on eth0 (fe80::45b5:cc54:9fc7:f7e)
[✓] doubleclick.com is 2a00:1450:4002:410::200e via a remote, public DNS server (2001:4860:4860::8888)

full diagnosis here:
https://tricorder.pi-hole.net/7TN8mNvA/

so, now my config should be ok?

Bucking_Horn · February 11, 2025, 9:04am

No, you misunderstood the linked post:
It's expected that the debug log test would fail if the host OS requires LLAs to carry a scope id to succeed - LLA resolution itself is fully operational.

Also, both LLAs as well as ULAs have a fixed IPv6 prefix, so contrary to GUAs, that portion of an IPv6 is guarantueed not to change, unless you'd change your ULA prefix, whereas the LLA prefix is always fixed.
As far as the interface id portion is concerned, it would depend on your client OS's IPv6 configuration how many different interface ids (and thus IPv6 addresses) would be created, and whether and how often they would change. That said, it would be more likely for LLA IIDs to stay fixed.

Yes, that would be sufficient if you run a flat network, as most home networks are (i.e. all your devices are directly connected to your router, sharing the same network segment/link).
If you run any L3 switching network equipment (e.g. an additional router), LLAs won't work, and ULAs would be the better choice.

As long as your ULA works for you and doesn't change, you can keep using it.

Your debug log still shows that you are defining quite a few clients that are assign to the Default group only.

As discussed in another topic of yours, you don't need to do that.
By default, Pi-hole will filter all DNS requests by the blocklists that are assigned to the Default group.

You'd only need to define those clients that you want to treat differently, assigning them to a different group with different filtering rules.

Josef_Venture · February 11, 2025, 2:38pm

ok, now it's clear

ok, I have only one router in my config at the moment, but maybe that will change in the future; so, I will continue to use ULA anyway.

yes, you're right...I will only assign to the free group the devices that do not need to be filtered, such as my wife's PC who is teleworking (via VPN), all others will not be assigned.
thank you again!!