Is IPv6 working for me or not?

Hey guys! Love Pihole, such a great tool. I have it running on my home server (Ubuntu) using docker-compose and everything runs smoothly.

One thing I've come to realize is that I never really configured Pihole to work with IPv6. But in the Pihole dashboard I can see that there are many (more than 30%) AAAA (IPv6) requests and furthermore that some of them are being blocked.

Is this working somehow even though I did not set it up? If it's not working why am I seeing what I am seeing?

Just for clarification, when I'm saying I did not set it up I mean that I neither told my router to only use IPv4 (both are allowed) nor did I set a local DNSv6 server. I've only set a local DNSv4 server.

I would really appreciate any input on this.

There’s a distinction here between a DNS request made over IPv6, and a DNS request made for an AAAA record (an IPv6 lookup)… which could be over IPv4 or 6. One can look up a v4 or 6 address with a v4 or 6 DNS query.

Do an ifconfig. Does your network interface have an fe80:… address, or that plus like 2-4 more IPv6 addresses? If you just see the one (that’s a link-local address), your router doesn’t appear to be doing IPv6, or at least isn’t telling devices how to configure properly.

I’ve only set a local DNSv4 server.

If that’s all you did and you’re not seeing ads leak through, you probably just don’t have IPv6 on your LAN. You could also verify on your router if it’s enabled or not. If IPv6 networking was enabled and your Pi wasn’t specifying one, presumably devices would be getting the default v6 DNS server with it, and you’d see ads find their way in.

The pie chart on the admin page that breaks down upstream server queries would show you if they’re ultimately going to a v4 or v6 server. I suspect those are all v4.

1 Like

Could you give me an ELI5 for this? Not that experienced in networking, I thought I'm either looking up a v4 or v6 address and that's it.

When I do an ifconfig I get a huge amount of output. Not sure what all those "br-..." entries are but I think we are curious what the "enp..." one says because that refers to the homelab network, correct? For that one two different "inet6" entries exist. One of them starts with "fe80..." (link) and there is also a "global" one. Could you give me an ELI5 on this too? I would really appreciate it. Why are there two different inet6 entries and what's up with the "fe80"?

It does seem to be enabled.

Is there any way I could test this?

I'm assuming you are referring to the pie chart on the "Dashboard" page with the title "Upstream servers". I'm not sure how to determine if those servers are "v4" servers.

I know these are many questions but please don't give up and help a newcomer out here :slightly_smiling_face:

Could you give me an ELI5 for this?

In this output, I'm 1) querying my server with IPv4, asking for an A record, 2) querying IPv4 and asking for an AAAA, 3) querying with IPv6 and requesting an A record, and 4) querying IPv6 and requesting AAAA.

rewt@cairon:~ $ dig google.com | egrep "ANSWER SECTION|Query time" -A 1
;; ANSWER SECTION:
google.com.		237	IN	A	142.251.214.142
--
;; Query time: 0 msec
;; SERVER: 192.168.1.3#53(192.168.1.3) (UDP)
rewt@cairon:~ $ dig google.com AAAA | egrep "ANSWER SECTION|Query time" -A 1
;; ANSWER SECTION:
google.com.		283	IN	AAAA	2607:f8b0:4005:814::200e
--
;; Query time: 15 msec
;; SERVER: 192.168.1.3#53(192.168.1.3) (UDP)
rewt@cairon:~ $ dig google.com @::1 | egrep "ANSWER SECTION|Query time" -A 1
;; ANSWER SECTION:
google.com.		212	IN	A	142.251.214.142
--
;; Query time: 15 msec
;; SERVER: ::1#53(::1) (UDP)
rewt@cairon:~ $ dig google.com @::1 AAAA | egrep "ANSWER SECTION|Query time" -A 1
;; ANSWER SECTION:
google.com.		259	IN	AAAA	2607:f8b0:4005:814::200e
--
;; Query time: 3 msec
;; SERVER: ::1#53(::1) (UDP)

So, what kind of record is being requested doesn't indicate what kind of address was used to reach the DNS server. You can do all the combinations.

When I do an ifconfig I get a huge amount of output.

Did you run that on your pi?

Could you give me an ELI5 on this, too?

IPv6 interfaces can have lots of addresses. The fe80:... address is the "link-local" address. Devices autoconfigure this, and it's used basically only for communication with the router. When a proper IPv6 setup takes place (whether that's DHCPv6, or SLAAC where devices are allowed to configure their own addresses with a prefix), the device gets a 2XXX:... address, a "global unicast" address. This is one that--if your firewall allowed it--would be reachable from the outside world.

Then, some setups also include a "unique local" address, which starts with something like fd67:..., and is vaguely the equivalent of local 192.168.1.x kind of addresses. They allow local devices to be reliably addressed by other local devices.

THEN, some clients generate temporary addresses, to minimize tracking. You may see two 2XXX or also two fd67 addresses.

What I was saying is that if you don't have interfaces with 2XXX:... addresses assigned to them, one way or another they are not set up to properly use IPv6 on that network. Whether that's due to IPv6 not being set up, or not being set up correctly and coincidentally not working, I'm not sure.

Is there any way I could test this? (ads coming in)

My approach isn't super-scientific, but I go to this site: Test Ad Block - Toolz

I know that with the standard block list that comes with pihole, about 57% of the ads get blocked. So if you have the standard block list and see less than 57% getting blocked, they're getting through somehow.

I'm assuming you are referring to the pie chart on the "Dashboard" page with the title "Upstream servers". I'm not sure how to determine if those servers are "v4" servers.

Heh... good point. That is what I meant but you're right: it doesn't show you. In your settings for the pihole's upstream servers, there's no IPv6 DNS servers selected at all?

1 Like
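The two points made in the reply above (record type is independent of the transport used to reach the DNS server, and an interface needs more than an fe80:... address to be usable on IPv6) can be checked mechanically. This is an added example, not part of the original thread; the dig sample is constructed from the output quoted above, the interface addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, modeled on the dig output quoted in the post above.
DIG_SAMPLE = """\
google.com.  237 IN A    142.251.214.142
;; SERVER: 192.168.1.3#53(192.168.1.3) (UDP)
google.com.  283 IN AAAA 2607:f8b0:4005:814::200e
;; SERVER: 192.168.1.3#53(192.168.1.3) (UDP)
google.com.  212 IN A    142.251.214.142
;; SERVER: ::1#53(::1) (UDP)
google.com.  259 IN AAAA 2607:f8b0:4005:814::200e
;; SERVER: ::1#53(::1) (UDP)
"""
# Constructed interface addresses (2001:db8::/32 is the documentation prefix).
IFACE_SAMPLE = ["fe80::1a2b:3cff:fe4d:5e6f%enp3s0/64", "fd67:1234:5678::10/64",
                "2001:db8:1:2::10/64"]

ANSWER = re.compile(r"^\S+\s+\d+\s+IN\s+(A|AAAA)\s+\S+")
SERVER = re.compile(r"^;; SERVER: ([0-9A-Fa-f:.]+)#")
SCOPES = [("link-local", ipaddress.ip_network("fe80::/10")),
          ("unique-local", ipaddress.ip_network("fc00::/7")),
          ("global-unicast", ipaddress.ip_network("2000::/3"))]

def transport_vs_record(dig_text):
    """Pair each answered record type with the IP version of the DNS server."""
    pairs, record = [], None
    for line in dig_text.splitlines():
        if m := ANSWER.match(line):
            record = m.group(1)
        elif (m := SERVER.match(line)) and record:
            version = ipaddress.ip_address(m.group(1)).version
            pairs.append((record, f"IPv{version}"))
            record = None
    return pairs

def classify_v6(addr):
    """Name the scope of an IPv6 address; strips /prefix and %zone suffixes."""
    ip = ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])
    if ip.is_loopback:
        return "loopback"
    return next((name for name, net in SCOPES if ip in net), "other")

def has_global_v6(addrs):
    """True only if at least one address is global unicast (2XXX:...)."""
    return any(classify_v6(a) == "global-unicast" for a in addrs)

if __name__ == "__main__":
    print(transport_vs_record(DIG_SAMPLE))
    print([classify_v6(a) for a in IFACE_SAMPLE], has_global_v6(IFACE_SAMPLE))
```
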

Do you mean that we provide our own address as IPv6 to the DNS server or that we find the DNS server using its IPv6 address, or both?

On my home server, yes.

Got it, thanks!

I do have one. The "global" one. So I assume my home server is set up properly to use IPv6.

For me about 70% of the ads are getting blocked. So that's the thing that is so interesting here. It seems to work fine but I don't understand why it's working. According to my understanding it shouldn't be working.

That is correct, for Settings -> DNS -> Upstream DNS Servers I've only selected IPv4 servers.

But (another uneducated question incoming) I've only set up Pihole as my local DNSv4 server. This creates two questions for me.

  1. Are IPv6 requests even routed via my Pihole? Since I have not set Pihole as a local DNSv6 server my understanding is that it should not even be used for such requests in the first place.

  2. For all requests in general, since Pihole is set up as my local DNS server doesn't that mean that my router handles the upstream requests? So it shouldn't matter what the upstream DNS server settings in Pihole are.

If you ping -6 google.com, can you ping Google via an IPv6 address?

1 Like

Yes, I can ping google.com using IPv6 from my home server.

Hrm... so you've got IPv6. So why not go into the (presumably-enabled) IPv6 settings on your router, and either add in your pihole to the DNS, or disable IPv6?

I mean I guess I could just do that but I do not really have a problem in and of itself, so I don't see a reason to change anything. The sole reason I came here is to understand why something is working even though it should not be.

Maybe IPv6 networking is set up but something’s wrong with getting DNS servers for it from the router?

What does a dig -6 [some site] show as the DNS server? Or, does another device like your phone pick up a DNS IPv6 server?

Doing dig -6 google.com on my server gives back the IPv6 loopback address. Which indicates that the DNS resolution happens locally. Which kind of makes sense, I guess, since I've set my Pihole (server) to be the local DNS server. Not for IPv6 though so that's odd. What's also weird is that this is not the final/actual DNS server but dig still gives this output.

Doing dig -6 google.com on my client computer retrieves an even weirder result. I'm getting a "communications error, connection refused, no servers could be reached" when trying to reach my local DNS server BUT at the same time my client computer can open https://ipv6.google.com/ and gets a 10/10 on https://test-ipv6.com/
So I do have IPv6 access on my client computer.

Ok, yeah: I think it’s just the IPv6 DNS that’s not set up on the router, but IPv6 networking is. That would explain why on your pihole itself it can do an IPv6 resolution but a client can’t even though it does have IPv6 networking enabled. The pihole (without changing anything) installs able to accept IPv6 requests, so locally it can by itself.

That might also explain why you get a higher block percentage on that ad-block test site (you said you were getting like 70% on a client computer, right?): the IPv6-requested ones just aren’t going through at all.

BUT at the same time my client computer can open https://ipv6.google.com…

Like we were talking about earlier, it could be fetching the AAAA record from your pihole over IPv4. Then once it gets the reply (an IPv6 address), it connects over IPv6.

Are there IPv6 DNS settings on the router that you can adjust?

1 Like

Ok, so I've got new insights. The issue is not the router but my main desktop computer using LAN. Using my laptop over a wifi connection results in the expected behavior. I get an output for dig -6 google.com and using the test tool you linked above I only get about 40% block rate. I therefore conclude that my clients that are using wifi correctly connect using a v6 query via my router, bypassing my Pihole, which is what I did expect in the first place.

Exactly, there seems to be an issue with v6 queries on this machine specifically.

Yes, I still haven't really understood what "fetching over IPv4" exactly means in detail but yes this is what seems to be happening.

New question is why my main machine doesn't do v6 queries.

Just to be clear… a good one? Something still seems off (with the working theory of what’s happening here): if you’ve got the standard blocklist that the pihole installer suggests, it should block more than 40%.

1 Like

The output seems good to me.

You initially said

and this is what seems to be happening on other devices in my network. 40% is less than 57%, and that could be since the requests over IPv6 are not actually getting routed via Pihole and therefore are getting through.

For my main machine, on the other hand, which I used for all tests up until now, the block rate is 70% because requests over IPv6 don't get through on this machine in the first place.

I think we've figured it out. Although I still have no idea why connections via IPv6 on this machine do not work. The problem is definitely not the router. Only obvious difference between this machine and the others is that this one is connected via LAN. But I guess this is the wrong forum for this matter since that is a pure network issue and has nothing to do with Pihole.

Pihole blocking, even with a standard list, is going to vary wildly based on a lot of factors to include sites visited, number of clients, browser setups etc. It's best not to get hung up on the percentage as long as ads are being blocked as expected.

Yes, but this has been kind of the issue here. What is actually expected?

The premise of this thread is that I was under the impression that my setup should not be working while it does seem to be working. But I cannot verify that it is indeed working because there are no tests for that. I have no idea if an ad got blocked because everything works fine or because I got lucky and it was an IPv4 query (while IPv6 would not have worked) or if it did not get through in the first place because it is IPv6 and IPv6 does not work on the machine.

Understood. I do not have IPv6 turned on at all so I can't help there. Just wanted to clarify that there is no such thing as an expected block percentage.

I will say that I do see AAAA records as well but if I do a dig -6 bing.com it will show connection refused where a dig -4 bing.com will resolve. You could try a similar test from the client in question. You may need to adjust the command if it's a Windows machine etc but nslookup does have a tack for just AAAA records.

Right... the focus here isn't on making that percentage higher, or achieving that percentage of ads blocked in general or anything like that.

On this particular ad-block "testing" site, I just know--from having done this over and over recently--that pihole blocks 80/140 of the ads it tests there (with ipv4 and v6 working). If way less are blocked, I know ad domains are leaking in somehow. If way more are blocked, I know that some queries that should resolve aren't... because I didn't just update gravity and my list couldn't have changed.

What has me unsure of that, is that 1) we've established that you have IPv6 communication with the outside world, but did not set up your pi's DNS in IPv6 (right? You said you put in the v4 only). Presumably the router is supplying an IPv6 one instead. And 2) none of your devices seem to be blocking the expected percentage on that site. It seems like one can't do all the requests (and appears to "block" more), and the other is letting some ads through that I'd expect it to block.

Given number 1 here, what's the plan now? It seems like IPv6 is half-set up if it's not using the pihole DNS, but available on the network.