ISP DNS still entered through Pi-hole DHCP

Expected Behaviour:

Pi-hole DHCP should only advertise itself for DNS within the network. [Clients tested: Win11 (custom PC), Android 13 (Fairphone 4)] [Pi-hole: Raspbian GNU/Linux 11 (bullseye) (RPi 4B)]

Actual Behaviour:

All clients still get an IPv6 address for DNS that is owned by my ISP, allowing most requests through the Pi-hole.

Debug Token:

https://tricorder.pi-hole.net/9TTo7OMo/

On Win 11 I can force it by setting DNS assignment to manual and entering an IPv6 address that always fails, but this is still not automatic and won't work on Android, as even if I enter 2 DNS servers there, the one from my ISP is still shown under IPv6 DNS.

There is nothing in your debug log to indicate that Pi-hole is passing out this DNS:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   
   * Received 300 bytes from eth0:192.168.0.22
     Offered IP address: 192.168.0.234
     Server IP address: 192.168.0.22
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.0.22
      lease-time: 86400 ( 1d )
      renewal-time: 43200 ( 12h )
      rebinding-time: 75600 ( 21h )
      netmask: 255.255.255.0
      broadcast: 192.168.0.255
      dns-server: 192.168.0.22
      domain-name: "lan"
      router: 192.168.0.1
      --- end of options ---
   
   DHCP packets received on interface eth0: 1

It appears the IPv6 DNS address is coming from the router.

This has to be addressed on your router.

With IPv6, it's your router's job to regularly advertise network details, including IPv6 DNS server addresses.

As your router is advertising its own IPv6 address or those of your ISP as DNS server, naturally that would allow your IPv6-capable clients to bypass Pi-hole.

You'd have to find a way to configure your router to advertise your Pi-hole host machine's IPv6 as DNS server or to stop advertising its own.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether, provided you'd not depend on IPv6 for reasons.

If your router doesn't support that either, your IPv6-capable clients will always be able to bypass Pi-hole via IPv6.
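To confirm what the replies above describe, the following added example (not part of the thread and not Pi-hole code) parses the ICMPv6 payload of a Router Advertisement and lists the DNS servers it carries in the RDNSS option (RFC 8106) that are not the Pi-hole. The sample packet and all addresses in it are constructed; `fd00::22` stands in for the Pi-hole host's IPv6 address.

```python
import ipaddress
import struct

RA_TYPE = 134    # ICMPv6 Router Advertisement
OPT_RDNSS = 25   # Recursive DNS Server option (RFC 8106)

def parse_ra_dns(icmpv6: bytes) -> dict:
    """Extract the DNS-relevant fields from one Router Advertisement."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = icmpv6[5]
    # M/O flags tell clients to also ask DHCPv6, a second source of DNS servers.
    ra = {"managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "rdnss": []}
    offset = 16  # options start after the fixed RA header
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(icmpv6):
            raise ValueError("malformed option")
        if opt_type == OPT_RDNSS:
            # 8 bytes of type/length/reserved/lifetime, then 16 bytes per server
            if opt_len < 24 or (opt_len - 8) % 16:
                raise ValueError("malformed RDNSS option")
            lifetime = struct.unpack_from("!I", icmpv6, offset + 4)[0]
            for pos in range(offset + 8, offset + opt_len, 16):
                addr = ipaddress.IPv6Address(icmpv6[pos:pos + 16])
                ra["rdnss"].append((str(addr), lifetime))
        offset += opt_len
    return ra

def bypass_servers(ra: dict, pihole_v6: list) -> list:
    """Advertised DNS servers (lifetime > 0) that are not the Pi-hole."""
    allowed = {ipaddress.IPv6Address(a) for a in pihole_v6}
    return [a for a, life in ra["rdnss"]
            if life > 0 and ipaddress.IPv6Address(a) not in allowed]

# Constructed sample: RA with the O flag set, an MTU option, and an RDNSS
# option advertising a made-up ISP resolver plus the made-up Pi-hole address.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x40, 1800, 0, 0)
    + struct.pack("!BBHI", 5, 1, 0, 1500)
    + struct.pack("!BBHI", OPT_RDNSS, 5, 0, 600)
    + ipaddress.IPv6Address("2001:db8::53").packed
    + ipaddress.IPv6Address("fd00::22").packed
)

if __name__ == "__main__":
    ra = parse_ra_dns(SAMPLE_RA)
    print("DNS servers that bypass Pi-hole:", bypass_servers(ra, ["fd00::22"]))
```

An empty result with `other_config` still set means the router may be handing out DNS through DHCPv6 instead, which needs checking separately.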
