Issues regarding ipv6

hyperactive68 · July 16, 2023, 2:42pm

For starters, I'm a total noob at this, so please bear with me.
My ISP doesn't allow to fully disable ipv6 in the DHCP settings. I only get 2 options: Stateful (DHCPv6) and Stateless (SLAAC). I have disabled DHCPv4 in the router settings and set up Pi-hole as my DHCP v4 server.

My average queries blocked was always hovering around 10-20%. I wanted to test enabling ipv6 in the Pi-hole settings by enabling the "support ipv6 option" and checking both the upstream boxes for ipv6. Suddenly my blocked queries are at 30-40%. Is this normal? I tested to see if this is noticeable by using a few adblock tester sites. With ipv4, close to nothing is being blocked and with ipv6, nearly everything is getting blocked... Shouldn't the results be the same on both?

And one more thing: ipv6 doesn't use the hostnames (that I can clearly see in the network tab) on the homepage in the webui. I already looked through countless topics but couldn't find a way to get it to work. I already tried things like RESOLVE_IPV6=NO, REFRESH_HOSTNAMES=ALL, NAMES_FROM_NETDB=TRUE, but still get the IP adresses instead of the hostnames for most devices.

Bucking_Horn · July 17, 2023, 3:59pm

Run from a client in your network (not from the machine hosting Pi-hole), what is the output of:

nslookup pi.hole

And run from a Windows machine, what DNS servers is it using?

ipconfig /all

We'd be interested in only the DNS server section of that output.

hyperactive68 · July 17, 2023, 8:24pm

nslookup pi.hole:

Server:  pi.hole
Address:  2a02:a210:223c:a580:6ff6:3714:99f:258c

Name:    pi.hole.lan
Addresses:  2a02:a210:223c:a580:6ff6:3714:99f:258c
          192.168.178.3

ipconfig /all:

   DNS Servers . . . . . . . . . . . : 2a02:a210:223c:a580:6ff6:3714:99f:258c
                                       192.168.178.3
                                       2001:730:3e42:1000::53
                                       2001:730:3e42::53
                                       2a02:a210:223c:a580:6ff6:3714:99f:258c

Bucking_Horn · July 18, 2023, 2:19pm

Those are public DNS servers.

Your router is advertising those IPv6 addresses as DNS servers, allowing your clients to by-pass Pi-hole.

You'd have to find a way to configure your router to advertise your Pi-hole host machine's IPv6 as DNS server or to stop advertising those alternatives.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether (provided you do not rely on IPv6).

If your router doesn't support that either, your clients will always be able to bypass Pi-hole via IPv6.

hyperactive68 · July 18, 2023, 3:00pm

Unfortunately the router doesn't allow fully disabling IPv6. It does allow me to change the DNS servers though. I found the ipv6 by using ip a. I assume that's the one I should be using? The router doesn't allow me to change the ipv4 adress though, it doesn't like local IP's for ipv4 dns for some uknown reason.
For now, it looks like this:

And ipconfig /all now shows the following:

 DNS Servers . . . . . . . . . . . : 2a02:a210:223c:a580:6ff6:3714:99f:258c
                                       192.168.178.3
                                       2a02:a210:223c:a580:6ff6:3714:99f:258c
                                       2a02:a210:223c:a580:6ff6:3714:99f:258c

So is it good now?

deHakkelaar · July 19, 2023, 2:23am

hyperactive68:

And ipconfig /all now shows the following:

 DNS Servers . . . . . . . . . . . : 2a02:a210:223c:a580:6ff6:3714:99f:258c
                                       192.168.178.3
                                       2a02:a210:223c:a580:6ff6:3714:99f:258c
                                       2a02:a210:223c:a580:6ff6:3714:99f:258c

So is it good now?

That looks good for now ...
but that 2a02:a210:XXX address is a GUA (Global Unicast) address as can be seen below:

The prefix (being pushed by your ISP) in a GUA address can change periodically.
Meaning the IP can change and most likely will after a while as with many ISP's.

Preferred is to set the ULA (Unique Local) IPv6 address for DNS which doesnt change:

Or if thats not possible, configure the LLA (Link-Local) address of the Pi-hole host.

You can see what IPv6 addresses are configured on the Pi-hole host with below:

ip -br -6 a

And test connectivity from a client PC (Windows/MacOS/Linux) to above mentioned ULA or LLA addresses with below:

nslookup pi.hole <PIHOLE_IPV6_ADDRESS>

hyperactive68 · July 19, 2023, 3:59am

Unfortunately my ISP does not provide any way to change it to ULA. The only thing I can do is change between Stateful and Stateless.

Output:

lo               UNKNOWN        ::1/128
eth0             UP             2a02:a210:223c:a580:6ff6:3714:99f:258c/64 fe80:: 899f:c6be:36ba:3b77/64

Output:

Server:  pi.hole
Address:  2a02:a210:223c:a580:6ff6:3714:99f:258c

Name:    pi.hole.lan
Addresses:  2a02:a210:223c:a580:6ff6:3714:99f:258c
          192.168.178.3

deHakkelaar · July 19, 2023, 5:44am

Above is a LLA from the diagram.
From that client, run the nslookup against this one eg:

nslookup pi.hole fe80::899f:c6be:36ba:3b77

If get reply, configure it instead of the GUA 2a02:a210:XXXX.

hyperactive68 · July 19, 2023, 1:04pm

Got a reply and tried configuring it, but the router doesn't seem to like LLA, telling me 'it's not a valid IP address".

I'm guessing I'm out of options then?

Bucking_Horn · July 19, 2023, 1:10pm

Perhaps your router doesn't like short-hand IPv6 notation.

Try to provide the address in full, i.e.
fe80:0000:0000:0000:899f:c6be:36ba:3b77

hyperactive68 · July 19, 2023, 1:51pm

Unfortunately, it didn't like that either.

deHakkelaar · July 19, 2023, 4:27pm

The problem arises when your GUA prefix changes on the Pi-hole host.
When it changes, your clients would still be trying to query the old dead GUA and fail.
This isnt a real problem as the clients are also supplied with an IPv4 DNS IP (192.168.178.3) to fall back to.
Clients can resolve DNS names to IPv4 or IPv6 addresses either through IPv4 or IPv6 DNS:

pi@ph5b:~ $ nslookup debian.org 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   debian.org
Address: 149.20.4.15
Name:   debian.org
Address: 128.31.0.62
Name:   debian.org
Address: 130.89.148.77
Name:   debian.org
Address: 2001:4f8:1:c::15
Name:   debian.org
Address: 2001:67c:2564:a119::77
Name:   debian.org
Address: 2603:400a:ffff:bb8::801f:3e

pi@ph5b:~ $ nslookup debian.org ::1
Server:         ::1
Address:        ::1#53

Non-authoritative answer:
Name:   debian.org
Address: 130.89.148.77
Name:   debian.org
Address: 128.31.0.62
Name:   debian.org
Address: 149.20.4.15
Name:   debian.org
Address: 2603:400a:ffff:bb8::801f:3e
Name:   debian.org
Address: 2001:67c:2564:a119::77
Name:   debian.org
Address: 2001:4f8:1:c::15

Can you configure below made up ULA?

fddd:dead:dead::

That way the client queries wont get routed onto the Internet (and fail), and clients will fall back to IPv4 DNS.
But they will still try to connect through IPv6 to the target if a domain holds IPv6 DNS records like above nslookup examples.
Its a bit of a weird hack I know
And maybe someone else can come up with a proper solution for your router make/model.

hyperactive68 · July 19, 2023, 4:36pm

Where should I write this? The router doesn't accept it. So somewhere in the Pi-hole? Sorry, I'm not good with this stuff.

deHakkelaar · July 19, 2023, 4:38pm

At the spot where you previously configured the 2a02:a210:XXXX DNS address on the router.
But if it doesnt accept, I dont know of anything else.

EDIT: You could leave it as is with that 2a02:a210:XXXX address.
But just so you know that eventually that IP will stop responding when the IPv6 GUA prefix changes.

hyperactive68 · July 19, 2023, 4:49pm

Yeah, kinda annoying. My ISP said they can't fully disable IPv6 so kinda stuck like this. I will try and contact them again. But for now, I guess there's nothing else I can do but periodically change the GUA?

deHakkelaar · July 19, 2023, 4:50pm

Or just let it fail so the clients fall back to IPv4 DNS.

Bucking_Horn · July 20, 2023, 8:38am

If you do not provide an IPv6 address at all, would your router allow to leave that entry blank?

If so, would your router then really not advertise an IPv6 address as DNS server, or would it silently advertise some kind of default?

This may work, but likely at the cost of prolongued DNS resolution of IPv6 capable clients. Those would tend to prefer IPv6 over IPv4, probably trying to contact that discontinued address, waiting for a reply until timeout (which may be quite long).
At times, this may result in considerably slowed down user experience on those devices.

Also, in theory, that GUA prefix could have been reassigned to some other customer's network, and a client from that network may actually run a DNS server answering those requests, but not in the way you'd want to (granted, chances for that to happen are pretty slim).

hyperactive68 · July 20, 2023, 2:28pm

Yes there is a default. It gives an error when left blank.

Yeah I had a feeling that might happen. I guess the only other thing I could do is get another router that allows me to either put in a LLA address or outright disable IPv6?

deHakkelaar · July 20, 2023, 3:53pm

@Bucking_Horn , agreed.
Allot of ISP routers arent IPv6 friendly

deHakkelaar · July 20, 2023, 3:55pm

You want one that can do ULA like in below screenshots:

If want to inspect what prefixes are advertised on your LAN via IPv6 router advertisement: