Your router is advertising those IPv6 addresses as DNS servers, allowing your clients to by-pass Pi-hole.
You'd have to find a way to configure your router to advertise your Pi-hole host machine's IPv6 as DNS server or to stop advertising those alternatives.
You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.
If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether (provided you do not rely on IPv6).
If your router doesn't support that either, your clients will always be able to bypass Pi-hole via IPv6.
Unfortunately the router doesn't allow fully disabling IPv6. It does allow me to change the DNS servers though. I found the ipv6 by using ip a. I assume that's the one I should be using? The router doesn't allow me to change the ipv4 adress though, it doesn't like local IP's for ipv4 dns for some uknown reason.
For now, it looks like this:
The prefix (being pushed by your ISP) in a GUA address can change periodically.
Meaning the IP can change and most likely will after a while as with many ISP's.
Preferred is to set the ULA (Unique Local) IPv6 address for DNS which doesnt change:
Or if thats not possible, configure the LLA (Link-Local) address of the Pi-hole host.
You can see what IPv6 addresses are configured on the Pi-hole host with below:
ip -br -6 a
And test connectivity from a client PC (Windows/MacOS/Linux) to above mentioned ULA or LLA addresses with below:
The problem arises when your GUA prefix changes on the Pi-hole host.
When it changes, your clients would still be trying to query the old dead GUA and fail.
This isnt a real problem as the clients are also supplied with an IPv4 DNS IP (192.168.178.3) to fall back to.
Clients can resolve DNS names to IPv4 or IPv6 addresses either through IPv4 or IPv6 DNS:
That way the client queries wont get routed onto the Internet (and fail), and clients will fall back to IPv4 DNS.
But they will still try to connect through IPv6 to the target if a domain holds IPv6 DNS records like above nslookup examples.
Its a bit of a weird hack I know
And maybe someone else can come up with a proper solution for your router make/model.
At the spot where you previously configured the 2a02:a210:XXXX DNS address on the router.
But if it doesnt accept, I dont know of anything else.
EDIT: You could leave it as is with that 2a02:a210:XXXX address.
But just so you know that eventually that IP will stop responding when the IPv6 GUA prefix changes.
Yeah, kinda annoying. My ISP said they can't fully disable IPv6 so kinda stuck like this. I will try and contact them again. But for now, I guess there's nothing else I can do but periodically change the GUA?
If you do not provide an IPv6 address at all, would your router allow to leave that entry blank?
If so, would your router then really not advertise an IPv6 address as DNS server, or would it silently advertise some kind of default?
This may work, but likely at the cost of prolongued DNS resolution of IPv6 capable clients. Those would tend to prefer IPv6 over IPv4, probably trying to contact that discontinued address, waiting for a reply until timeout (which may be quite long).
At times, this may result in considerably slowed down user experience on those devices.
Also, in theory, that GUA prefix could have been reassigned to some other customer's network, and a client from that network may actually run a DNS server answering those requests, but not in the way you'd want to (granted, chances for that to happen are pretty slim).
Yes there is a default. It gives an error when left blank.
Yeah I had a feeling that might happen. I guess the only other thing I could do is get another router that allows me to either put in a LLA address or outright disable IPv6?
