Link-Local-IPv6 as default

bonsi · May 20, 2018, 5:52am

HI,

tl;dr: Pihole should use the link-local-IPv6-address as default.

i recentlty diagnosed a problem with a recent Pihole-Installation at a friends network.

A lot of Webpages on android loaded quite slow and the reason for that was that Pihole resolved some blacklisted domains to the configured IPv6-Address.

The IPv6 in question was 2003:f2:....

The prorblem here in Germany is that certain ISPs don't offer static IPv6-Prefixes, these tend to change on Router reconnect. And if these changes, lookups for IPv6-Domains on Blacklist are resolving to IPv6-Addresses with the old prefix.

To fix that i configured Pihole to use the fe80::... (link-local)-Address

cat /etc/pihole/setupVars.conf
[...]
IPV6_ADDRESS=fe80::2455:7311:8523:a8fc

DanSchaper · May 20, 2018, 5:56am

We use the ULA if it's available and that's a more stable address. It's not as volatile as the ll, since that can change depending on privacy extensions, the particular network segment the interface is attached to and a handful of other cases that cause rotation of that address.

We are aware of the rotation of GUA's and the problem that causes. The installer will check for a ULA and suggest that, it will not use GUA if there is a better option to select.

DanSchaper · May 20, 2018, 5:56am

bonsi · May 20, 2018, 6:05am

In this case there only was a GUA and a link-local-address beginning with fe80 and in some routers one can't activate the usage for ULAs in in the fc/fd-range.

DanSchaper · May 20, 2018, 6:12am

That case is rather rare from what we've seen. Defaulting to a link local is problematic, as it just exists on that single link. The ULA is the preferred approach, by definition though they have to exist in fc00::/7 space. The installer would have allowed the GUA to be entered as in this case there was no ULA as an option. I'm not sure if we can code around a case where ULA is not possible, perhaps a tiered approach of ULA > LL > GUA, but that may be a bit inelegant to implement. @DL6ER do you have any thoughts on this?

DL6ER · May 20, 2018, 7:03am

Hmm, the implementation is not what bothers me, that should be doable fairly straightforward. I'm more wondering about the implications, i.e. if it would make things worse. Example: many users have a non-changing GUA so there is in fact no issue when ULA is not available. Now, what happens if we give these people a LL as default instead? Will all devices be able to reach it?

Thinking about scenarios where they are not strictly on the same link level:

Pi-hole connected over Ethernet, clients connected over WiFi (that may work)
Clients connected over VPN

I think we need to clarify this before implementing.

@bonsi I'm a Deutsche Telekom user myself and equally affected by their GUA rotation. That was the reason for my ULA implementation as my Speedport allow enabling them with a simple click. I've recently switched to a DD-WRT based router and don't use ULAs any longer because with the new NULL IP based blocking of FTLDNS a static IPv6 address is not needed any longer. Maybe this is something you want to try as well?

DanSchaper · May 20, 2018, 7:59am

I'm in agreement with all the points. My primary issue would be with off link devices, any router will drop the Link Local, so only the local collision domain would be able to speak to the Pi-hole. VPN, vLAN, off-link would all no longer be able to use the Pi-hole for DNS resolution as any packets they send with that address would be dropped at the edge of the segment. It's been my understand and practice that Link Local addresses are only for bootstrapping an interface to get it to the condition where it can negotiate DAD with neighbors and to receive stateful addresses.

bonsi · May 20, 2018, 8:16am

Ok, i also agree with these points. Didn't consider the problem regarding VPN/vLANs.

Then, as a modification to that feature request: Could that be a configurable option within the WebUI?

bonsi · May 20, 2018, 8:18am

Hmm.. ftldns - yeah, i'll give it a try Thanks

And thanks for responding that fast

DL6ER · May 20, 2018, 9:10am

I think it may get unnecessary with FTLDNS and its more refined blocking methods.

We could also have FTLDNS hand out

NXDOMAIN for AAAA queries to ads, and
the correct IPv4 of the Pi-hole for A queries.

In theory (just speculating here, I haven't tried anything) this should make all clients fall back to the IPv4 IP for obtaining the blocking page and vastly simplify things.
What do you think @DanSchaper @jacob.salmela ?

DanSchaper · May 20, 2018, 9:32am

NXDOMAIN isn't the proper response for that kind of set up, but I get what you are going for and with the right technical implementation, yes it would work. Clients would receive the message that there is no AAAA record and would fall back to the A result and use that IP for the transit. I'm in favor of it, cleans things up!

DL6ER · May 20, 2018, 10:35am

Argh, I thought NODATA and wrote NXDOMAIN .... implementation and experimentation ongoing.

DL6ER · May 20, 2018, 3:04pm

Pull request opened (pending review of another one):

github.com/pi-hole/FTL

New blocking mode: IP-NODATA-AAAA

pi-hole:development ← pi-hole:new/IP-NODATA-AAAA-blocking

opened 11:43AM - 20 May 18 UTC

DL6ER

+8 -2

**By submitting this pull request, I confirm the following (please check boxes, …eg [X]) _Failure to fill the template will close your PR_:** ***Please submit all pull requests against the `development` branch. Failure to do so will delay or deny your request*** - [X] I have read and understood the [contributors guide](https://github.com/pi-hole/pi-hole/blob/master/CONTRIBUTING.md). - [X] I have checked that [another pull request](https://github.com/pi-hole/FTL/pulls) for this purpose does not exist. - [X] I have considered, and confirmed that this submission will be valuable to others. - [X] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [X] I give this submission freely, and claim no ownership to its content. **How familiar are you with the codebase?:** _{replace this text with a number from 1 to 10, with 1 being not familiar, and 10 being very familiar}_ --- ** To be reviewed only after #288 has been merged to `development` to ease reviewing (it contains code from #288 ) ** This PR adds a new blocking mode that will return Pi-holes IPv4 for `A` requests but `NODATA` for `AAAA` requests. This should resolve a number of problems in system without fixed GUA or ULA addresses and may actually get the standard for Pi-hole blocking (instead of blocking mode `IP` handing out both IPv4 and IPv6 addresses for blocked queries). ``` dig A doubleclick.net ; <<>> DiG 9.10.3-P4-Ubuntu <<>> A doubleclick.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38498 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;doubleclick.net. IN A ;; ANSWER SECTION: doubleclick.net. 2 IN A 192.168.2.11 ;; Query time: 3 msec ;; SERVER: 192.168.2.10#53(192.168.2.10) ;; WHEN: Sun May 20 12:49:34 CEST 2018 ;; MSG SIZE rcvd: 60 ``` ``` dig AAAA doubleclick.net ; <<>> DiG 9.10.3-P4-Ubuntu <<>> AAAA doubleclick.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24051 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;doubleclick.net. IN AAAA ;; Query time: 3 msec ;; SERVER: 192.168.2.10#53(192.168.2.10) ;; WHEN: Sun May 20 12:49:32 CEST 2018 ;; MSG SIZE rcvd: 44 ``` _This template was created based on the work of [`udemy-dl`](https://github.com/nishad/udemy-dl/blob/master/LICENSE)._