Local IPv4 DNS records also resolving WAN IPv6 addresses - is this by design?

Hi all,
I recently enabled IPv6 on my network at home and I am having strange issues with PiHole that I feel should not happen.

Current Setup

I have a bog-standard PiHole install running on Ubuntu installed via the one liner bash script.
I am using Split DNS to ensure my traffic is local for a system that I host externally-facing via Cloudflare at home.

Expected Behaviour:

When I attempt to nslookup my.domain.name I expect PiHole to only respond with the IPv4 address that I have configured for it in the Local DNS section in the admin interface.

Actual Behaviour:

When I attempt to nslookup my.domain.name, both the WAN IPv6 IP addresses and the Local DNS IPv4 addresses are sent back to the client - Windows in my case seems to prioritize IPv6 over IPv4 thus I attempt to connect to my locally hosted website via the WAN and Cloudflare.

Debug Log

https://tricorder.pi-hole.net/Gtpd2UXo/

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Apologies, I have modified the original post to contain the log.

If it helps while looking through the log, the domain in question is cloud.agngaming.com

NSlookup Results:

> cloud.agngaming.com
Server:  pi.hole
Address:  172.16.0.35

Name:    cloud.agngaming.com
Addresses:  2a06:98c1:3121::7
          2a06:98c1:3120::7
          172.16.0.150

Depending on your OS's configuration, nslookup may issue several DNS requests for a given domain, to retrieve A and AAAA records for the plain domain as well as for the domain extended by our local search domain.

If you watch your Pi-hole's Query Log, I'd expect you to see at least as many as four separate DNS queries when you issue your nslookup.

When Pi-hole receives a DNS request, it will check whether to block or allow it, and if allowed, it will check whether it may know the domain itself (either by virtue of its cache or by local DNS definitions), and if it doesn't, it will forward the DNS request upstream.

Now in your case, your debug log shows you've only configured IPv4 addresses for the domain in question.
So while Pi-hole will answer an A request from your local definitions, your lack of configuring an IPv6 address for that domain will prompt Pi-hole to correctly forward a respective AAAA request to its upstreams.

If you want to shadow the IPv6 address as well, you could simply add the respective private IPv6 addresses (fd00::/8 ULAs or fe80::/10 link-locals) of your 172.16.0.150 machine for your domain. If you have trouble using ULAs or link-locals, you could also use the :: non-routable meta-address instead.

Since I note that you have quite a few local DNS definitions in place, you may also consider blocking IPv6 queries for those.

You could do so by adding wildcard (tick!) domain filters for your domains agndomain.home;querytype=AAAA and agngaming.com;querytype=AAAA via Group Management | Domains if you really could do without IPv6 for them.
Note carefully that the latter, public domain may result in overblocking for IPv6. In that case, if you have to be more specific, you should prefer to just create the local DNS IPv6 records.

I also noticed that one of your domains ends in .local.
Note that *.local FQDNs are reserved for usage by the mDNS protocol and should not be used with DNS.
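To make the decision order described above concrete, here is a small model of it as an added illustration for this thread; it is not Pi-hole's own code. It walks an A and an AAAA query for cloud.agngaming.com through the three steps (filter check, local definitions, forward upstream) under the setup from the original post and under the two remedies suggested in the reply. The upstream answers are constructed documentation addresses, the `Resolver` class and its helper names are assumptions of this example, and the wildcard filter is modelled as a regex that matches the domain and all of its subdomains, which is also how it illustrates the overblocking caveat.

```python
import re
from dataclasses import dataclass

# Constructed model of the per-query decision order described in the reply:
# block/allow check, then local definitions (or cache), then forward upstream.
# This is an added illustration for the thread, not Pi-hole's own code.

NAME = "cloud.agngaming.com"            # domain from the thread
LOCAL_V4 = "172.16.0.150"               # Local DNS A record from the thread
UPSTREAM = {                            # constructed stand-in for public DNS
    (NAME, "A"): ["198.51.100.7"],
    (NAME, "AAAA"): ["2001:db8:1::7", "2001:db8:2::7"],
    ("www.agngaming.com", "AAAA"): ["2001:db8:3::7"],
}


def wildcard_filter(domain, qtype=None):
    """A wildcard-ticked domain filter, modelled as a regex that matches the
    domain and every subdomain, optionally limited to one query type (the
    ';querytype=AAAA' syntax from the reply)."""
    return (re.compile(r"(\.|^)" + re.escape(domain) + r"$"), qtype)


@dataclass
class Resolver:
    local_records: dict   # (name, qtype) -> list of addresses
    block_filters: list   # list of (compiled regex, qtype or None)

    def resolve(self, name, qtype):
        # Step 1: is the query blocked by a filter matching this name/type?
        for pattern, ftype in self.block_filters:
            if pattern.search(name) and ftype in (None, qtype):
                return ("blocked", [])
        # Step 2: can the name/type be answered from local definitions?
        answers = self.local_records.get((name, qtype))
        if answers:
            return ("local", list(answers))
        # Step 3: otherwise the query is forwarded to the upstream resolver.
        return ("forwarded", list(UPSTREAM.get((name, qtype), [])))

    def lookup(self, name):
        """What an nslookup-style client sees: it asks A and AAAA separately
        and merges whatever comes back."""
        return {qtype: self.resolve(name, qtype) for qtype in ("A", "AAAA")}


def as_reported():
    """Only an A record is defined locally, as in the original post:
    the AAAA query is forwarded and the WAN IPv6 addresses come back."""
    return Resolver({(NAME, "A"): [LOCAL_V4]}, []).lookup(NAME)


def with_unspecified_aaaa():
    """Remedy 1: shadow the AAAA answer with the :: meta-address."""
    records = {(NAME, "A"): [LOCAL_V4], (NAME, "AAAA"): ["::"]}
    return Resolver(records, []).lookup(NAME)


def with_aaaa_filter():
    """Remedy 2: block AAAA queries for the public domain via a wildcard filter."""
    filters = [wildcard_filter("agngaming.com", "AAAA")]
    return Resolver({(NAME, "A"): [LOCAL_V4]}, filters).lookup(NAME)


def overblocking_example():
    """The caveat from the reply: the wildcard AAAA filter also blocks IPv6 for
    a public subdomain that has no local definition at all."""
    filters = [wildcard_filter("agngaming.com", "AAAA")]
    return Resolver({(NAME, "A"): [LOCAL_V4]}, filters).resolve("www.agngaming.com", "AAAA")


if __name__ == "__main__":
    print("as reported      :", as_reported())
    print("with :: record   :", with_unspecified_aaaa())
    print("with AAAA filter :", with_aaaa_filter())
    print("overblocked www  :", overblocking_example())
```

Running it shows the A query answered locally in every case, the AAAA query forwarded only when no local IPv6 definition exists, and the wildcard filter silencing AAAA for every name under agngaming.com, which is why the reply prefers explicit local IPv6 records when only some hosts should be shadowed.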

Hi Bucking_Horn.
Thank you for the in depth response, I now have a better understanding of how this system operates.

I have added the :: approach for now, as these are Rancher nodes using MetalLB, and it doesn't support IPv6 quite yet in my setup.

Thanks again for your help :slight_smile:

PS
I have also removed the .local address, I guess I forgot to remove it when I renamed all of my domains to .home after finding out about not using .local - ty for spotting that.
