Merging IPv4 and IPv6 DNS lookups for a given client

All my devices are making DNS lookups via IPv4 and IPv6. They show up as two separate clients in Pi-hole, as it does not merge them together.


For example, one of the clients S9 has all IPv4 DNS lookups, while the other client S9 has IPv6 lookups.

Is there a way around this problem? I don’t use Pi-Hole as DHCP server (devices are connected to Pi-Hole host via a wireguard tunnel). I’ve already modified /etc/hosts and gave a common hostname to both static IPv4 and IPv6 of any given client (these IP addresses were assigned to each client by wireguard, when they were added to wireguard tunnel).

Thanks for reading.


We have something called alias clients which need to be configured manually. You can search the forum for how to set them up. However, they will only affect the dashboard view, no other place in the web interface.

I checked this thread on alias client

So, if you are connecting to Pi-Hole via VPN and clients don’t have a MAC address, then, as I quote,

I thought it may be a good idea to generalize the super-clients. So far, super-clients were set by using a MAC address as identifier. This is a limitation as you may have a device with:

  • more than one MAC address (e.g., Ethernet and WiFi interface)
  • devices without a MAC address being available (e.g., connected through VPN or on another VLAN)

So, if I’m reading it right, you need to check out an alternate FTL branch before one can even tweak/add super-clients.

This was posted in late 2020. I wonder if you can add super-client without checking out the FTL branch, as mentioned in that thread message.

There should be no need to check out a specific branch - this code was merged a long time ago.

This limitation still applies.

So, is there a way to work around this?

Unfortunately not.

I have a question - suppose that I disable IPv6 routing through my VPN network, so that Pi-Hole only gets DNS queries via IPv4. Would I have an IP leak if I disabled IPv6 routing on VPN level?

If you enable IPv6 on your network but only route IPv4 via the tunnel, every device which sends DNS queries via IPv6 will not take the route through the tunnel and "leak".

Thanks.

I’ve a question: What could be done to counter this limitation? Is there anything that I, as a user, can contribute to work around this?

There's a growing user base of people hosting Pi-Hole on a cloud instance (or RPi; For example: repo 1 and repo 2) and then using Wireguard to have their own PiVPN. I think the option to merge clients' IPv4 and IPv6 routed DNS queries - via VPN network, would greatly benefit users who use PiVPN or use OpenVPN/Wireguard to SSH into their own network.

Since I'm connected via Wireguard to my Pi-Hole server, the hardware address in network table shows up as N/A. I'm wondering if we can add unique identifier column to this network table, and then assign a common unique identifier to both IPv4 and IPv6 routed DNS queries of device say S9 and then add an option in Dashboard to give an overview based on unique identifier string. Do you think something like this is possible/feasible?

Possible: yes. Feasible: no.

It's possible for sure, but you need someone to code this. Currently, all our developer resources go into Pi-hole v6 where such a feature is not planned. It's hard to estimate how much time (including a public beta phase and all the things that can happen in life) we will need to release v6 but I estimate 6+ months. But we are always open to external contributions.

Two questions,

  1. What kind of background is needed to contribute to Pi-Hole’s development?

  2. Is there a way to add a feature request for one of the future Pi-Hole releases?

Ad 1.

That is a broad question.

In general, you'd need some experience for just the bits of artifacts you intend to improve. That could be any of the languages used (including e.g. C, Shell, PHP, JS, Docker, Markdown, to name a few), but depending on the actual change, you certainly don't need to be an expert in any of those.
I guess anyone could correct a spelling mistake.
However, a common requirement would be familiarity with handling GitHub, or willingness to learn that.
(That can be daunting at first, but our developers have been observed guiding first-time contributors towards acceptance of their pull requests on occasions. :wink: )

For the specific feature you request, I'd guess that would touch quite a few elements (new UI elements, database extensions, shell scripts, perhaps even C for pihole-FTL), so it would require more of an extensive set of skills, and certainly a thorough understanding of the existing codebase.

Ad 2.
Just open a new Topic in the Feature Requests category.
Note that you'd need a certain Discord trust level to do so.

FRs are not tied to specific releases.
Any FR may be considered for any release, given interest, time and opportunity to implement it.

Do you want this topic to be converted to a Feature Request?


For the specific feature you request, I'd guess that would touch quite a few elements (new UI elements, database extensions, shell scripts, perhaps even C for pihole-FTL)

That's doable, considering I did dabble here and there with shell scripting, to begin with.

certainly a thorough understanding of the existing codebase.

Could you please point out any resource/documentation to understand how Pi-Hole works, as a starting point, I would like to spend my spare time during weekends to delve into this topic.

Just open a new Topic in the Feature Requests category.
Note that you'd need a certain Discord trust level to do so.
Do you want this topic to be converted to a Feature Request?

If this topic can be converted into feature request, considering I don't have the discord trust level, it would be much appreciated.

Thanks.

Sounds good - we'd be happy to review your submission.

However, as yubiuser has mentioned, you should be aware that we are moving towards Pi-hole v6, which will introduce some major changes, including the way the UI is rendered (it won't be PHP anymore, nor will lighttpd be a dependency requirement).
Also, it seems that your request could be addressed via different implementation alternatives, so it may well be worth some prior discussion (which the developers would likely have more time to spend on once v6 is out).

You may want to consider stalling your effort until v6 is released.
(Would be a pity if you'd created a full blown PHP UI that Pi-hole v6 wouldn't package anymore, wouldn't it?)

In the meantime, I've converted your topic into a FR. :wink:

I fear there is no single point of resource/documentation. I guess you already found our documentation at https://docs.pi-hole.net/?
However, the underlying code is more complex. We have the central C-Binary FTL which does all the DNS resolution and group management. It includes the dnsmasq core. The FTL repo is at GitHub - pi-hole/FTL: The Pi-hole FTL engine.
The web interface is located at GitHub - pi-hole/web: Pi-hole Dashboard for stats and more.
Both are glued together via bash scripts - these scripts provide the installer and the pihole command including all subcommands. Located at GitHub - pi-hole/pi-hole: A black hole for Internet advertisements

What you want is already possible!

There is a misunderstanding here (see past tense in the "so far, ..." sentence) and what follows immediately afterwards in the same post you are quoting here:

All your VPN clients have been given an entry in the network table with a "mock-MAC" used by FTL to treat IP-only devices as if they were known by their hardware address (this relies on a certain stability of the IP<->client relation which is most often given in VPNs).

The rest of the quoted post gives an example how to do this, you can use that without the extra checkout step. The hardware address for your Wireguard devices will be the IP, prefixed by ip-, so, e.g.,

ip-10.66.66.57

or

ip-fd42:42:42::57

So, as of this writing, my FTL version is 5.23

The network table has an extra column at the end: aliasclient_id (referencing the aliasclient table's IDs). I'm gonna write down all the steps, for anyone else in future, who might stumble upon this issue, and wanna figure a way around it.

Load up the pihole-FTL database

sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db

Now, you can run .tables command, and it should return you the following,

For our solution, we are gonna focus on two tables, namely network and aliasclient. To see the content of network table, we are gonna use the following command,

.mode column
.headers ON
SELECT * FROM network;

This, for example, gave me client details on my Pi-Hole network, as follows,

A device, say an iphone, has been assigned 10.66.66.62 IPv4 and fd42:42:42::62 IPv6 address on a VPN network (in my case Wireguard). @DL6ER pointed out that since this iphone is connected to VPN network with only IPv4 and IPv6 assignment, it's been given a mock-MAC by FTL, which in this case is ip-10.66.66.62 and ip-fd42:42:42::62.

So, what we gotta do is assign each of these devices i.e. iphone with mock-MAC address ip-10.66.66.62 and ip-fd42:42:42::62 a common identifier, which will reside in the column aliasclient_id.

Before we can even give a common value aliasclient_id for ip-10.66.66.62 and ip-fd42:42:42::62, we need to first declare it in the table aliasclient. So, in my case, I'll be choosing value 0 as aliasclient_id. This would be declared in aliasclient table as follows,

INSERT INTO aliasclient (id,name,comment) VALUES (0,'iphone',NULL);


Now that I've declared 0 as aliasclient_id for my device iphone, I'm gonna use it in the network table,

UPDATE network SET aliasclient_id = 0 WHERE hwaddr = 'ip-10.66.66.62';
UPDATE network SET aliasclient_id = 0 WHERE hwaddr = 'ip-fd42:42:42::62';

This is from the Pi-hole dashboard,

So, why does it still have two entries for device/client iphone?

Well, you wanna ask FTL to import the new aliasclient(s),

sudo pkill -RTMIN+3 pihole-FTL

And now, the dashboard looks like this,

You need to repeat this for every pair of IPv4 and IPv6 mock-MAC assigned for a given device/client in your network table (ensuring that the aliasclient_id is declared in aliasclient table).

On a side-note, there's a bug. Even after assigning aliasclient_id to a single device having two distinct IPv4 and IPv6 mock-MAC, when you click on the new aliasclient (context - this example) on dashboard, it does perform the following query,

http://pi.hole/admin/queries.php?client=aliasclient-0&type=blocked

But that leads to an empty list,

Is this a bug?
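
The manual steps from the post above, applied to several devices in one transaction, as an added example that is not part of the original thread and not Pi-hole code. The schema is a constructed stand-in holding only the columns named in the thread; the helper names `sample_db` and `merge_clients` are hypothetical, and pairing S9 with the `.57` addresses is an assumption.

```python
import sqlite3

# Constructed stand-in for the two tables, limited to columns named in the thread.
SCHEMA = """
CREATE TABLE aliasclient (id INTEGER PRIMARY KEY, name TEXT NOT NULL, comment TEXT);
CREATE TABLE network (id INTEGER PRIMARY KEY, hwaddr TEXT UNIQUE NOT NULL,
                      aliasclient_id INTEGER REFERENCES aliasclient(id));
"""

def sample_db():
    """In-memory database with constructed rows; no real Pi-hole data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO network (hwaddr) VALUES (?)",
                   [("ip-10.66.66.62",), ("ip-fd42:42:42::62",),
                    ("ip-10.66.66.57",), ("ip-fd42:42:42::57",)])
    db.commit()
    return db

def merge_clients(db, devices):
    """Map each device name to one aliasclient row and tag its mock-MACs.

    devices: {name: [hwaddr, ...]}. Returns {name: aliasclient id}.
    All-or-nothing: an unknown hwaddr, or one already tagged for another
    alias, raises and rolls back every change made in this call.
    """
    assigned = {}
    with db:  # commit on success, rollback on exception
        for name, hwaddrs in devices.items():
            row = db.execute("SELECT id FROM aliasclient WHERE name = ?", (name,)).fetchone()
            if row is None:
                # Next free id, starting at 0 as in the thread.
                alias_id = db.execute("SELECT COALESCE(MAX(id) + 1, 0) FROM aliasclient").fetchone()[0]
                db.execute("INSERT INTO aliasclient (id, name, comment) VALUES (?, ?, NULL)", (alias_id, name))
            else:
                alias_id = row[0]
            for hwaddr in hwaddrs:
                current = db.execute("SELECT aliasclient_id FROM network WHERE hwaddr = ?", (hwaddr,)).fetchone()
                if current is None:
                    raise LookupError(f"{hwaddr} is not in the network table")
                if current[0] not in (None, alias_id):
                    raise ValueError(f"{hwaddr} already belongs to alias {current[0]}")
                db.execute("UPDATE network SET aliasclient_id = ? WHERE hwaddr = ?", (alias_id, hwaddr))
            assigned[name] = alias_id
    return assigned

if __name__ == "__main__":
    print(merge_clients(sample_db(), {"iphone": ["ip-10.66.66.62", "ip-fd42:42:42::62"],
                                      "S9": ["ip-10.66.66.57", "ip-fd42:42:42::57"]}))
```

Against a real database, FTL still has to be told to import the alias clients afterwards with `sudo pkill -RTMIN+3 pihole-FTL`, as described in the post.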

There is no need to install it. Pi-hole has a built-in sqlite support via

pihole-FTL sqlite3


Kind of. I guess there were no recent queries (as in: within the last 100 queries Pi-hole received) made by this client. It's the same as in Query log shows less than 100 entries when only blocked/permitted queries are shown · Issue #2535 · pi-hole/web · GitHub


But there is a real cosmetic bug: "blocked" is doubled within the header :wink:

I saw you edited your comment, but the correct command needs the database file:

sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db