Merging IPv4 and IPv6 DNS lookups for a given client

Gotcha. Corrected.

Kind of. I guess there were no recent queries (as in: within the last 100 queries Pi-hole received) made by this client. It's the same as in Query log shows less than 100 entries when only blocked/permitted queries are shown · Issue #2535 · pi-hole/AdminLTE · GitHub


But there is a real cosmetic bug: "blocked" is doubled within the header :wink:

Well, there were queries. It's just neither client=10.66.66.62 nor client=aliasclient-0 returns a null table. However, query log has retained all logs of DNS requests made by client iphone i.e. 10.66.66.62.

I'm running a similar configuration myself.
I have no issues with telling clients apart, but I've arrived there via a different road.

For once, I am only propagating Pi-hole's IPv4 address as DNS resolver.
As clients are only aware of an IPv4 DNS resolver, they'll send their DNS traffic via IPv4.

And for the Wireguard connection, PiVPN keeps track of wg client hostnames in /etc/pivpn/hosts.wireguard, using pivpn as a separate local domain (e.g. my iPhone.fritz.box is registered as iPhone.pivpn).

I personally wouldn't want those requests to be merged - I like that I can tell whether a device connected locally or via Wireguard by looking at the names.
But this is just my personal preference. :wink:

I saw you edited your comment, but the correct command needs the database file:

Ah. I was running my commands straight up from /etc/pihole/ command. Now fixed it. Thanks for pointing it out!

As clients are only aware of an IPv4 DNS resolver, they'll send their DNS traffic via IPv4.

So what happens when, let's say, an app makes IPv6 DNS queries? Don't you think there would be DNS leak, in the sense that IPv6 DNS queries would be resolved outside of Wireguard+PiHole Tunnel? Hope this makes sense.

Where would that app send its DNS query via IPv6?

My home network’s router has IPv6 routing disabled. However, WireGuard assigns both IPv4 and IPv6 addresses to its clients. Now, I checked my Pi-Hole dashboard (WireGuard + Pi-Hole) and found that there were IPv6 requests in the Query Log, even when my home network has IPv6 disabled. This makes me conclude that at WireGuard’s client, there’s some sorta Tunnel like 6to4/6in4/6rd happening, to rush IPv6 packets via IPv4 route g vs is WireGuard.

My question is - what would happen to those IPv6 DNS requests? (since Pi-Hole is only configured as IPv4 DNS resolver)

How did you configure your Wireguard connection?

If you do configure a full IPv4/IPv6 wireguard tunnel, and an IPv6 DNS server along with it, clients would use it.
As you see IPv6 clients in your Pi-hole's log, that would imply that you did configure one of your Pi-hole's IPv6 addresses as DNS server.

Now, if you would not do so:

As clients are not aware of an IPv6 DNS server address, they would use the remaining IPv4 address for DNS.

Now, a malicious app could send DNS requests to some hard-coded IPv6 DNS servers.
Such misbehaviour would have to be addressed by other means than DNS, e.g. by the gateway's firewall (and of course, that would just as well be true for hard-coded IPv4 addresses).

How did you configure your Wireguard connection?

I used this

If you do configure a full IPv4/IPv6 wireguard tunnel, and an IPv6 DNS server along with it, clients would use it.

As far as I can tell, it isn't full tunnel. The Wireguard peers (and firewall rules) are configured to only forward DNS queries between peers and the server.

As you see IPv6 clients in your Pi-hole's log, that would imply that you did configure one of your Pi-hole's IPv6 addresses as DNS server.

Yes. Every peer's (i.e. client's) config file has their DNS servers set to server's IPv4 and IPv6 address.


As clients are not aware of an IPv6 DNS server address, they would use the remaining IPv4 address for DNS.

I think the clients are aware of server's IPv6 address. Unless Pi-Hole isn't configured to be used as DHCP server + workaround, there's no easy way for clients (let's say one of the clients is a smartphone, and there are two apps: one of the apps uses IPv6 routing i.e. backlinks and DNS requests made via this app is solely via IPv6, while the other app hasn't adopted IPv6 standard yet, which means all the DNS queries would be IPv4 in nature) ... ... ... between the DNS queries made by these two apps from the same client, both the Query Log and Dashboard would treat them as two different devices.

If one is not to use Pi-Hole as DHCP server, the only other way is this, which is a bit broken, but it still does the job.


On a side-note: I'm gonna try and answer my own question,

My question is - what would happen to those IPv6 DNS requests? (since Pi-Hole is only configured as IPv4 DNS resolver)

At least when my home router was configured as DHCP server, and I had both PPPoE IPv4 and IPv6 routing, even when the router's DHCP server was IPv4, all IPv6 DNS queries were forwarded to the DNS server configured for IPv4 (DHCP LAN settings). Maybe this might bring some insight to others, who would be fumbling with a similar experience.

My usage of 'full' in 'full IPv4/IPv6 tunnel' refers to connectivity rather than routing.

If you would only configure an IPv4 tunnel, then your system may configure IPv6 connectivity as it sees fit, including acquiring an IPv6 DNS server address.
This may lead to IPv6 traffic by-passing Wireguard and thus Pi-hole.

If you configure a tunnel for full IPv4 and IPv6 connectivity, the Wireguard software would configure your system's DNS resolvers as provided by the wireguard connection configuration, for both IPv4 as well as IPv6.

Of course they are, as you've configured them to be. :wink:

If you abstain from configuring an IPv6 DNS resolver for Wireguard, but otherwise keep a full IPv4/IPv6 tunnel, then the OS would only be aware of an IPv4 DNS server address.
So in that configuration, even if some software somehow would try to send DNS requests via IPv6:

It has not been configured to use any IPv6 DNS servers by the network (i.e. your Wireguard VPN).

Consequently, all DNS requests your Pi-hole peer would see would originate from a client's IPv4 address.
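
The cases discussed in this thread can be checked mechanically against a WireGuard client config. The following is an added example, not code from the thread or from Pi-hole/PiVPN: it reads the `DNS` and `AllowedIPs` lines of a wg-quick style config and reports whether the client will reach Pi-hole over both address families, whether IPv6 is left outside the tunnel, and whether a configured DNS server is not covered by the tunnel. The finding labels, the `sample` helper and all addresses other than the thread's 10.66.66.62 are assumptions made for illustration.

```python
import ipaddress

def parse_wg(conf_text):
    """Collect [Interface] DNS and [Peer] AllowedIPs entries from a wg-quick config."""
    dns, allowed, section = [], [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if (section, key) == ("interface", "dns"):
            dns += items
        elif (section, key) == ("peer", "allowedips"):
            allowed += items
    return dns, allowed

def audit(conf_text):
    """Return findings for the DNS cases from the thread (labels are this example's own)."""
    dns, allowed = parse_wg(conf_text)
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    servers = []
    for entry in dns:
        try:
            servers.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # wg-quick treats non-IP DNS entries as search domains
    findings = []
    if {s.version for s in servers} == {4, 6}:
        # One device reaches Pi-hole from two addresses and is logged as two clients.
        findings.append("dual-stack-dns")
    if not any(n.version == 6 for n in nets):
        # IPv6 is left to the underlying network and may bypass WireGuard and Pi-hole.
        findings.append("ipv6-not-tunnelled")
    for s in servers:
        if not any(s in n for n in nets):
            # Queries to this resolver would not be routed through the tunnel.
            findings.append(f"dns-outside-tunnel:{s}")
    return findings

def sample(dns, allowed):
    """Constructed client config; keys and endpoint are omitted, addresses are assumptions."""
    return f"[Interface]\nAddress = 10.66.66.62/32\nDNS = {dns}\n[Peer]\nAllowedIPs = {allowed}\n"

if __name__ == "__main__":
    print(audit(sample("10.66.66.1, fd42:42:42::1", "10.66.66.1/32, fd42:42:42::1/128")))
    print(audit(sample("10.66.66.1", "0.0.0.0/0, ::/0")))
```

An empty result corresponds to the setup described in the last reply: IPv4 and IPv6 both tunnelled, with only an IPv4 resolver configured.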
