Pi-Hole and IPV6 - How to make it work?

Hello, I'm using Pi-Hole with IPv4. Recently I discovered my router (EdgeRouter PoE) supports IPv6; my ISP has a block of 2804:e0:500::/48 and sends me 2804:e0:500:XXX../64 dynamically (XXX changes every few weeks). I used DHCPv6 Prefix Delegation to send a /56 inside my network with SLAAC; after that, my devices inside the network started to receive the Google DNS IPv6 addresses 2001:4860:4860::8888 and 2001:4860:4860::8844 (my ISP uses Google DNS) together with my Pi-Hole IPv4 address and the secondary IPv4 address (my router) for DNS.

Pi-Hole DHCP IPv4/IPv6 is disabled and my router is doing all the work.

Now I want to replace the Google IPv6 addresses with my Pi-Hole IPv6 address to resolve IPv6 DNS requests.

Looking into several threads, it seems like it's almost impossible to make it work. Some options:

  1. Using the Pi-Hole IPv6 GUA (Global Unicast Address) for DNS -> Not a good option, since my ISP-assigned prefix is dynamic and every time it changes I will need to update the DNS address (the Pi-Hole IP) that every device receives from the router.

  2. Using the Pi-Hole IPv6 ULA (Unique Local Address) for DNS -> Not an option, since my router doesn't have an option to create a ULA and send it to the network.

  3. Using the Pi-Hole IPv6 LLA (Link Local Address) for DNS -> Since in theory it's static, it's a good option. I tried it and it didn't seem to work; maybe LLA only works in some situations and not for DNS requests?

If anyone can help me with how to make IPv6 DNS work, I will be very happy. Many thanks!

Also, what exactly do I need to make IPv6 work on Pi-Hole? Do I just need to send its IPv6 address via DNS (like IPv4) and set some upstream IPv6 address, or are some other changes needed?

Nothing, as far as Pi-hole's DNS operation is concerned.
If the Pi-hole host machine has acquired IPv6 addresses, Pi-hole would answer DNS requests arriving from clients via IPv6 as well as IPv4. Whether a host does or does not have IPv6 connectivity depends on the host machine's OS configuration, not on Pi-hole's.

With any secondary DNS resolvers, your clients may bypass Pi-hole via those secondaries at their own discretion.
Pi-hole has to be the sole DNS resolver for your network.

Note that if your router doesn't allow changing its advertised IPv6 DNS server address, your clients would be able to bypass Pi-hole via that IPv6 address. In that case, your only option to avoid such bypasses would be to disable IPv6 altogether.

But let's assume you can change or disable it:
DNS is ignorant of the transport protocol, i.e. it is designed to provide the same answers regardless of whether a client sends a request via IPv4 or IPv6.
This means that even with public IPv6 connectivity, there is no need to provide an IPv6 address as a local DNS resolver at all, as long as clients are IPv4-capable.

If you can configure your router to NOT distribute an IPv6 address at all as DNS server (i.e. neither Stateful nor Stateless DHCPv6, nor SLAAC/NDP/RA/RDNSS), then all your clients would have to use their IPv4 address when sending DNS requests to your Pi-hole host's IPv4 address. Since the vast majority of client OSs are dual-stack or IPv4-only (in fact, I am not aware of a device that can't handle IPv4 by default), I'd personally go for NOT distributing/advertising an IPv6 address as DNS resolver - if that's possible with your router.
That way, your internal private traffic would stay IPv4.

This would also avoid the hassle of having to deal with changing IPv6 addresses in your Pi-hole's Query Log, making it way easier to identify client IPs. Note that with IPv6, both the prefix as well as the interface identifiers are designed to change (e.g. IPv6 Privacy Extensions).

If your router would only allow changing the IPv6 DNS server address, I'd try to avoid GUAs (2000::/3 range).
Since your router doesn't support ULAs (fd00::/8 range), you could try to use an LLA (range fe80::/10).
As you already noted, that will only work under a certain precondition: link-locals are non-routable, i.e. they are only accessible by other devices on the same link/network segment.
In layman's terms, that would mean all devices directly connected to your router via wifi or cable in a standard home usage scenario.
But with any L3 switching network contraption that splits the network into multiple links (additional routers, VLANs, certain managed/smart switches or access points), clients on those other links wouldn't be able to communicate with Pi-hole via its LLA.
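As an added example (not from the thread or the Pi-hole project), a small Python audit of the resolver list a client is handed, applying the two points made above: any resolver other than the Pi-hole host is a bypass path, and a link-local Pi-hole address only serves clients on the same link. The Pi-hole host addresses and the client's resolver list are constructed sample values.

```python
import ipaddress

# Constructed sample (not from the thread): the resolver list a client on the
# network described above ends up with. The Pi-hole host addresses are assumed.
PIHOLE_ADDRESSES = {"192.168.1.10", "fe80::1234:5678:9abc:def0"}
CLIENT_RESOLVERS = [
    "192.168.1.10",          # Pi-hole over IPv4
    "192.168.1.1",           # router handed out as secondary resolver
    "2001:4860:4860::8888",  # ISP's Google DNS pushed via RDNSS
    "2001:4860:4860::8844",
]

def _parse(addr):
    # Drop a zone index such as %eth0 that link-local addresses often carry.
    return ipaddress.ip_address(addr.split("%")[0])

def address_scope(addr):
    """Classify an address by the ranges the reply above discusses."""
    ip = _parse(addr)
    if ip.version == 4:
        return "ipv4"
    if ip in ipaddress.ip_network("fe80::/10"):
        return "link-local"
    if ip in ipaddress.ip_network("fd00::/8"):
        return "ula"
    if ip in ipaddress.ip_network("2000::/3"):
        return "gua"
    return "other"

def audit_resolvers(resolvers, pihole_addresses):
    """Return (address, scope, verdict) per resolver a client was handed.

    Any resolver that is not the Pi-hole host is a bypass path. A link-local
    Pi-hole address is accepted but flagged: only same-link clients reach it.
    """
    pihole = {_parse(a) for a in pihole_addresses}
    report = []
    for addr in resolvers:
        scope = address_scope(addr)
        if _parse(addr) in pihole:
            verdict = "ok (same-link only)" if scope == "link-local" else "ok"
        else:
            verdict = "bypass"
        report.append((addr, scope, verdict))
    return report

def bypass_addresses(resolvers, pihole_addresses):
    """Addresses that let clients skip Pi-hole; empty means it is the sole resolver."""
    return [a for a, _, v in audit_resolvers(resolvers, pihole_addresses) if v == "bypass"]
```

Running it on a client's actual resolver list (from `resolvectl status`, `nmcli`, or the OS network settings) shows at a glance whether the router is still handing out a bypass path.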

First, many thanks for your help.

I already disabled the secondary DNS server, thanks for the tip.

There is an option called "no-dns" on the interface of my LAN. According to the description, "Option to not use the DNS server from the DHCPv6 server", it seems to disable the DNS propagation on the interface, since this DHCPv6 server is my ISP, right? (I'm using SLAAC without a local DHCPv6 server.) So no IPv6 DNS for my LAN with this option, I think.

In theory, can I force SLAAC to send the Pi-Hole LLA address as DNS server? I mean, I don't know much about IPv6; is it possible to send it via this option: "Router Advert - Configure parameters for sending Router Advertisements (RAs)"? Or do I need to change SLAAC -> DHCPv6 and create my own DHCP to be able to send the DNS server to the network?

If nothing works I will do what you said: just use IPv4 DNS and clients will use that for DNS.

Many thanks!

You should verify that SLAAC as well as Stateful and Stateless DHCPv6 are configured for the same IPv6 DNS.
It's usually safe to use only SLAAC nowadays, so you could also opt to disable DHCPv6 on your router and only go with SLAAC support.

But any speculations from my side about your specific router's behavior for specific options would be purely guesswork. :wink:

You'd have to consult your router's documentation and support channels for details about its IPv6 configuration options.
