Pi-hole is detecting very few queries. IPv6 related?

Pi-hole community,

Pi-hole is successfully running on a Raspberry Pi 4.
My router is the Arris SBG7400AC2.

It appears to me that the total queries on the pi-hole are relatively low given my household and the fact that I work from home. Also, most sites for testing the pi-hole's ad-blocking do not seem to work (ads are present). This has led me on a hunt to figure out what the issue may be.

It is my belief that queries are circumventing the pi-hole by utilizing IPv6 when the pi-hole is only configured to block IPv4.

After reading many, many, many, many, forums on IPv6 and pi-hole..... it seems that the most widespread solution is to disable it. However, my router cannot disable IPv6 nor can it distribute ULA addresses (2nd most popular solution). So, I am not sure how to utilize pi-hole effectively on my network. I am seeking a solution other than "buy a new router."

Using my router, I was able to assign a static IPv4 address to my Pi-hole. Then, I overrode the default DNS server IP to be the static one from my pi-hole. This was a success... all devices on my network pull the pi-hole IP for IPv4 DNS. However, the IPv6 is the ISP provided one (at least I think it is ISP provided). The router does have DNS override capability for IPv6, but I am not sure if that is the best solution.

A quick word on that: running ifconfig eth0 yields an inet6 fe80:xxx local-link and inet6 2601:xxx global. From what I read online, it is unwise to set either as the DNS IPv6 override and unwise to set the 2601 as static. BUT I can confirm that both the IPv4 and the 2601 IPv6 address do block sites from the block list when explicitly testing them (the fe80 fails to connect and times out). See below.

username@Mac ~ % nslookup flurry.com 192.xxx
Server: 192.xxx
Address: 192.xxx#53

Name: flurry.com
Address: 0.0.0.0

username@Mac ~ % nslookup flurry.com 2601:xxx
Server: 2601:xxx
Address: 2601:xxx#53

Name: flurry.com
Address: 0.0.0.0

username@Mac ~ % nslookup flurry.com fe80::xxx
;; connection timed out; no servers could be reached

I have spent countless hours scouring the forums here and for my router with little success. I think the only solution is to statically set my IPv6 to 2601, but many people caution against it. I have not done this on the router. I have only explicitly tried it with nslookup. Does anyone have advice on the best way to capture all internet traffic with the pi-hole?

Thank you for your time,
P1NECO

P.S. I did not place full IP addresses here for security concerns. I am not sure if they are security concerns, but better safe than sorry.

Debug Token:

https://tricorder.pi-hole.net/HunIqwPD/

Your clients use the advertised IPv6 DNS from your router. If your router advertises itself as that, then your clients won't use Pi-hole.

Change the IPv6 DNS to your Pi-hole's IP.

If your router is advertising its own IPv6 address as DNS server, then that would allow your IPv6 clients to by-pass Pi-hole.

You'd have to find a way to configure your router to stop advertising its own IPv6 as DNS server altogether, or to advertise your Pi-hole host machine's IPv6.

If that's not possible, you could also try to configure your router's upstream DNS servers to point to Pi-hole in a similar fashion, i.e. have your router use only IPv4 upstreams, or use Pi-hole's IPv6.
The DNS resolution chain would then become:
IPv6 client -> router's IPv6 -> Pi-hole IPv4 (or IPv6) -> Pi-hole's upstream DNS server

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether, provided you'd not depend on IPv6 for reasons.

If your router doesn't support that either, your IPv6-capable clients will always be able to bypass Pi-hole via IPv6.

Here is a screenshot of my router's IPv6 settings.

What I think should be done:

  1. Enable DNS Override
  2. Set the Primary DNS server IP to the pi-hole 2601:xxx address
  3. Set the Secondary DNS server IP to :: (aka nothing)

Thoughts?

What are the security implications?
Is it wise for the pi-hole global-link 2601: IPv6 address to be set as the Primary DNS IP?

Thanks,
P1NECO

I can't comment on any router settings.

In particular, I cannot speculate whether your settings would apply to DHCPv6 only (which most current client OSs won't use) and/or advertising a local DNS server via NDP/SLAAC/RA/RDNSS (which is what most clients would use for IPv6 network configuration).

As said:

Concerning your planned steps:

Before you engage in propagating an IPv6 address as DNS server, you should probably try to not advertise an IPv6 for DNS at all:

:: in both (or all) places may work to that effect, if your router accepts them, but it may also prompt your router to advertise its defaults, or have IPv6 clients time out on lookups via IPv6 before falling back to IPv4, potentially slowing down client resolution.
You'd have to try out if that works.

If you provide your Pi-hole machine's IPv6, avoid using the GUA, as it's not stable and likely to change, e.g. after router restarts or on regular ISP IPv6 prefix changes.
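An added example, not from this thread or the Pi-hole project, of the check the two replies above describe: decode the RDNSS option (and the O flag) from a Router Advertisement and flag any advertised IPv6 resolver that is not the Pi-hole's address, which is exactly the condition under which IPv6 clients bypass Pi-hole. The RA bytes and the 2001:db8:: addresses are constructed test data; in practice the ICMPv6 payload would come from a capture of your router's advertisements.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for a Router Advertisement
OPT_PREFIX_INFO = 3      # ND option: on-link prefix (parsed past, not used)
OPT_RDNSS = 25           # ND option: Recursive DNS Server list (RFC 8106)


def build_ra(flags, dns_servers, lifetime=1800, prefix="2001:db8:1::"):
    """Construct an RA payload (ICMPv6 header + options) as test input; checksum left 0."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    rdnss = b""
    if dns_servers:
        rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, lifetime)
        rdnss += b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    return hdr + pio + rdnss


def parse_ra(icmpv6):
    """Return (other_config_flag, [RDNSS addresses]) from a Router Advertisement."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    other_flag = bool(icmpv6[5] & 0x40)  # O bit: clients may also fetch DNS via DHCPv6
    servers, off = [], 16
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]
        size = olen * 8                    # ND option length is in 8-byte units
        if olen == 0 or off + size > len(icmpv6):
            raise ValueError("malformed ND option")
        if otype == OPT_RDNSS:             # addresses start after type/len/reserved/lifetime
            for i in range(off + 8, off + size, 16):
                servers.append(ipaddress.IPv6Address(icmpv6[i:i + 16]))
        off += size
    return other_flag, servers


def check_ra(icmpv6, pihole_v6):
    """Flag advertised IPv6 resolvers that would let clients bypass Pi-hole."""
    other_flag, servers = parse_ra(icmpv6)
    pihole = ipaddress.IPv6Address(pihole_v6)
    return {
        "dhcpv6_dns_possible": other_flag,
        "rdnss": [str(a) for a in servers],
        "bypass": sorted(str(a) for a in servers if a != pihole),
    }


if __name__ == "__main__":
    ra = build_ra(0x00, ["fe80::1"])          # router advertising its own link-local as DNS
    print(check_ra(ra, "2001:db8:1::53"))      # 'bypass': ['fe80::1']
```

An empty `bypass` list with the O flag set still means DNS may be handed out by DHCPv6, so that path needs checking separately.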

For anyone who may have the same concerns and find this post in the future....

I overrode the IPv6 DNS and placed :: in the primary, secondary, and tertiary server IP address boxes. This did NOT work. My router still distributed the default ISP address to all clients, and IPv6 traffic circumvented the pi-hole.

I ended up placing the 2601 global-link IPv6 address of the pi-hole as the "Primary DNS Server IP" and left the secondary and tertiary IP addresses as ::.

This worked!

I was able to power cycle my Pi and confirm that it was not given a new global-link address. BUT we will see what happens when the ISP decides to distribute a new IPv6 address... that remains to be seen.

This is temporarily solved. All IPv4 and IPv6 traffic is blocked (according to my block lists) on all devices on my network for now. I will watch for changes from my ISP and update this forum if it is not closed when that happens.

Cheers,
P1NECO

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.