Pi-Hole not resolving IP6 queries

Expected/Actual Behaviour:

These commands are run from the Pi Hole machine itself:

nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.3.174
 nslookup pi.hole
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   pi.hole
Address: 192.168.0.200

I would expect that the nslookup provided an IPv6 address as well.

The machine has an IPv6 address.

ifconfig | grep inet6
(standard input):3:        inet6 2604:3d09:6780:110c:2387:18d4:92f6:8f58  prefixlen 64  scopeid 0x0<global>
(standard input):4:        inet6 fe80::a24f:9a92:eb94:556f  prefixlen 64  scopeid 0x20<link>
(standard input):13:        inet6 ::1  prefixlen 128  scopeid 0x10<host>

I have IPv6 connectivity:

 ping6 google.com
PING google.com(sea15s11-in-x0e.1e100.net (2607:f8b0:400a:808::200e)) 56 data bytes
64 bytes from sea15s11-in-x0e.1e100.net (2607:f8b0:400a:808::200e): icmp_seq=1 ttl=56 time=34.9 ms
64 bytes from sea15s11-in-x0e.1e100.net (2607:f8b0:400a:808::200e): icmp_seq=2 ttl=56 time=27.3 ms

From a different machine (Windows 10):

PS C:\WINDOWS\system32> nslookup pi.hole
Server:  myispdns
Address:  mypublicip6

Non-authoritative answer:
Name:    pi.hole.myddnsname
Address:  mypublicip4
PS C:\WINDOWS\system32> nslookup google.com
Server:  myispdns
Address:  mypublicip6

Non-authoritative answer:
Name:    google.com.myddnsname
Address:  mypublicip4

From another Raspberry Pi:

nslookup pi.hole
Server:         192.168.0.200
Address:        192.168.0.200#53

Name:   pi.hole
Address: 192.168.0.200
nslookup google.com
Server:         192.168.0.200
Address:        192.168.0.200#53

Non-authoritative answer:
Name:   google.com
Address: 216.58.217.46

From my Ubuntu machine:

 nslookup google.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.14.206
Name:   google.com
Address: 2607:f8b0:400a:808::200e
nslookup pi.hole
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   pi.hole
Address: 192.168.0.200
Name:   pi.hole
Address: 2604:3d09:677f:d5e6:ee63:1827:6ee9:b8e9

01-pihole.conf:

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list


localise-queries


no-resolv



cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=2

log-async

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
server=1.1.1.1
server=1.0.0.1
server=2606:4700:4700::1111
server=2606:4700:4700::1001
domain-needed
bogus-priv
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

local-service

02-pihole-dhcp.conf:

dhcp-authoritative
dhcp-range=192.168.0.10,192.168.0.190,12h
dhcp-option=option:router,192.168.0.1
dhcp-leasefile=/etc/pihole/dhcp.leases
#quiet-dhcp

domain=ackis.duckdns.org
dhcp-rapid-commit
#quiet-dhcp6
#enable-ra
dhcp-option=option6:dns-server,[::]
dhcp-range=::100,::1ff,constructor:eth0,ra-names,slaac,12h
ra-param=*,0,0

04-pihole-static-dhcp.conf

# DHCP Address Reservations

# PC Address Range: 10 - 20
dhcp-host=78:24:AF:D9:D6:B5,192.168.0.10,john
dhcp-host=78:24:AF:47:7F:73,192.168.0.12,john2
dhcp-host=5C:87:9C:0A:15:13,192.168.0.13,johnwifi

dhcp-host=78:24:af:47:81:71,192.168.0.11,chantelle

# Ad hoc DHCP Range: 21-40

# Routers

# Printers
dhcp-host=2C:9E:FC:5C:A2:A9,192.168.0.101,mf4890
dhcp-host=80:3F:5D:08:E0:2A,192.168.0.102,usbprint

# Media Devices
dhcp-host=00:18:DD:05:31:BA,192.168.0.104,hdhrextend
dhcp-host=9C:AD:EF:60:06:C5,192.168.0.105,obi200
dhcp-host=00:05:cd:90:b4:db,192.168.0.106,denon

# IP Cams

# Monoprice Cam
dhcp-host=00:1B:C7:02:1B:4F,192.168.0.150,ipcam1
dhcp-host=00:1B:C7:FF:D2:79,192.168.0.151,ipcam1wifi

# D-Link Cam - Living Room
dhcp-host=B0:C5:54:14:D4:60,192.168.0.152,ipcam2
#,192.168.0.153,ipcam2wifi

# D-Link Cam - Kitchen
dhcp-host=B0:C5:54:1F:37:DC,192.168.0.154,ipcam3
#dhcp-host=,192.168.0.155,ipcam3wifi

# Servers
dhcp-host=30:9C:23:B6:12:39,192.168.0.199,ubuntu
dhcp-host=b8:27:eb:09:6f:0c,192.168.0.200,dns-pi
dhcp-host=b8:27:eb:7a:de:4b,192.168.0.201,vpn-pi

This file contains various options that the Pi Hole admin console doesn't support that I had enabled in DNSMASQ when I ran it solo.
99-custom-dnsmasq.conf:

# Configuration file for dnsmasq.

# Only queries for private domain are answered by Dnsmasq
local=/dyndns/
local=/.local/
local=//

#listen-address=192.168.0.200
#listen-address=::

# Only listen on the addresses specified with list-address
#bind-interfaces

#no-hosts

dhcp-option=option:dns-server,192.168.0.200
#dhcp-option=option6:dns-server,[::]

dhcp-option=option:ntp-server,192.168.0.199

# Windows/Samba suggestions from default configuration
dhcp-option=option:ip-forward-enable,0
dhcp-option=option:netbios-ns,192.168.0.199
dhcp-option=option:netbios-dd,192.168.0.199
dhcp-option=option:netbios-nodetype,8
dhcp-option=vendor:MSFT,2,1i

#bogus-nxdomain=64.94.110.11

#mx-host=mail.dyndns,30
#txt-record=home.dyndns,"v=spf1 mx -all"

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries

# Log lots of extra information about DHCP transactions.
#log-dhcp

99-custom-server-names.conf

# LAN Name Resolution
address=/.local/192.168.0.199/
address=/.dev/192.168.0.199/
address=/ubuntu/192.168.0.199/
address=/dns-pi/192.168.0.200/

# Web servers
address=/home.dyndns/192.168.0.199
address=/home.local/192.168.0.199
address=/home/192.168.0.199

address=/dyndns/192.168.0.199

# Media Streaming Related
address=/hdhr3.local/192.168.0.103
address=/hdhr3/192.168.0.103

address=/hdhrextend.local/192.168.0.104
address=/hdhrextend/192.168.0.104

address=/obi200.local/192.168.0.105
address=/obi200/192.168.0.105

address=/denon.local/192.168.0.106
address=/denon/192.168.0.106

# LAN Servers
address=/mail.local/192.168.0.199
address=/mail.dyndns/192.168.0.199
address=/mail/192.168.0.199

address=/smtp.local/192.168.0.199
address=/smtp.dyndns/192.168.0.199
address=/smtp/192.168.0.199

address=/pihole.local/192.168.0.200
address=/pihole.dyndns/192.168.0.200
address=/pihole/192.168.0.200

Overall, I have no clue what I'm doing with IPv6 - I'm still in the IPv4 mindset where I need to have a private range to use. I don't know where the raspberry pi got its address from for example, nor if it's a "good" address to have.

Debug Token:

https://tricorder.pi-hole.net/zy24x7eknb

Does

nslookup -query=AAAA google.com

and

nslookup -query=AAAA pi.hole

return an IPv6 address?

On the Pi Hole itself:

nslookup -query=AAAA google.com && nslookup -query=AAAA pi.hole
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
google.com      has AAAA address 2607:f8b0:400a:808::200e

Authoritative answers can be found from:

Server:         127.0.0.1
Address:        127.0.0.1#53

pi.hole has AAAA address 2604:3d09:677f:d5e6:ee63:1827:6ee9:b8e9

On the second Raspberry PI:

nslookup -query=AAAA google.com && nslookup -query=AAAA pi.hole
Server:         192.168.0.200
Address:        192.168.0.200#53

Non-authoritative answer:
google.com      has AAAA address 2607:f8b0:400a:808::200e

Authoritative answers can be found from:

Server:         192.168.0.200
Address:        192.168.0.200#53

pi.hole has AAAA address 2604:3d09:677f:d5e6:ee63:1827:6ee9:b8e9

On the Windows machine:

nslookup -query=AAAA google.com
Server:  myispdns
Address:  mypublicip6

Non-authoritative answer:
Name:    google.com
Address:  2607:f8b0:400a:808::200e

nslookup -query=AAAA pi.hole
Server:  myispdns
Address:  mypublicip6

*** nsc3.ar.ed.shawcable.net can't find pi.hole: Non-existent domain

On the Ubuntu machine:

nslookup -query=AAAA google.com && nslookup -query=AAAA pi.hole
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   google.com
Address: 2607:f8b0:400a:804::200e

Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   pi.hole
Address: 2604:3d09:677f:d5e6:ee63:1827:6ee9:b8e9

Also of note (and expected based on the nslookup results): when IPv6 is enabled on the Windows machine, I'm unable to access pi.hole/admin.

That would be because your Windows machine is using your ISP as the DNS. To confirm please run ipconfig /all and check the listed DNS servers. There is no such thing as a primary and secondary DNS, every listed DNS server will be used.

I don't know where it would be getting that info from. Prior to using PiHole, I ran DNSMasq. My router has DHCP off, the ISP's router is in bridge mode.

Ethernet adapter Intel:

   Connection-specific DNS Suffix  . : dyndns
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I219-V
   Physical Address. . . . . . . . . : 78-24-AF-D9-D6-B5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2604:3d09:6780:110c:a078:4794:81d5:e06d(Preferred)
   Temporary IPv6 Address. . . . . . : 2604:3d09:6780:110c:a515:d4d2:8fad:5ba4(Preferred)
   Link-local IPv6 Address . . . . . : fe80::a078:4794:81d5:e06d%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : September 5, 2019 8:33:49 AM
   Lease Expires . . . . . . . . . . : September 5, 2019 11:32:44 PM
   Default Gateway . . . . . . . . . : fe80::a204:60ff:fe45:5ca9%9
                                       192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.200
   DHCPv6 IAID . . . . . . . . . . . : 108537007
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-91-2B-65-78-24-AF-47-7F-73
   DNS Servers . . . . . . . . . . . : 192.168.0.200
   Primary WINS Server . . . . . . . : 192.168.0.199
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Realtek:

   Connection-specific DNS Suffix  . : dyndns
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 78-24-AF-47-7F-73
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2604:3d09:6780:110c::1003(Preferred)
   Lease Obtained. . . . . . . . . . : September 5, 2019 8:33:44 AM
   Lease Expires . . . . . . . . . . : September 6, 2019 8:14:11 PM
   IPv6 Address. . . . . . . . . . . : 2604:3d09:6780:110c:f99e:8916:3129:7caf(Preferred)
   Temporary IPv6 Address. . . . . . : 2604:3d09:6780:110c:2d41:1f0b:877a:ea34(Preferred)
   Link-local IPv6 Address . . . . . : fe80::f99e:8916:3129:7caf%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : September 5, 2019 8:33:47 AM
   Lease Expires . . . . . . . . . . : September 5, 2019 8:33:46 PM
   Default Gateway . . . . . . . . . : fe80::a204:60ff:fe45:5ca9%6
                                       192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.200
   DHCPv6 IAID . . . . . . . . . . . : 175645871
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-91-2B-65-78-24-AF-47-7F-73
   DNS Servers . . . . . . . . . . . : 2001:4e8:0:4004::13
                                       2001:4e8:0:4019::13
                                       192.168.0.200
                                       2001:4e8:0:4004::13
                                       2001:4e8:0:4019::13
                                       2604:3d09:6780:110c:2387:18d4:92f6:8f58
   Primary WINS Server . . . . . . . : 192.168.0.199
   NetBIOS over Tcpip. . . . . . . . : Enabled

I've got one network card getting IPv6 DNS servers which are out of the blue, and one not getting any.
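Because every listed DNS server will be used, any resolver other than the Pi-hole in the `ipconfig /all` output means queries can bypass it. The following check is an added example, not part of the original posts: it parses the DNS Servers block per adapter, classifies each address, and reports the ones that are not the Pi-hole. The sample text is constructed from the output above, and the allowed set (the Pi-hole's IPv4 address and the global IPv6 address from its ifconfig output) is an assumption.

```python
import ipaddress
import re

# Constructed sample: trimmed from the two adapters shown in the thread.
SAMPLE = """\
Ethernet adapter Intel:

   DNS Servers . . . . . . . . . . . : 192.168.0.200

Ethernet adapter Realtek:

   DNS Servers . . . . . . . . . . . : 2001:4e8:0:4004::13
                                       2001:4e8:0:4019::13
                                       192.168.0.200
                                       2001:4e8:0:4004::13
                                       2001:4e8:0:4019::13
                                       2604:3d09:6780:110c:2387:18d4:92f6:8f58
   Primary WINS Server . . . . . . . : 192.168.0.199
"""

# Assumption: the only resolvers clients should hold are the Pi-hole's IPv4
# address and the global IPv6 address its ifconfig output shows in the thread.
PIHOLE = {"192.168.0.200", "2604:3d09:6780:110c:2387:18d4:92f6:8f58"}
ULA = ipaddress.ip_network("fc00::/7")
# A field line is "   Label . . . : value"; continuation lines hold a value only.
FIELD = re.compile(r"^\s+(\S.*?)\s(?:\. )+:\s?(.*)$")

def parse_dns_servers(text):
    """Map each adapter header to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            in_dns = False
        elif not line[0].isspace():  # header such as "Ethernet adapter Realtek:"
            current, in_dns = line.strip().rstrip(":"), False
            adapters[current] = []
        elif (m := FIELD.match(line)):
            in_dns = m.group(1).strip() == "DNS Servers"
            if in_dns and m.group(2).strip():
                adapters.setdefault(current, []).append(m.group(2).strip())
        elif in_dns:
            adapters.setdefault(current, []).append(line.strip())
    return adapters

def scope(addr):
    """Classify an address the way the thread does: link-local, ULA, global."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any %zone suffix
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4:
        return "private-v4" if ip.is_private else "global"
    return "ULA" if ip in ULA else "global"

def audit(text, allowed):
    """Per adapter, list (address, scope) for every resolver outside `allowed`."""
    ok = {ipaddress.ip_address(a) for a in allowed}
    findings = {}
    for adapter, servers in parse_dns_servers(text).items():
        extra = dict.fromkeys(  # de-duplicate, keep listing order
            s for s in servers if ipaddress.ip_address(s.split("%")[0]) not in ok)
        findings[adapter] = [(s, scope(s)) for s in extra]
    return findings
```

Calling `audit(SAMPLE, PIHOLE)` returns an empty list for the Intel adapter and the two `2001:4e8:...` resolvers, both global scope, for the Realtek adapter.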

Those are GUA addresses which means they were assigned to you by the ISP. Double check your router(s) or modem(s) and see. My advice is to disable IPv6 across the entire network unless there is a specific use case that only works with IPv6.

That's everyone's advice, and it doesn't help me learn how to use it. :slight_smile: Need to have it enabled to figure out how to actually use it.

Turns out my router has two sections for DNS servers - one for IPv4 which I have set up properly and then another tucked away in a back corner for IPv6.

What I've gone and done is on the second page settings for my router, I've disabled IPv6 completely - that'll block IPv6 from the internets which will let me focus on getting it working on my LAN. The Pi Hole still isn't handling it correctly though it seems.

nslookup -query=AAAA pi.hole
Server:  UnKnown
Address:  2001:4e8:0:4004::13

*** UnKnown can't find pi.hole: No response from server

My Windows machine isn't getting an IPv6 DNS server from the Pi Hole correctly for some reason.

Also, I added my dnsmasq config files to the original post.

This is the first wrong assumption. IPv6 address space is meant to be a global one. Unlike for IPv4, each device gets a world-wide unique address and ...

... is the issue here. IPv6 does not work like IPv4 in the sense that it is not centrally managed by a DHCP server but a protocol that is self-configuring.

To do this self-configuration, responsible devices (mainly your router and the Pi-hole) broadcast essential information. All the rest is done by the clients.

Let me sketch the process rather simplified:

  1. You add a device to the network. It starts listening.
  2. A router is a node that forwards IP packets not explicitly addressed to it. The router broadcasts in frequent intervals so called "router advertisements" (RAs). Clients can also request them using Router Solicitation (RS).
    These RA packets contain information about the prefix of the address to be used (like 2001:4e8:0:4004), its own address (it is the gateway) and possibly also some DNS server addresses.
  3. Your client takes all this information and generates itself an address it likes to use.
  4. It tests this address for uniqueness (keyword DAD - Duplicate Address Detection) and if nobody replies with "this address is already taken", it finishes the configuration and is ready.

Stateless address autoconfiguration is a new concept with IPv6.
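Steps 2 to 4 above, worked through as an added example that is not part of the original post: it combines an advertised /64 prefix with an interface identifier to form an address, and derives the solicited-node multicast group that Duplicate Address Detection probes. Modified EUI-64 is used here as one standard way of choosing the identifier (the Windows addresses in this thread do not have that shape); the function names are hypothetical, and the prefix and MAC are taken from output posted in the thread.

```python
import ipaddress


def eui64_interface_id(mac):
    """Build a modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02                       # flip the universal/local bit
    return int.from_bytes(bytes(octets[:3] + [0xFF, 0xFE] + octets[3:]), "big")


def slaac_address(prefix, mac):
    """Step 3: combine the /64 prefix from the RA with the interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr):
    """Step 4: multicast group that a DAD neighbor solicitation is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 style address, or None if it is not one."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])       # drop any %zone suffix
    iid = (int(ip) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Prefix and MAC as they appear in the thread's ifconfig/ipconfig output.
    addr = slaac_address("2604:3d09:6780:110c::/64", "78:24:AF:D9:D6:B5")
    print(addr, solicited_node(str(addr)))
    # The default gateway's link-local address is EUI-64 shaped:
    print(mac_from_address("fe80::a204:60ff:fe45:5ca9%9"))
```

An address built this way carries the hardware address in its low 64 bits, which is why `mac_from_address` can reverse it and why it identifies the device wherever the address is seen.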

I just did that to basically firewall myself from the internet with respect to IPv6. The router is IPv6 "dumb" now, so nothing IPv6 is getting through. ping6 doesn't work now for example.

Thanks for the summary - I'm still stuck in the old ways with IPv4 and how that works. So there's no more neat looking subnets and whatnot anymore?

I guess my question right now is - why can't my Windows machine resolve pi.hole via IPv6?

I assume that you gave the answer yourself already

Looking at your output

your Windows machine tries to connect to your Pi-hole via the address 2001:4e8:0:4004::13 which does not work in your setup. Either your router really suppresses all IPv6 traffic in your network or this address might be outdated and the Pi-hole is not reachable there any longer.

  • Is this address shown when you call ip -6 a on your Pi-hole?
  • Is this address reachable when you call ping 2001:4e8:0:4004::13?

Why do you do this? I see no reason for isolating yourself in this way as it leaves you with an only partially working configuration. I'd find it much more complicated to learn how things work under such damaged conditions.

ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::a24f:9a92:eb94:556f/64 scope link
       valid_lft forever preferred_lft forever

No, like you said it was old.

ping 2001:4e8:0:4004::13
connect: Network is unreachable

After rebooting my Windows machine, I get this:

Ethernet adapter Intel:

   Connection-specific DNS Suffix  . : ackis.duckdns.org
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I219-V
   Physical Address. . . . . . . . . : 78-24-AF-D9-D6-B5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a078:4794:81d5:e06d%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : September 7, 2019 6:10:01 AM
   Lease Expires . . . . . . . . . . : September 7, 2019 6:10:01 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.200
   DHCPv6 IAID . . . . . . . . . . . : 108537007
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-91-2B-65-78-24-AF-47-7F-73
   DNS Servers . . . . . . . . . . . : 192.168.0.200
   Primary WINS Server . . . . . . . : 192.168.0.199
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Realtek:

   Connection-specific DNS Suffix  . : ackis.duckdns.org
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 78-24-AF-47-7F-73
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f99e:8916:3129:7caf%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : September 7, 2019 6:10:01 AM
   Lease Expires . . . . . . . . . . : September 7, 2019 6:10:00 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.200
   DHCPv6 IAID . . . . . . . . . . . : 175645871
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-91-2B-65-78-24-AF-47-7F-73
   DNS Servers . . . . . . . . . . . : 192.168.0.200
   Primary WINS Server . . . . . . . : 192.168.0.199
   NetBIOS over Tcpip. . . . . . . . : Enabled

Running nslookup, it's using the IPv4 DNS server to get the IPv6 address. So my Pi Hole still isn't sending out an IPv6 DNS server address.

nslookup -query=AAAA pi.hole
Server:  dns-pi
Address:  192.168.0.200

Name:    pi.hole
Address:  2604:3d09:677f:d5e6:ee63:1827:6ee9:b8e9

I was getting DNS servers from my ISP on my Windows machine somehow and it was making me think IPv6 was working on my network when it wasn't.

I've gone ahead and updated my dhcpcd.conf and added a static IPv6 line in there and the IPv6 address to the DNS servers.

None of the devices (Pi-hole or Windows box) has IPv6 enabled. They have loopback and link local addresses.

Now I'm confused. I thought IPv6 was enabled on the Linux machines. On the Ubuntu machine I had it disabled by editing /etc/sysctl.conf and adding:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

On the Windows machine I just would uncheck the IPv6 box.

Do I need to manually specify an IP address in the fc00::/7 range for the Pi Hole then?

I'm assuming that since IPv6 is autoconfiguring once it detects an fc00::/7 address, everything else will configure around it, so I would just need to initially set my Pi Hole up with the static address?

If you want to internally use ULA space and I really can't think of any reason you would want to then you would need to see if the router allows for a ULA allocation on your local network. Or manually set addresses on your devices with that ULA allocation. Right now all you have are link local addresses.

Are you using Pi-hole as your DHCP server?

As I've mentioned, I'm in the dark here - I just want to do what's proper.

Yes. The config is posted in the original post if you need to see it.

As a few people have mentioned now, don't worry about IPv6. It's not going to gain you anything other than headache and frustration. You will not get access to any more or less of the internet and your speed will not be any faster or slower. Just disable it network wide and enjoy your time spent in more enjoyable endeavour.

Figuring out IPv6 is enjoyable, I feel like I'm almost there. Maybe I'm not. shrug

This all started because content that was served over IPv6 wasn't getting blocked (e.g. stuff via my phone) which led me down this rabbit hole.

I don't mean to be discouraging, but a bit on my background and why I make the suggestion I do. I have a bachelor's degree in network engineering, I've done 4 years at the Cisco networking academy and held advanced Cisco certifications. I wrote the initial IPv6 implementation for Pi-hole. Really, unless you need IPv6 for remote access to your network or servers located on your network, the protocol just hasn't been widely adopted. I think I can count less than a dozen services I've ever needed that were pure IPv6.

With IPv4 you have some protection on home networks as the ISP routers use NAT and only if you create a port forwarding does that NAT pierce. IPv6 gives every device a public address that identifies it. Your firewall becomes more complex as instead of every device having only private addresses and the router being the only device with a public address, now you have every device going direct. You've already seen how the ISP DNS server overrode what you intended for your devices. Add on to that the need to basically forget everything that you know about IPv4 for things like DHCP. Now you have DUIDs that change instead of MACs that are burned in. There's stateless configuration and stateful configuration, link addresses, internal addresses (take a look at the number of IPv6 addresses your interface had when it was getting a global address from the ISP). It's vastly more complex.

I applaud you for wanting to learn more and I wish more people were of that mindset but really just disable it on your local network until you have the time to really dig in to IPv6 and all the new concepts and ways.