Pi-hole not serving requests over IPv6 remotely

Freekers · May 7, 2018, 7:37pm

Please follow the below template, it will help us to help you!

Expected Behaviour:

Pi-hole should serve DNS requests over IPv6 remotely

Actual Behaviour:

Pi-hole does not serve DNS requests over IPv6 remotely. However, it does serve DNS requests over IPv4 local and remotely as well as IPv6 requests locally.

By locally I mean that if I SSH into my Pi-hole and do a 'dig aaaa aaaa.v6ns.test-ipv6.com', it works. But if I execute the same command on a machine that uses my Pi-hole as DNS server and also is IPv6 enabled, the requests times out.
I have verified IPv6 connectivity on my test machine and it is working correctly; it gets a 9/10 of test-ipv6.com with as remark that the DNS server (pi-hole in this case) does not server requests over IPv6 hence my post

netstat -tulpn shows that dnsmasq is listening on both IPv4 as well as IPv6.
ufw has the proper rules enabled but even with ufw disabled remote IPv6 requests are not working
setupVars.conf contains the correct IPv6 address, i.e. the address that is also shown when typing 'ifconfig'.

Debug Token:

"There was an error uploading your debug log"
URL to log on Pastebin: https://pastebin.com/kKTCA0Rk

Thank you very much!

RamSet · May 7, 2018, 7:51pm

Are you aware that you defined your public facing IP as your Pi-hole IP (and your admin interface is accessible to the public)?
I see that random people are using your DNS server as theirs and most certainly they are turning you into a DNS reflection attack drone. Not a good idea to run it like that (Your ISP might have something to say to that at some point).

Is your DHCP server offering the IPV6 DNS server (of your Pi-hole) to your clients ?

Freekers · May 7, 2018, 8:07pm

Thanks for your quick reply.

Yes, I am aware that my Pi-hole is public facing. I have some protection in place against DNS amplification attacks and I monitor it almost every day (for the past year), it's a hobby project of mine. My VPS provider is okay with it and knows that I run an open DNS resolver.

Yes, my DHCP server offers my Pi-hole as IPv6 DNS server to my clients.

Kind regards.

DanSchaper · May 7, 2018, 8:13pm

Thanks, fan here of your DNS Amplification blog post. As for the Pi-hole, this comes up in that log and might be part of the issue, how is the routing performing on the Pi-hole, and are you able to manually ping the gateways from the terminal?

[i] Default IPv4 gateway: venet0
   * Pinging venet0...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)
 
[i] Default IPv6 gateway: venet0
   * Pinging venet0...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)

Freekers · May 7, 2018, 8:25pm

Thanks for your reply.

Why, thank you! I hope that wasn't sarcasm by the way

I'm able to manually ping the gateways from the terminal, although the IPv4 broadcast address for venet0 is '0.0.0.0' which is odd. But since IPv4 is working like it should, let's keep that aside for now. So yes, I can ping both gateways from the terminal.

Kind regards.

DanSchaper · May 7, 2018, 8:26pm

No sarcasm at all!

Can you try a traceroute6 from the Pi to client and client to Pi? Are they all on the same broadcast segment, or is there a router in the mix?

Freekers · May 7, 2018, 8:40pm

Great!

From Pi to client:

traceroute to 2a00:XXXX:66:11d:110:110:110:110 (2a00:XXXX:66:11d:110:110:110:110) from 2a00:1ca8:17:3c9::7384, 30 hops max, 24 byte packets
     1  2a00:1ca8:17::3 (2a00:1ca8:17::3)  0.119 ms  0.18 ms  0.587 ms
     2  2a00:1ca8:1::3e (2a00:1ca8:1::3e)  0.401 ms  0.37 ms *
     3  2a03:3f40::2:24 (2a03:3f40::2:24)  1.304 ms  8.176 ms  6.88 ms
     4  2a03:3f40::2:20 (2a03:3f40::2:20)  1.753 ms  1.827 ms  1.951 ms
     5  2a00:1ca8::2:18 (2a00:1ca8::2:18)  1.842 ms  2.235 ms  1.72 ms
     6  2a00:XXXX:0:1::379 (2a00:XXXX:0:1::379)  2.744 ms  4.07 ms  3.159 ms
     7  30ge.ar0-cr0.nikhef.ams.i3d.net (2a00:XXXX:1fff::10:1)  4.062 ms  3.988 ms  4.02 ms
     8  80ge.br2-cr0.smartdc.rtd.i3d.net (2a00:XXXX:1fff::2:4)  4.526 ms  4.364 ms  4.439 ms
     9  2a00:XXXX:66:11d:110:110:110:110 (2a00:XXXX:66:11d:110:110:110:110)  4.098 ms  4.874 ms  4.529 ms

From client to Pi:

Tracing route to pihole-nl [2a00:1ca8:17:3c9::7384]
    over a maximum of 30 hops:`

      1    15 ms    15 ms    22 ms  2a00:XXXX:66:11d:110:110:110:111
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10    22 ms    19 ms    19 ms  pihole-nl [2a00:1ca8:17:3c9::7384]

No, they are not on the same broadcast segment. To make things even more complicated, I am accessing it via my OpenVPN setup on yet another machine. However, this online tool also shows that it is unable to resolve DNS requests over IPv6 using my Pi-hole: Dig web interface - online dns lookup tool

Thanks for your help so far! Due to timezone differences, I'll check back tomorrow.

Have a nice day

DanSchaper · May 7, 2018, 8:50pm

So connectivity looks like it works, next would be to check and see if you can even see port 53 from the client. So a telnet from client to Pi-hole:53 (or your preferred port checker) just to see if there is a problem getting the DNS to connect or if it's dropping the queries for some reason.

Freekers · May 8, 2018, 9:01am

Hi Dan,

Thanks for your reply.

I think you're onto something here. telnet IPv4 53 works, but telnet IPv6 53 times out
.
Upon taking a closer look I see that my IPv6 address is assigned to network interface 'venet0', wheras the IPv4 address is assigned to network interface 'venet0:0'.
However, Pi-hole is using network interface 'venet0' (as shown in the webinterface and defined in setupVars.conf), i.e. the interface that has the IPv6 address, yet the IPv6 address 'does not work' wheras the IPv4 address works like it should (albeit not being bound to the interface Pi-hole is setup to). I find this confusing.

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:432715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:432715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:34181425 (34.1 MB)  TX bytes:34181425 (34.1 MB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: 2a00:1ca8:17:3c9::7384/64 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:1206803 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1055075 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:450028980 (450.0 MB)  TX bytes:453211363 (453.2 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:185.147.34.122  P-t-P:185.147.34.122  Bcast:185.147.34.122  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

My firewall is set to allow port 53/udp ingoing and outgoing on both IPv4 as well as IPv6:

Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
53/udp                     ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
53/udp (v6)                ALLOW IN    Anywhere (v6)
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

53/udp                     ALLOW OUT   Anywhere
80                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
123/udp                    ALLOW OUT   Anywhere
53/udp (v6)                ALLOW OUT   Anywhere (v6)
80 (v6)                    ALLOW OUT   Anywhere (v6)
443 (v6)                   ALLOW OUT   Anywhere (v6)
123/udp (v6)               ALLOW OUT   Anywhere (v6)

However, I noticed strange behavior when I temporarily disabled ufw to test whether or not it was being a firewall issue: When I disable ufw, I can no longer reach the Pi-hole webinterface. Firefox/Chrome/IE immediately stop resolving the interface with the error 'The connection was reset'. Other websites work fine and DNS resolving continues to work like it should over IPv4
I was unable to troubleshoot this; on the server side, nothing was being logged by either lighttpd nor Pi-hole itself. By the looks of it, it appears the requests never reach my Pi-hole. Now that I think of it, let me analyze the network traffic from the client to the Pi-hole using Wireshark to see if anything useful pops up there...

Kind regards

DanSchaper · May 8, 2018, 10:51pm

Thanks, it's quite a complex configuration, with the pseudo interface, but nothing really stands out to me as a good place to start digging. Let us know how the wire sniff works out and if there's anything that pops out from the packet inspection.

DanSchaper · May 8, 2018, 10:52pm

Another thing may be to set a IPTables chain with some tracing enabled to watch if that is where things are being dropped. I know raw IPtables is not the most friendly way to approach it, but if things come up okay on the traces then that may be a little more information to look over.

Freekers · May 11, 2018, 7:16pm

Hi @DanSchaper ,

This is a tough one to crack. I've spent the past hour trying to make some sense of the data I got from the Wireshark trace but I am a bit lost currently. I think there are multiple issues with my Pi-hole(s), so I'll try to seperate them. I apologize, in advance, for the wall of text.

DNS requests over IPv6 not working
This issue is rather 'interesting'. So according to test-ipv6.com and digwebinterface.com, my Pi-holes are not responding to IPv6 queries. However, if I do a nslookup ipv6.google.com my Pi-hole responds nicely:

C:\Users\Freek>nslookup ipv6.google.com
Server:  pihole-nl
Address:  2a00:1ca8:17:3c9::7384

Non-authoritative answer:
Name:    ipv6.l.google.com
Address:  2a00:1450:4001:81b::200e
Aliases:  ipv6.google.com

But if I run dig locally, the operation times out:

D:\Downloads\BIND9.12.1.x64>dig -t MX google.com

; <<>> DiG 9.12.1 <<>> -t MX google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

However, if I force/specify the resolver when using dig, the Pi-hole responds:

D:\Downloads\BIND9.12.1.x64>dig -t MX google.com @2a00:1ca8:17:3c9::7384

; <<>> DiG 9.12.1 <<>> -t MX google.com @2a00:1ca8:17:3c9::7384
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49229
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11

<Removed for readability>

;; Query time: 76 msec 
;; SERVER: 2a00:1ca8:17:3c9::7384#53(2a00:1ca8:17:3c9::7384)
;; WHEN: Fri May 11 17:23:27 West-Europa (zomertijd) 2018
;; MSG SIZE  rcvd: 367

I find this to be very confusing; why does remote dig not work and why does local dig only work when I force/specifically point it to my Pi-hole, even though it's setup as default DNS server within my connection?

The WireShark trace shows 'Destination Unreachable (Port unreachable)' multiple times for the ICMPv6 protocol, with the source being my Pihole and the destination being my PC, followed by a 'Packet too big'. I have no clue what to make of this to be honest: https://i.imgur.com/RpuNefb.png

Web-interface unreachable if ufw is disabled
This leaves me stumped. As soon as I disable ufw, the Pi-hole's webinterface does not load anymore. With ufw enabled, it works like it should.... Ufw has no rewrite rules so this should have nothing to do with reverse proxy stuff or anything related. Odd thing is that on the server side (Pi-hole) the lighttpd, ufw and/or Pi-hole logs show nothing relevant regarding a blocked/dropped/incoming connection or request.
However, the Wireshark trace shows a lot of re-transmissions answered by a connection reset after which eventually the browser gives up: https://i.imgur.com/V2qDaJb.png
Do you have any idea what could this be causing?

Very slow DNS resolution over IPv4
While troubleshooting the issues above, I encountered another issue. Apparantly DNS resolution over IPv4 is 18 times slower than over IPv6:

D:\Downloads\BIND9.12.1.x64>dig -t MX google.com @185.187.240.11

; <<>> DiG 9.12.1 <<>> -t MX google.com @185.187.240.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22394
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11

<Removed for readability>

;; Query time: 1371 msec <----------- <----------- <-----------
;; SERVER: 185.187.240.11#53(185.187.240.11)
;; WHEN: Fri May 11 17:23:06 West-Europa (zomertijd) 2018
;; MSG SIZE  rcvd: 367


D:\Downloads\BIND9.12.1.x64>dig -t MX google.com @2a00:1ca8:17:3c9::7384

; <<>> DiG 9.12.1 <<>> -t MX google.com @2a00:1ca8:17:3c9::7384
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49229
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11

<Removed for readability>

;; Query time: 76 msec <----------- <----------- <-----------
;; SERVER: 2a00:1ca8:17:3c9::7384#53(2a00:1ca8:17:3c9::7384)
;; WHEN: Fri May 11 17:23:27 West-Europa (zomertijd) 2018
;; MSG SIZE  rcvd: 367

I have no experience with troubleshooting this particular issue. Do you have any tips on how to proceed?

Again, sorry for the wall of text...

Thank you very much in advance for the trouble to be taken.

Kind regards,
Freek

Freekers · May 12, 2018, 1:05pm

Hi @DanSchaper

I did some more digging and I think I've opened up a can of worms here.

First, the IPv6 issue

When I'm using the IPv6 DNS servers from DNS.watch, both the tests at http://ipv6-test.com/ and http://test-ipv6.com/ fail.

If I swap them for the IPv6 DNS servers from UncensoredDNS.org, the test at http://ipv6-test.com/ fails but the test at http://test-ipv6.com/ passes.

When using OpenDNS' IPv6 servers, both tests succeed... Hence I started testing each resolver manually because I didn't know what to think of it. Doing so, I also found out that that digwebinterface.com does not support testing IPv6 DNS resolvers (nice one...) and neither does Test DNS server records online (query A, AAAA, CNAME, MX, PTR, SPF, SRV, NS, TXT, or all available). However, KLOTH.NET - DIG - DNS lookup - find IP address does support testing IPv4 and IPv6 DNS resolvers so I used that to test DNS.watch, UncensoredDNS and OpenDNS.

Using Kloth.net, I was able to confirm that all three IPv6 DNS servers properly respond to a dig command, so why is http://ipv6-test.com/ and/or http://test-ipv6.com/ failing when I use DNS.watch (or UncensoredDNS.org) but passes when using OpenDNS? It doesn't make sense to me...

But now, IPv4 is somewhat broken as well..

While trying our different the different online DNS resolver test tools, I found out that my Pi-hole (while using the IPv4 address) is marked as dead by some tools, while other tools are able to resolve using it just fine. Here's a breakdown of each tool:

digwebinterface.com: Says my Pi-hole is NOT resolving DNS queries (NOK)
DNS Benchmark by Steve Gibson: Says my Pi-hole is NOT resolving DNS queries (NOK)
kloth.net: Says my Pi-hole is resolving DNS queries (OK)
manytools.org: Says my Pi-hole is resolving DNS queries (OK)
https://network-tools.com/nslook/: Says my Pi-hole is resolving DNS queries (OK)
https://www.subnetonline.com/pages/network-tools/online-dig.php: Says my Pi-hole is resolving DNS queries (OK)

Why the inconestenties in these results? I checked each tool to see if it was functioning properly by substituting my Pi-hole's IP by Google's DNS (8.8.8.8) and all tools provide a consistent OK/Yes while doing so....

At this point, I'm doubting if it's just easier to do a reinstall of the entire machine instead of troubleshooting this any further, unless you want to get to the bottem to this for future reference? The issue also persists when using the FTL-DNS beta / development branch. Here's the latest pihole -d output in case it changes anything: http://termbin.com/ielh

Thank you!

Kind regards

DanSchaper · May 12, 2018, 3:04pm

Heya, I'll check around on a couple of things. I'm side tracked from the Pi-hole project for a few days so it may take me a little time to get back to this. But I won't forget it!

Freekers · May 12, 2018, 6:45pm

Thanks for your reply. No problem, take your time !

DanSchaper · May 17, 2018, 11:24am

How are things going, made any changes or headroom on this?

Freekers · May 17, 2018, 12:25pm

Hi Dan.

The situation hasn't changed and is the same as in my post from 5 days ago. I am stuck and have no idea how to proceed

Thanks!

DanSchaper · May 17, 2018, 4:54pm

I'm sorry it's been a few days since I've had a chance to take a look. I'll try to take a look from my end and see if I can narrow down the places we need to examine to get this fixed!

system · June 7, 2018, 4:54pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.