Still getting ads with pihole. IPv6 to blame?

The issue I am facing:
I'm setting up a pihole for the first time after an R Pi 4 8GB landed for Christmas, but it's opened up a world of ??? for me. Clearly I've slept my way through the last decade and I'm now trying to understand the world with IPv6 and if IPv6 matters to things like ad blocking via a DNS sinkhole. I started digging into this because I was still seeing some ads, perhaps not as many as before but more than I want to.

Note: I'm asking this in the Docker pihole help section because that's my setup and I jumped through some hoops to get IPv6 working with my docker pihole with a macvlan network driver (again learning as I go). I don't know if IPv6 just works with pihole if you are outside Docker or not so it's possible this question is more widely relevant as it relates to IPv6 DNS discovery on my network but I thought I'd start here.

I expect that the answer to some extent will be: it depends. It depends on how your ISP is set up, what the router they give you allows you to configure, if they are live with IPv6 in their infrastructure and if your local devices and software applications (like browsers) are using IPv6 too. For me, all this seems to be true.

Details about my system:
My ISP provides a minimally configurable interface on its router. I couldn't reassign DNS servers offered in its IPv4 DHCP server so I turned that off and switched on the DHCP server on the pihole. That seems to work ok, and I can see the network table in the pihole UI populate with devices getting their IPv4 addresses, and IPv4 DNS from there. However, I noticed that on IPv6-enabled devices I was picking up the router's IPv6 address as DNS alongside the pihole IPv4 address. So to test if IPv6 DNS works on the pihole I manually changed my Windows 10 wifi TCP/IPv6 settings to point to the pihole IPv6 for DNS. This works:

❯ nslookup google.com
Server:  pihole.lan
Address:  2a00:xxxx:xxxx:4801::4

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4009:80d::200e
          216.58.212.206

Now no ads

But, if I switch back to the default IPv6 DNS - I start getting ads again in web pages. So I thought I'd ask here for advice. Does this mean that my pihole is being bypassed in my default network setup, where IPv6 is being used to resolve adserver names?

I understand that it's default behaviour for IPv6 interfaces to provide their own address, but DHCPv6 might be being used to pick up a gateway and DNS address in IPv6... is that right?

It seems I can turn off IPv6 address allocation on my router - just done it in fact - but now when I renew my ipconfig it's not getting any router or DNS addresses. At least that seems to confirm my understanding above. Is there some way to turn on DHCPv6 on the pihole so that it sets itself as the DNSv6 server and sets the router to be the IPv6 gateway? Looking into this myself now but posting the question.

What I have changed since installing Pi-hole:
Just the DHCP being switched on with relevant settings for my lan

A simple fix here is to disable IPv6 on your router and clients. It is not needed on your LAN, and very few websites are IPv6 only.

Yes, but not necessarily for any given client.
IPv6 is putting quite some emphasis on autonomous client configuration.
Your above description would match a client that uses Stateless DHCPv6 (as opposed to Stateful DHCPv6 where a client obtains a full lease much like via IPv4's DHCP).

However, clients may not use DHCPv6 at all, but instead employ SLAAC and learn DNS servers via router advertisements (RAs). Most modern OSs provide support for either way, but some OSs are restricted to certain modes only (e.g. Android does not support DHCPv6 at all).

You may enable Pi-hole's IPv6 support via Settings|DHCP (tick Enable IPv6 support (SLAAC + RA)), but as long as your router is advertising itself as DNS server alongside Pi-hole, actual selection of DNS servers would happen entirely at a client's discretion.

If you cannot configure your router to not distribute an alternate IPv6 DNS server address (thus allowing clients to bypass Pi-hole), your only option may be to disable IPv6 altogether (if your router allows).
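
Added example, not part of the thread and not Pi-hole's code: a parser for the ICMPv6 Router Advertisements discussed in the reply above, reporting the M/O flags (stateful/stateless DHCPv6), the SLAAC prefixes, and any DNS servers carried in the RDNSS option, so you can see which advertised resolvers are not the Pi-hole. The function names, the sample RA bytes, and the `2001:db8:0:1::/64` and `fe80::1` addresses are constructed for illustration; on a real network you would feed it the ICMPv6 payload of an RA taken from a packet capture.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134), starting at the ICMPv6 header."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(icmp[5] & 0x80),  # M flag: stateful DHCPv6
            "other": bool(icmp[5] & 0x40),    # O flag: stateless DHCPv6 (DNS etc.)
            "slaac_prefixes": [], "rdnss": []}
    pos = 16                                  # options follow the fixed header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        body = icmp[pos:pos + opt_len]
        if opt_type == 3 and opt_len == 32 and body[3] & 0x40:  # Prefix Info, A flag set
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            info["slaac_prefixes"].append(str(net))
        elif opt_type == 25 and opt_len >= 24:                  # RDNSS (RFC 8106)
            lifetime = struct.unpack("!I", body[4:8])[0]
            if lifetime:                                        # 0 = withdraw these servers
                info["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                                  for i in range(8, opt_len, 16)]
        pos += opt_len
    return info

def dns_bypass_paths(info: dict, pihole: str) -> list:
    """List DNS sources in this RA that let a client skip the Pi-hole."""
    want = ipaddress.IPv6Address(pihole)
    paths = [f"RDNSS {a}" for a in info["rdnss"] if ipaddress.IPv6Address(a) != want]
    if info["managed"] or info["other"]:
        paths.append("DHCPv6 (check the DNS servers it hands out)")
    return paths

def build_sample_ra() -> bytes:
    """Constructed RA: O flag set, one SLAAC prefix, RDNSS = router + Pi-hole."""
    packed = lambda a: ipaddress.IPv6Address(a).packed
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    prefix = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0) + packed("2001:db8:0:1::")
    rdnss = struct.pack("!BBHI", 25, 5, 0, 600) + packed("fe80::1") + packed("2001:db8:0:1::4")
    return hdr + prefix + rdnss

if __name__ == "__main__":
    ra = parse_ra(build_sample_ra())
    print(ra)
    print(dns_bypass_paths(ra, "2001:db8:0:1::4"))
```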

Hi jfb (not allowed to @ you yet!) thanks for the solution. I'll mark it as the answer because after turning off the address allocation for IPv6 on my router, IPv6 didn't seem to work in the same way on my local network. The router still says that IPv6 is enabled but whereas I could previously ping things with my global LAN unicast (2a00:xxxx:xxxx:4801 as in my original post shown above) that doesn't seem to work now. The link local does seem to work. Below I'm forcing nslookup on my laptop to query the link local address of the pihole for DNS.

❯ nslookup google.com fe80::d2ca:xxxx:xxxx:ef01
Server:  UnKnown
Address:  fe80::d2ca:xxxx:xxxx:ef01

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4009:80d::200e
          216.58.210.238

which still works, but everything seems to now default to IPv4 DNS so ads are gone. Switching off IPv6 address allocation on the router seems to result in nothing getting an IPv6 route anywhere so can't use it and falls back to IPv4. So as you suggest that is the simple fix.

What I would add though is that I was unaware that my ISP was enabling IPv6 in its infrastructure and consumer routers or that devices on my network were often using IPv6 first. For all my network stuff I've only used IPv4, up until trying to understand why I was still seeing ads post pihole and have spent several hours learning about why (IPv6 DNS) since then. I've been aware that everything I use has had an IPv6 address for at least the last decade but got comfortable thinking it didn't do anything. That appears to be not so true now. BTW my ISP is BT in the UK so presumably would affect lots of other people.

Thanks for the deeper insight Bucking_Horn. I'll experiment a bit more tomorrow (how did I not see that checkbox it was right in front of me the whole time) but I suspect that I will find that the router advertisements will compete which means either I leave IPv6 as disabled as possible or get a different router which allows me to configure where the router advertisements come from. Defeated by ads!?! Funny.

@Bucking_Horn A bit of follow-up: I looked at a Wireshark capture on my wifi from my laptop today with both the router in stateless address allocation and the pihole in IPv6 (SLAAC + RA). I notice a bunch of RAs from the router but none from the pihole. The router RAs go to a multicast address for all nodes: FF02::1. The only ICMPv6 messages I see from the pihole appear to be Neighbour Advertisements which go point to point to my laptop. Should I be seeing RAs from the pihole going to FF02::1?

[Forgot to say: the Neighbour Advertisement seems to follow Neighbour Solicitation from other devices on the network to a router. Both are receiving them]

Additionally: I can see these events sporadically like maybe 15 mins apart? in the pihole log:

Dec 30 18:43:22 dnsmasq-dhcp[15393]: RTR-ADVERT(eth0) fd00:0:0:1::
Dec 30 18:43:22 dnsmasq-dhcp[15393]: RTR-ADVERT(eth0) 2a00:xxxx:xxxx:4801::

But I don't see them in wireshark