I recently enabled IPv6 on my network to learn more about it. I’m having some trouble getting clients to use the Pi-hole’s IPv6 link-local address to resolve DNS queries. I am following this guide: Ubiquiti USG - Pi-hole documentation
When I add the address to the USG’s DNS server settings for IPv6, I see the address updated in my clients, so router advertisement seems to work.
Using my Pi-hole server’s GUA works for DNS queries, but using its link-local address (fe80::) does not, and I’d like to avoid setting up ULA.
Details about my system
Nokia BGW320 (required by ATT)
Ubiquiti USG 3-P (gateway)
Ubiquiti US-8-60W (managed switch)
Pi-hole v5.17.2 server (2012 Intel NUC running Ubuntu 22.04.3)
Pi-hole is running directly on the host OS. The Unifi controller is running in a Docker container on the same server.
What I have changed since installing Pi-hole
Set up cloudflared for DNS-over-HTTPS
Things I’ve tried
I ran pihole -r and reconfigured it. The IPv6 address it gives me at the end is a GUA, which works, but the address could change.
I checked iptables and ufw rules; they look correct (and DNS queries using the GUA address work).
Manually adding the link-local address to setupVars.conf (I know editing this is frowned upon)
Adding the interface number or name (%2 and %eno1 respectively) to the end of the address
Some relevant pihole -d output with the public IPs X’d out:
[✓] tcp:[::1]:53 is in use by pihole-FTL
[✓] tcp:[2600:xxxx:xxxx:xxxx:c23f:d5ff:fe6a:5b0]:53 is in use by pihole-FTL
[✓] tcp:[2600:xxxx:xxxx:xxxx:193e:4f76:53bb:7df5]:53 is in use by pihole-FTL
[✓] tcp:[fe80::2a23:ffb8:ba12:6b2d]%eno1:53 is in use by pihole-FTL
[✓] tcp:[fe80::c8b8:2541:29c8:2084]%docker0:53 is in use by pihole-FTL
[✓] tcp:[fe80::da08:d78d:8475:683e]%veth06c8b6f:53 is in use by pihole-FTL
[✓] tcp:[fe80::2cce:72ff:feeb:9246]%veth06c8b6f:53 is in use by pihole-FTL
*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] thinkcompany.net is :: on lo (::1)
[✓] thinkcompany.net is :: on eno1 (2600:xxxx:xxxx:xxxx:c23f:d5ff:fe6a:5b0)
[✓] thinkcompany.net is :: on eno1 (2600:xxxx:xxxx:xxxx:193e:4f76:53bb:7df5)
[✗] Failed to resolve thinkcompany.net on eno1 (fe80::2a23:ffb8:ba12:6b2d)
[✗] Failed to resolve thinkcompany.net on docker0 (fe80::c8b8:2541:29c8:2084)
[✓] doubleclick.com is 2607:f8b0:4023:1009::8b via a remote, public DNS server (2001:4860:4860::8888)
dig output on the server:
➜ ~ dig @fe80::2a23:ffb8:ba12:6b2d lkhrs.com
;; UDP setup with fe80::2a23:ffb8:ba12:6b2d#53(fe80::2a23:ffb8:ba12:6b2d) for lkhrs.com failed: invalid file.
;; UDP setup with fe80::2a23:ffb8:ba12:6b2d#53(fe80::2a23:ffb8:ba12:6b2d) for lkhrs.com failed: invalid file.
;; UDP setup with fe80::2a23:ffb8:ba12:6b2d#53(fe80::2a23:ffb8:ba12:6b2d) for lkhrs.com failed: invalid file.
➜ ~ dig @fe80::2a23:ffb8:ba12:6b2d%eno1 lkhrs.com
;; communications error to fe80::2a23:ffb8:ba12:6b2d%2#53: timed out
;; communications error to fe80::2a23:ffb8:ba12:6b2d%2#53: timed out
;; communications error to fe80::2a23:ffb8:ba12:6b2d%2#53: timed out
; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> @fe80::2a23:ffb8:ba12:6b2d%eno1 lkhrs.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached
There is no requirement to have IPv6 enabled on your network to resolve AAAA (IPv6) DNS queries.
You can simplify your DNS setup by just using IPv4 for DNS.
A client can get an AAAA record using an IPv4 address to the DNS server, and then make the connection to the IPv6 DNS address if the client has IPv6 enabled.
Example from an IPv4 LAN setup:
dig -t AAAA cnn.com
; <<>> DiG 9.16.44-Raspbian <<>> -t AAAA cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40253
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cnn.com. IN AAAA
;; ANSWER SECTION:
cnn.com. 300 IN AAAA 2a04:4e42:e00::773
cnn.com. 300 IN AAAA 2a04:4e42:800::773
cnn.com. 300 IN AAAA 2a04:4e42:600::773
cnn.com. 300 IN AAAA 2a04:4e42::773
cnn.com. 300 IN AAAA 2a04:4e42:c00::773
cnn.com. 300 IN AAAA 2a04:4e42:200::773
cnn.com. 300 IN AAAA 2a04:4e42:a00::773
cnn.com. 300 IN AAAA 2a04:4e42:400::773
;; Query time: 69 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 23 15:26:40 CDT 2023
;; MSG SIZE rcvd: 260
Thank you, I’m aware and I want to continue using IPv6 on my home network. Do you have any ideas why the link-local address isn’t responding to queries?
Those errors indicate to me that the problem lies at the network level.
Using link locals with multiple interfaces and thus multiple links is going to get a bit involved. If you want to stay with v6 or dual stack then I suggest setting up a ULA scheme for your LAN.
For some reason Linux does not automatically append the local link interface (i.e. the interface on the client, not the DNS server) to the DNS' local link fe80:: address. On Windows clients it works fine.
The interface may also be the serial number (e.g. %2 instead of %eth0 or %wlan0).
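The zone-index mechanism the reply above describes (the "%eno1" or "%2" suffix becoming the socket's scope id) is easier to see with the sockets API exposed than behind dig. The following is an added example, not code from any poster in this thread or from Pi-hole: it splits a "%zone" suffix off a server address, refuses a bare link-local address (which is what produces the "invalid file" style failure in the first dig run above), and sends a minimal DNS query with the scope id in the fourth element of the sockaddr tuple. Function names are my own; the only real-world names used are the Python standard library calls and the OP's link-local address as a usage example.

```python
import ipaddress
import socket
import struct


def split_zone(server: str) -> tuple[str, int]:
    """Split 'fe80::1%eno1' or 'fe80::1%2' into (address, scope_id).

    A link-local (fe80::/10) destination is ambiguous on a host with more
    than one link, so the kernel needs sin6_scope_id; that is what the
    '%zone' suffix supplies. Global addresses need no zone and get scope 0.
    """
    host, sep, zone = server.partition("%")
    ip = ipaddress.IPv6Address(host)  # raises ValueError on a malformed address
    if not sep:
        if ip.is_link_local:
            raise ValueError(f"{host} is link-local; append %<iface> or %<index>")
        return host, 0
    if zone.isdigit():  # '%2' style: already an interface index
        return host, int(zone)
    return host, socket.if_nametoindex(zone)  # '%eno1' style: look the index up


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: RD set, one question, no EDNS. qtype 1=A, 28=AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_reply(packet: bytes, expected_txid: int = 0x1234) -> dict:
    """Return rcode and answer count from a reply header, checking the txid."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def query(server: str, qname: str, qtype: int = 1, timeout: float = 2.0) -> dict:
    """Send one UDP query to server (with optional %zone) and parse the header."""
    host, scope = split_zone(server)
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # IPv6 sockaddr is (host, port, flowinfo, scope_id); the scope_id is
        # the interface index that a bare fe80:: address cannot express.
        sock.sendto(build_query(qname, qtype), (host, 53, 0, scope))
        data, _ = sock.recvfrom(4096)
    return parse_reply(data)


if __name__ == "__main__":
    import sys

    # e.g.: python3 ll_query.py fe80::2a23:ffb8:ba12:6b2d%eno1 lkhrs.com
    print(query(sys.argv[1], sys.argv[2]))
```

Running it with the bare address raises before any packet is sent, which is the behaviour to expect from any resolver library on Linux that does not add the zone for you; the same query with "%eno1" or "%2" appended is delivered on that interface. A timeout with the zone present (the second dig run above) means the packet left on the right link, so the remaining question is whether the server is actually answering on that address.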