Unbound and IPv6 DNS

Expected Behaviour:

IPv6 DNS working

Using this guide: Redirecting...

my conf:

```
server:
    verbosity: 1
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
```

Actual Behaviour:

IPv6 DNS is not working

If I change to Cloudflare IPv6 DNS it works, very odd

Do you have this in your unbound config file?

Oh it highlighted only a small part of the conf. I do see it’s enabled :slight_smile:

What’s the output of
ping6 flurry.com

Yes I do.

```
ping6 flurry.com
PING flurry.com(raspberrypi (2a00:7660:xxx::96)) 56 data bytes
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=1 ttl=64 time=0.134 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=2 ttl=64 time=0.115 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=3 ttl=64 time=0.115 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=4 ttl=64 time=0.114 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=5 ttl=64 time=0.118 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=6 ttl=64 time=0.111 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=7 ttl=64 time=0.140 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=8 ttl=64 time=0.111 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=9 ttl=64 time=0.118 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=10 ttl=64 time=0.113 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=11 ttl=64 time=0.121 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=12 ttl=64 time=0.111 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=13 ttl=64 time=0.131 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=14 ttl=64 time=0.115 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=15 ttl=64 time=0.113 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=16 ttl=64 time=0.113 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=17 ttl=64 time=0.130 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=18 ttl=64 time=0.114 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=19 ttl=64 time=0.128 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=20 ttl=64 time=0.113 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=21 ttl=64 time=0.131 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=22 ttl=64 time=0.106 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=23 ttl=64 time=0.118 ms
q64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=24 ttl=64 time=0.127 ms

64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=25 ttl=64 time=0.124 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=26 ttl=64 time=0.125 ms
q64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=27 ttl=64 time=0.142 ms
uit
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=28 ttl=64 time=0.119 ms
quit64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=29 ttl=64 time=0.127 ms

64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=30 ttl=64 time=0.128 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=31 ttl=64 time=0.127 ms
64 bytes from raspberrypi (2a00:7660:xxx::96): icmp_seq=32 ttl=64 time=0.121 ms
```

What's the output of:

dig AAAA ipv6.google.com @127.0.0.1 -p 5353

```
dig AAAA ipv6.google.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> AAAA ipv6.google.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 696
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;ipv6.google.com. IN AAAA

;; ANSWER SECTION:
ipv6.google.com. 604800 IN CNAME ipv6.l.google.com.
ipv6.l.google.com. 3600 IN AAAA 2a00:1450:400e:80b::200e

;; Query time: 47 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed May 23 18:19:46 CEST 2018
;; MSG SIZE rcvd: 93
```

The query ran an IPV6 request via unbound and it was resolved. Unbound IS responding and resolving IPV6 requests.

Do you have AAAA_QUERY_ANALYSIS=no in /etc/pihole/pihole-FTL.conf ?

Is your Pi-hole interface set-up to block ads via IPV6 ? If yes, if you cat /etc/pihole/setupVars.conf do you see an IPV6 under IPV6_ADDRESS= ?

If yes, does it match with what your clients have as your IPV6 DNS server?
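Added example, not part of the original posts: the dig query above was sent to 127.0.0.1, so it shows that unbound returns AAAA records, while the hop between dig and unbound used IPv4 and says nothing about IPv6 transport. The Python below parses dig output and reports both points; the function names and the trimmed sample are assumptions made for this example.

```python
import ipaddress
import re

# Sample input: the dig output quoted in the thread above, trimmed to the lines parsed here.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 696
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
ipv6.google.com. 604800 IN CNAME ipv6.l.google.com.
ipv6.l.google.com. 3600 IN AAAA 2a00:1450:400e:80b::200e

;; Query time: 47 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
"""

def summarize_dig(text):
    """Parse dig output into status, flags, AAAA answers and the resolver address used."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    server = re.search(r";; SERVER: ([^#\s]+)#(\d+)", text)
    aaaa, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False          # blank line or next section ends the answers
        elif in_answer:
            fields = line.split()      # name, TTL, class, type, rdata
            if len(fields) >= 5 and fields[3] == "AAAA":
                aaaa.append(str(ipaddress.IPv6Address(fields[4])))
    # Drop a zone id such as %eth0 before parsing a link-local resolver address.
    addr = ipaddress.ip_address(server.group(1).split("%")[0]) if server else None
    return {
        "status": status.group(1) if status else None,
        "flags": flags.group(1).split() if flags else [],
        "aaaa": aaaa,
        "port": int(server.group(2)) if server else None,
        "transport": f"IPv{addr.version}" if addr else None,
    }

def findings(summary):
    """State what the output demonstrates and what it leaves untested."""
    out = []
    if summary["status"] == "NOERROR" and summary["aaaa"]:
        out.append("resolver answers AAAA queries")
    if summary["transport"] == "IPv4":
        out.append("dig reached the resolver over IPv4; IPv6 transport untested")
    elif summary["transport"] == "IPv6":
        out.append("dig reached the resolver over IPv6")
    return out

if __name__ == "__main__":
    print(findings(summarize_dig(SAMPLE)))
```
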

pihole-FTL.conf

```
TIMEFRAME=today
RESOLVE_IPV6=yes
RESOLVE_IPV6=yes
MAXDBDAYS=1
IGNORE_LOCALHOST=yes
```

setupVars.conf

```
WEBPASSWORD=
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=10.10.1.2/24
IPV6_ADDRESS=2a00:7660:xxx::96
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=1
TEMPERATUREUNIT=C
WEBUIBOXEDLAYOUT=traditional
DHCP_START=10.10.1.2
DHCP_END=10.10.1.251
DHCP_ROUTER=10.10.1.1
DHCP_LEASETIME=24
PIHOLE_DOMAIN=mydoman.lan
DHCP_IPv6=false
DHCP_ACTIVE=false
DNSMASQ_LISTENING=local
PIHOLE_DNS_1=127.0.0.1#5353
DNS_FQDN_REQUIRED=false
DNS_BOGUS_PRIV=false
DNSSEC=false
CONDITIONAL_FORWARDING=false
API_EXCLUDE_DOMAINS=
API_EXCLUDE_CLIENTS=
API_QUERY_LOG_SHOW=all
API_PRIVACY_MODE=false
```

This is deprecated (no longer in use).

Try a nslookup flurry.com 2a00:7660:xxx::96

This will execute nslookup for the domain via the IPV6.
It should resolve to your raspberry.

Your web interface will show a blocked AAAA request to that domain.

```
nslookup flurry.com 2a00:7660:xxx::96
Server: 2a00:7660:xxx::96
Address: 2a00:7660:xxx::96#53

Name: flurry.com
Address: 10.10.1.2
```

Looks like it's working :slight_smile:

A dig AAAA flurry.com will resolve to your 2a00:7660:xxx::96 (and it should show up as blocked in your Query logs on your admin)

Bit odd, my IPv6 DNS server fails the test on https://test-ipv6.com and http://ipv6-test.com

Is IPv6 enabled on your client?

I have IPv6 disabled on my Mac, and therefore the IPv6 test on test-ipv6.com fails for me.
On other clients I have IPv6 enabled, and the test is ok.

All my clients got it on.

Is it possible that one has an IPv6 in the local net, but not outside of it (as the outside address is assigned by the provider)?

My USG does the IPv6 DHCP and gets it from the IPv6 is static range /48

Here is a better IPv6 test site; if something is NOK, there is a brief explanation.

Fail on DNS

Verdict:
Your DNS resolver is not able to reach name servers over IPv6.

Getting 100% at Connection test

Did a clear install and it works now.
