I have a pair of devices set up with PiHole, and syncing via Nebula. DNS is working perfectly.
Before I enable DHCP on the devices, I wanted to make sure I had the best understanding of how to properly advertise both PiHole devices via DHCP, so that if one goes down, clients will still reach the other one. From what I am seeing, this can be done via a conf file in /etc/dnsmasq.d/
Would this be a valid entry to add to a conf file?
This appears to be an invalid configuration parameter, per the dnsmasq manual:
You want dhcp-option=6,Pi-holeIP,SecondaryDNSIP
But, note that in Pi-hole V6 you will need to explicitly enable additional dnsmasq files in directory /etc/dnsmasq.d.
In file /etc/pihole/pihole.toml
# Should FTL load additional dnsmasq configuration files from /etc/dnsmasq.d/?
# Warning: This is an advanced setting and should only be used with care.
# Incorrectly formatted or config files specifying options which can only be defined
# once can result in conflicts with the automatic configuration of Pi-hole (see
# /etc/pihole/dnsmasq.conf) and may stop DNS resolution from working.
etc_dnsmasq_d = true ### CHANGED, default = false
Change the parameter to true as shown.
Also, note that you don't really need IPv6 DNS server addresses. You are using local addresses on your LAN, and any type of DNS query can be resolved over either IPv4 or IPv6. This will work fine with just the IPv4 addresses.
That won't work.
You are not declaring a type of option, which should be dns-server.
In addition, note that DHCP is strictly an IPv4 protocol.
IPv6's close equivalent is DHCPv6, which is a different protocol using different ports.
Consequently, you can't mix IPv4 and IPv6 addresses in a DHCPv6 option - IPv4 options (option) and IPv6 options (option6) will require their own lines.
For IPv4, the correct line would read:
dhcp-option=option:dns-server,10.0.0.4,10.0.0.5
While you could consider adding an option6 line for your IPv6 addresses, you should be aware that most client OSes would prefer to configure themselves via NDP, i.e. they won't request DNS server information via DHCPv6, but rather will learn them from RDNSS information as advertised by your router.
You should first verify whether your router would support IPv6 DNS configuration.
If it doesn't allow you to disable advertising its own IPv6 as DNS server or setting a custom IPv6 address, then clients will pick up your router's IPv6 as DNS server via RDNSS RAs, bypassing Pi-hole.
Running sudo pihole-FTL dhcp-discover may help in diagnosing which IPv6 addresses your router is advertising for DNS.
My router (an Orbi 850 series) won't let me assign DNS via DHCP - if I use the Router for DHCP, it automatically assigns itself as the DNS server. (I found this out after I bought it, wired up the house, set up the satellites, etc., so I am not amused.) I could arguably tell the router to use the PiHoles as DNS instead of upstream, but I'd prefer to cut out the middleman, as it were.
So my plan at this point is to try to use DHCP off my PiHoles, and have them list each other as alternate DNS servers.
I've already determined that if I don't set them as DNS servers manually for IPv6, I can't resolve things internally on my network. So I do need to make sure that DNS is handed out for IPv6, and points to my PiHoles, to make use of their internal redirection. I just need to figure out how to list both DNS servers for DHCP.
I didn't mean for you to share the output, but to use it in your analysis.
I've reduced your output to the relevant part and obfuscated your public IPv6 as well as MAC addresses.
Your router is advertising its own public IPv6 GUA as DNS server:
To be sure that Pi-hole can't be bypassed via IPv6, you should verify whether that RDNSS line would disappear when you disable your router's DHCP server.
Note that even if it does, your clients may still continue to use it until its lifetime has expired.
And if it still shows up, you should consult your router's documentation and support for further assistance on its IPv6 DNS configuration options, which should include DHCPv6 as well as NDP RDNSS RAs.
Got it, thank you. At some point when I can make the switch and it won't impact the rest of my household (i.e. - we're not all WFH at the time), I will try disabling DHCP on the router, and enabling it on the PiHoles, then run the check again to see if the Router is still advertising DNS for IPv6.
I guess my remaining question is this: I would like to have redundancy for IPv6 DNS in the event one of the PiHoles is offline (updates, rebooting, hardware failure, etc.). Is there a need to, and a way, to set DHCP on the PiHole devices so that they advertise each other for redundancy?
For your dual stack and IPv4-only clients (IoTs, mostly), it would be fully sufficient to provide them exclusively with a set of IPv4 DNS server addresses.
Doing so would also make your Pi-hole's dashboard and Query Log tidier and easier to read.
If you'd still opt to have your Pi-holes advertise their IPv6 addresses for DNS, you should advertise one of their stable ULA or LLA addresses, by supplying an option6:dns-server line and enabling Pi-hole's IPv6 support.
Don't pick temporary addresses, as their IID will change over time, and you don't want to edit your Pi-hole configuration every two hours.
For similar reasons, you want to steer clear of GUAs as well, as their IPv6 prefix may be changed by your ISP, either regularly or e.g. after a router restart.
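The replies above make three separate points about dhcp-option lines in /etc/dnsmasq.d/: the option name needs its option: or option6: prefix, IPv4 and IPv6 DNS servers must go on separate lines (DHCPv4 vs. DHCPv6), and any IPv6 address handed out should be a stable ULA or LLA rather than a GUA. The following script is an added example, not code from the thread or from the Pi-hole project; it lints a dnsmasq fragment for exactly those three mistakes before you copy it into place. The GOOD_CONF and BAD_CONF fragments and the addresses in them (10.0.0.4/10.0.0.5 from the thread, fd12:3456:789a::/48 and 2001:db8::/32 made up) are constructed sample input; the hypothetical function names are mine.

```python
import ipaddress
import re

# Constructed sample fragment for /etc/dnsmasq.d/ (not from the thread's files).
# Both Pi-holes are listed so clients still have a resolver if one is down;
# IPv4 and IPv6 servers sit on separate option: / option6: lines, and the
# IPv6 addresses are stable ULAs (fd00::/8) rather than GUAs.
GOOD_CONF = """\
dhcp-option=option:dns-server,10.0.0.4,10.0.0.5
dhcp-option=option6:dns-server,[fd12:3456:789a::4],[fd12:3456:789a::5]
"""

# Constructed fragment reproducing the mistakes discussed in the thread:
# line 1 lacks the option: prefix, line 2 mixes an IPv6 address into a
# DHCPv4 option, line 3 hands out a GUA whose prefix the ISP may change.
BAD_CONF = """\
dhcp-option=dns-server,10.0.0.4,10.0.0.5
dhcp-option=option:dns-server,10.0.0.4,2001:db8::5
dhcp-option=option6:dns-server,[2001:db8:abcd::4]
"""

ULA = ipaddress.IPv6Network("fc00::/7")   # unique local addresses
LLA = ipaddress.IPv6Network("fe80::/10")  # link-local addresses

# dhcp-option=[tag:<tag>,]<option>,<value>[,<value>...]
LINE_RE = re.compile(r"^dhcp-option=(?:tag:[^,]+,)*(?P<opt>[^,]+),(?P<vals>.+)$")


def classify_v6(addr: ipaddress.IPv6Address) -> str:
    """Return 'ula', 'lla' or 'gua' for an IPv6 address."""
    if addr in ULA:
        return "ula"
    if addr in LLA:
        return "lla"
    return "gua"


def lint_dhcp_dns_options(conf: str) -> list[str]:
    """Check every dhcp-option line that hands out DNS servers; return findings."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("dhcp-option="):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"line {n}: cannot parse dhcp-option line")
            continue
        opt, vals = m.group("opt"), m.group("vals").split(",")
        # DHCPv4 DNS servers: 'option:dns-server' or numeric code 6.
        # DHCPv6 DNS servers: 'option6:dns-server' or 'option6:23'.
        if opt in ("option:dns-server", "6"):
            family = 4
        elif opt in ("option6:dns-server", "option6:23"):
            family = 6
        elif opt == "dns-server":
            findings.append(f"line {n}: option name lacks 'option:' or 'option6:' prefix")
            continue
        else:
            continue  # some other option; not a DNS-server line
        for v in (x.strip() for x in vals):
            if family == 4:
                try:
                    ipaddress.IPv4Address(v)
                except ValueError:
                    findings.append(f"line {n}: {v!r} is not an IPv4 address "
                                    "(DHCPv4 options carry IPv4 addresses only)")
            else:
                # dnsmasq expects IPv6 values in option6 lines in square brackets.
                if not (v.startswith("[") and v.endswith("]")):
                    findings.append(f"line {n}: {v!r} must be an IPv6 address in square brackets")
                    continue
                try:
                    a6 = ipaddress.IPv6Address(v[1:-1])
                except ValueError:
                    findings.append(f"line {n}: {v!r} is not an IPv6 address")
                    continue
                if classify_v6(a6) == "gua":
                    findings.append(f"line {n}: {a6} is a GUA; prefer a stable ULA or LLA")
    return findings


if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, lint_dhcp_dns_options(conf) or "OK")
```

Run it against a fragment you are about to drop into /etc/dnsmasq.d/ (after setting etc_dnsmasq_d = true in pihole.toml, as noted above) and fix anything it reports before restarting FTL. The check is deliberately narrow: it only looks at DNS-server options and does not validate dhcp-range or other settings.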