Win 10 upgrade now using IPv6 for DNS

I have Pi-hole & Unbound working on a Raspberry Pi 4. It is connected by cable to my network.

It seems that this new version of Windows 10 is using IPv6 for DNS, rather than IPv4.

I am using the Pi as the DHCP with the upstream IPv4 set to 127.0.0.1#5335
It would appear that the IPv6 setup on the network interface is not being set up to point to the Raspberry Pi.
There is no facility in my modem (gateway) to set up IPv6 DNS.

Is the only solution to manually set the IPv6 DNS on the Windows machine, or shouldn't the DHCP service provide this?

Or am I missing something in the configuration?

IPv6 is an autoconfiguration protocol. Unlike IPv4, it doesn't need DHCP and infers information about, for instance, DNS servers by itself. If your gateway does not support changing IPv6 related settings, you may have to resort to setting things manually.

Thank you for your reply.
I have been reading a lot of the documentation on IPv6 and it has become obvious that a lot is copied from article to article and a lot of it is obviously not actually understood by its authors. They know how to do some things but usually don't know why.
I do not think I should have to set the IPv6 manually for each machine, the IPv6 protocol itself should provide that service (I think?). IPv6 contains the ability for a client to query (via a broadcast) for the DNS address. This is either not happening from Windows (unlikely) or the query is not being answered by Pi-hole.

The result is that my Windows 10 machine, which recently upgraded (it was unavoidable for other reasons; I still loathe Microsoft and I find Ubuntu "quaint"), set an IPv6 DNS to some address other than my Pi-hole.
I am using Pi-hole as my DHCP server and it seems to be assigning both the IPv4 address and the IPv6 address, updating the IPv4 DNS, but the IPv6 protocol does not set the IPv6 DNS, which then defaults to a Windows 10 default.
I can manually set the IPv6 in my Windows 10 machine to point to the Pi-hole but I believe I should not have to do this.
One of two things is happening:
Windows is overriding the setup information when the IPv6 protocol queries the Pi-hole for the IPv6 DNS,
or (more likely)
my Pi-hole (FTL) is not responding to the request for IPv6 DNS, so Windows uses its default IPv6 DNS.
So it seems I need to delve a little deeper.
My first thought is that the FTL configuration contains an error or more likely an omission. I guess I need to learn that as well.
Any pointers would be gratefully received.

DHCP is strictly an IPv4 service, the corresponding IPv6 service is aptly named DHCPv6, but it constitutes a different service altogether (different ports, different protocol).

As Stateful DHCPv6, it would be about equivalent to DHCP, handing out complete IPv6 addresses to clients.

But with IPv6, it is much more common that clients will calculate IP addresses autonomously using SLAAC, requesting additional information only as needed. They can do so via Stateless DHCPv6 or completely go the SLAAC way and acquire information through NDP RAs.

Ultimately, it's the client that decides on the way it joins an IPv6 network, e.g. Androids can only do so using SLAAC. Windows has started with supporting DHCPv6, but Win10 can use either Stateful or Stateless DHCPv6 or SLAAC.

When using the latter two, it is likely that both your router and Pi-hole are advertising one or more DNS servers for IPv6.
But it is again the client that will decide which of the DNS servers it is going to use.

If you have no means to configure DNS for IPv6 in your router, then the only option to guarantee that a specific client won't use a public DNS server for IPv6 is to change your client's behaviour.

Did you verify which DNS server your Win10 client is using for IPv6?


Thanks for the reply. That is actually the best description of the nuances of DHCPIPv6 so far. Would be handy in a Guide on DNS.
My router doesn't do IPv6 at all. Its DNS is set to pi-hole. Its DHCP is disabled.
I am using Pi-hole as the DHCP with it also set to SLAAC. Its gateway is the router.
I have disabled IPv4 on my client (to check what's happening).
It occurred to me that at the time of setup (client) Windows 10 knows the gateway only from IPv4, so if it was to set up without IPv4, what gateway would it use?
The Gateway in Pi-hole is set, so regardless of where a request comes from (IPv4 or IPv6-SLAAC) Pi-hole should be able to fulfill that request.
Apparently not, however. ipconfig /all reveals the default gateway is set to a multicast address (fe80....) and the DNS server list contains the same multicast address along with 3 others, none of which is the Pi-hole.
Prima facie, doesn't this indicate that SLAAC on the Pi-hole is not functioning correctly?

I assume that Pi-hole knows the gateway (it's still doing IPv4) so it will know its MAC address and should have assigned an IPv6 address to it as part of SLAAC.
Is my logic flawed, or do I only know enough to get myself into trouble?

Your router most certainly does IPv6; it just doesn't allow you to configure it.

No, fe80: isn't a multi-cast, it is a link-local address.
If it's showing up as gateway, it's likely that of your router (note that IPv6 gateway addresses have to be link-local, and a gateway is irrelevant as far as your DNS issue is concerned).

If your ipconfig /all would list the very same link-local address among your client's DNS servers, then that would be fully in line with my previous explanations:

Since you propose that your router indeed doesn't allow any IPv6 configuration (not even disabling IPv6 completely?), you have to tackle this on your client.
You may either have to set your DNS server for IPv6 manually, or you could try to change your IPv6 prefix policies on your client, or both.

Today I noticed that IPv6 is used. I suddenly saw a lot of googleads and doubleclick and all the others you see without Pi-Hole.

I did some troubleshooting (nothing seemed wrong, but I did uninstall and re-install pi-hole just to be sure, no change). Then I went to control panel to check if I did set the DNS server to the pi-hole and not the home router, when I did that, I saw that IPv6 was enabled. I disabled it for testing, and ads were blocked again :slight_smile:

Now I re-enabled it and manually inserted the Pi's IPv6 address there in the DNS field.

Edit: I can't change the IP address of the DNS server inside my router (it's a provider one, so very limited configuration possibilities and modem, router, firewall, WAP and 4-port switch in one) and am afraid to turn the router into "everything-else-except router" because our TV decoder still needs internet (I don't know if it's in a separate VLAN or something like that)

I_Am_Nothere, I don't see how this is helping with BernieK's issue, since you seem to use an altogether different router.
Are you instead seeking help yourself?

It is indeed not helping his issue, but I mentioned that I figured (thanks to this post and the comments) that IPv6 was enabled on my PC and I mentioned that I am not able to give IPv6 DNS server dynamically in my router, so that I had to set it statically.

So, it's more like a thank you to both @BernieK (for stating his question) and you @Bucking_Horn (for expanding my knowledge a bit on IPv6) and because of you, I was able to stop getting ads via IPv6 :partying_face:

Did some further testing (after reading a couple of other of your replies on other topics)

Well... even if I set the DNS server manually in Windows, it doesn't work. It lists the Pi-hole address as the IPv6 DNS, however that actually does not work.
Without IPv4 enabled, using nslookup pi.hole just times out. Same with nslookup flurry.com, which also times out.
With IPv4 enabled the server name is unknown but it is reachable in both cases.
Using nslookup flurry.com 80.241.218.68 gets the server name so there is redirection happening.

With IPv4 disabled and IPv6 DNS set auto, some addresses are still reachable (google.com) so there is some functionality, but setting it manually to the pihole kills it all.

I guess setting IPv6 manually just breaks it and Windows 10 times out, then falls back to IPv4.
Presumably, Windows' default DNS server is limited (probably it has upgrade addresses only) so some addresses are reachable.
Is there a way to test pihole IPv6 (& SLAAC) either from the web interface or from a system console?

With the redirection, it looks like I need to get into the modem even more (I have root access). Rats!

No, the server name doesn't indicate redirection.
Please provide the full output of that command, including the exact command itself.

Thank you for the reply

With IPv4 & IPv6 & manual DNS in IPv6

PS C:\WINDOWS\system32> nslookup flurry.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2001:8003:6d47:b500:c77e:cce3:be0b:8fd5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

and

PS C:\WINDOWS\system32> nslookup flurry.com 80.241.218.68
Server:  dismail.de
Address:  80.241.218.68

Name:    flurry.com
Address:  0.0.0.0

and with IPv4 & IPv6 all auto

PS C:\WINDOWS\system32> nslookup flurry.com
Server:  UnKnown
Address:  2001:8003:6c2c:d100:5d66:ae:5f45:e095

Name:    flurry.com
Addresses:  ::
          0.0.0.0

and

PS C:\WINDOWS\system32> nslookup flurry.com 80.241.218.68
Server:  dismail.de
Address:  80.241.218.68

Name:    flurry.com
Address:  0.0.0.0

PS C:\WINDOWS\system32>

The latter two commands show the expected results, i.e., your standard DNS server is correctly blocking access to flurry.com, and your router is not redirecting DNS.

Your very first command is failing with time-outs.
Likely, this is because you did provide an incorrect or expired IPv6 address: Note that the IPv6 prefix used differs from the one used in the later succeeding nslookup.

You can list the current IPv6 addresses for your Pi-hole by running:

ip -6 address show

When considering an IPv6 address for Pi-hole, you should probably avoid using a public address (2000::/3 range) altogether: Not only is Pi-hole not meant to be publicly available, but with a public IPv6, both your IPv6 prefix and the interface identifier are subject to change (the former by your ISP, the latter by IPv6 Privacy Extensions and the likes), and Pi-hole requires a stable address.

As using an IPv6 ULA address obviously isn't an option with your router, try using your Pi-hole's link-local IPv6 address (fe80::/10 range) instead.
However, note that this address is only accessible for devices on the same network segment.


The server, however, in the second last one is not the Raspberry Pi; it is my ISP's IPv6 DNS.
I manually set the IPv6DNS to the link local address which I obtained from the network tools. (obviously great minds think alike :slightly_smiling_face:)

If I understand your explanation (which is far from certain ) it seems the raspberrypi is obtaining its address from the ISP.
I am pretty sure I have a standard default setup but with Unbound as a recursive DNS server, but I don't think that should make any difference to the Pi-hole setup.

I will reset the modem to take it off the network while I reboot the raspberrypi.
I believe, if I understand the way it works, the Raspberry Pi should then assign its own IPv6 address.
Not confident, though.

No need to reset your modem.

If you are going to manually set an IPv6 address as DNS server on your Win10 machine, start by listing current IPv6 addresses on your RPi 4B by running the following command:

ip -6 address show eth0

Replace eth0 with the correct interface as required.

Then pick an IPv6 address from that list, but avoid public IPv6 addresses (2000::/3 range), and use that as your Win10 DNS server's IPv6 address.

The same address should be configured as Pi-hole's IPv6 address.
If it isn't already, run

pihole -r

and choose Reconfigure.
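The selection rule from the reply above (take a ULA or link-local address, skip anything in 2000::/3), written out as an added example that is not part of the original thread. The sample output is constructed with documentation and made-up prefixes, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample of `ip -6 address show eth0` output (not from this thread).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:6c2c:d100:5d66:ae:5f45:e095/64 scope global temporary dynamic
       valid_lft 4257sec preferred_lft 4257sec
    inet6 2001:db8:6c2c:d100:a1d9:a434:5df6:3ed2/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 4257sec preferred_lft 4257sec
    inet6 fd00:1234:5678:1:a1d9:a434:5df6:3ed2/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::a1d9:a434:5df6:3ed2/64 scope link
       valid_lft forever preferred_lft forever
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # public, prefix set by the ISP
ULA = ipaddress.ip_network("fc00::/7")              # unique local addresses
LINK_LOCAL = ipaddress.ip_network("fe80::/10")      # same network segment only
UNSTABLE_FLAGS = {"temporary", "deprecated", "tentative", "dadfailed"}

def classify(addr):
    """Classify by range; `ip` prints 'scope global' for ULA as well as public."""
    if addr in ULA:
        return "ula"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"

def parse_inet6(text):
    """Yield (address, kind, flags) for every inet6 line of `ip -6 address show`."""
    for m in re.finditer(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+\S+(.*)$", text, re.M):
        addr = ipaddress.IPv6Address(m.group(1))
        yield addr, classify(addr), set(m.group(2).split())

def pick_dns_address(text):
    """Best stable address to configure as the DNS server, or None if there is none."""
    rank = {"ula": 0, "link-local": 1}  # public addresses are never candidates
    candidates = [(rank[kind], str(addr))
                  for addr, kind, flags in parse_inet6(text)
                  if kind in rank and not flags & UNSTABLE_FLAGS]
    return min(candidates)[1] if candidates else None

if __name__ == "__main__":
    print(pick_dns_address(SAMPLE))
```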

I think I am missing something.
The above does not work.
Can I use the link-local address as the Pi-hole address in the reconfigure? (That doesn't seem right though, because that won't be valid till the Raspberry Pi is running.)

But the setup of the Raspberry Pi uses avahi to set up its IPv6 address, and that address is provided by the ISP/router (it obviously has DHCPIPv6 running), which is why it is 2001:... (which is why I tried to reset the modem and boot the Raspberry Pi while the router was up but had no DSL link, hence no external connection anywhere).
Perhaps it's the router doing the DHCPIPv6 and the DNS is hard coded into it by the ISP.
Because it sets up in this way, it seems Windows, in its setup using multicast, is being answered by the ISP/router, not the Pi-hole.

I guess I just don't understand enough of how the gateway/raspberry pi interact when initializing.
Next step is to restart the raspberry pi without the Ethernet connection and see what its address is set to.

Think I need a whiskey break!

Please provide the output for

ip -6 address show eth0

Thank you for the reply. Sorry it is taking so long to reply. I needed a break and to catch up on other things

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:8003:6c2c:d100:5d66:ae:5f45:e095/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 4257sec preferred_lft 4257sec
    inet6 fe80::a1d9:a434:5df6:3ed2/64 scope link
       valid_lft forever preferred_lft forever

I did yet another pihole -r and have a much better understanding of what was going on. I set the DNS to NextDNS.
Pi-hole didn't function on IPv6 but when I removed them from Pi-hole set the upstream to Unbound, 127.0.0.1#5335.

On reboot with the IPv6 settings set to auto, Windows pointed to Pi-hole and worked correctly.
I am not sure I actually understand why but it is now working correctly. The relevant output of ipconfig /all
shows it is now correctly set.

  DNS Servers . . . . . . . . : 2001:8003:6c2c:d100:5d66:ae:5f45:e095
                                192.168.0.162
                                2001:8003:6c2c:d100::1
                                fe80::e2b9:e5ff:feab:846a%4
                                2001:8003:6c2c:d100:5d66:ae:5f45:e095

I do not quite understand why it now works but the amount I don't understand generally is vast.

That last half sentence is true for any of us. :wink:

Your ipconfig output confirms my earlier statement:

In your ipconfig output above, line 2 is your Pi-hole's IPv4 address, IPv6 addresses in lines 3 and 4 likely belong to your router (Technicolor?), and the remaining IPv6 are likely those of your Pi-hole machine.

Your Pi-hole may currently receive some DNS queries, but your Win10 client may use any available DNS server for any request: It will by-pass Pi-hole by using your router's addresses.

Which brings us back to my previous conclusion:

If you can ping your Pi-hole's fe80 link-local IPv6 address from your Win10 machine, you should be able to follow my previous hints to statically configure a DNS server IPv6 address.
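The check described in the last reply (which of the client's DNS servers are not the Pi-hole and can therefore be used to bypass it), as an added example that is not part of the original thread. The DNS list and the Pi-hole addresses are the ones posted above; the function names are illustrative and the parser assumes English-language ipconfig output.

```python
import ipaddress
import re

# "DNS Servers" block from the ipconfig /all output posted in this thread.
IPCONFIG = """\
   DNS Servers . . . . . . . . : 2001:8003:6c2c:d100:5d66:ae:5f45:e095
                                 192.168.0.162
                                 2001:8003:6c2c:d100::1
                                 fe80::e2b9:e5ff:feab:846a%4
                                 2001:8003:6c2c:d100:5d66:ae:5f45:e095
"""

# Addresses the thread attributes to the Pi-hole host (ip -6 output plus its IPv4).
PIHOLE = ["192.168.0.162",
          "2001:8003:6c2c:d100:5d66:ae:5f45:e095",
          "fe80::a1d9:a434:5df6:3ed2"]

def parse_ip(token):
    """Parse an address, dropping a Windows zone id such as %4; None if not an IP."""
    try:
        return ipaddress.ip_address(token.strip().split("%")[0])
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Collect the labelled DNS server line and the bare continuation lines under it."""
    servers, in_block = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        ip = parse_ip(m.group(1) if m else line) if (m or in_block) else None
        in_block = ip is not None   # the list ends at the first non-address line
        if ip is not None:
            servers.append(ip)
    return servers

def bypass_resolvers(ipconfig_text, pihole_addrs):
    """Return configured resolvers that are not the Pi-hole, in order, without repeats."""
    allowed = {ipaddress.ip_address(a) for a in pihole_addrs}
    seen, bypass = set(), []
    for ip in dns_servers(ipconfig_text):
        if ip not in allowed and ip not in seen:
            bypass.append(str(ip))
        seen.add(ip)
    return bypass

if __name__ == "__main__":
    for addr in bypass_resolvers(IPCONFIG, PIHOLE):
        print("client can resolve around Pi-hole via", addr)
```

An empty result means every resolver the client learned is the Pi-hole; any entry is a path on which blocked domains still resolve.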