Your post in "Secondary DNS Server for DHCP"

Is there an IPv6 version of the dhcp-option command? I took your advice and created a 99-second-DNS.conf file and edited it to include "dhcp-option=option:dns-server,,", but I also want to do the same thing for my pi-hole's IPv6 address.

DHCP is not concerned with IPv6 at all. IPv6 is designed as a self-configuring protocol and exists entirely separated from IPv4 (and its configuration method "DHCP"). There is a thing like "DHCPv6" but it is a rather dirty addition to IPv6 (which has been designed to not need central management) and there aren't many devices supporting it.

Thanks for the informative reply; I'm trying to troubleshoot my OpenWrt router supplying an IPv6 DNS entry it shouldn't be supplying and thought that maybe forcing my pi-hole to supply its IPv6 address twice would work around the issue. If you know another way of doing that, I'd like to try it. Otherwise, I'll focus more on fixing the problem from OpenWrt's end.

You could listen for RA (router advertisement) packets on your network. Run

sudo tcpdump -vvvv -ttt icmp6 and 'ip6[40] = 134'

(preferably from another device than the Pi-hole) and it should show you which device sent what.

You can check the captured data for the address you are looking for. Note that RAs may not be sent often and it is possible that you have to capture maybe even (up to) hours before every possible device in your network has sent at least one packet.


Look out for

rdnss option (25) ...

in the output of the command above.
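What the capture filter and the rdnss line correspond to on the wire, as an added example that is not part of the original posts: a small parser for the RDNSS option (type 25, RFC 8106) in a Router Advertisement. The function names, the constructed sample packet, and the addresses fe80::1 and fd00::53 are assumptions made for illustration; the checksum is left at 0 and not verified.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERT, OPT_RDNSS = 58, 134, 25

def rdnss_from_ra(pkt: bytes):
    """Return (sender, [(lifetime, [dns, ...]), ...]) for an RA, else None.

    pkt starts at the IPv6 header, so pkt[40] is the byte the tcpdump
    filter 'ip6[40] = 134' tests (ICMPv6 type, no extension headers).
    """
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    if pkt[40] != ROUTER_ADVERT:
        return None
    sender = str(ipaddress.IPv6Address(pkt[8:24]))
    found, off = [], 56            # 40 (IPv6 header) + 16 (fixed RA fields)
    while off + 2 <= len(pkt):
        opt_type, units = pkt[off], pkt[off + 1]
        size = units * 8           # option length is counted in 8-byte units
        if units == 0 or off + size > len(pkt):
            break                  # malformed or truncated option: stop
        if opt_type == OPT_RDNSS and units >= 3 and units % 2 == 1:
            lifetime = struct.unpack_from("!I", pkt, off + 4)[0]
            body = pkt[off + 8:off + size]
            servers = [str(ipaddress.IPv6Address(body[i:i + 16]))
                       for i in range(0, len(body), 16)]
            found.append((lifetime, servers))
        off += size
    return sender, found

def build_sample_ra():
    """Constructed RA: fe80::1 advertises fd00::53 as DNS for 1800 s."""
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed   # all-nodes multicast
    ra = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex("020000000001")  # option 1, 8 bytes
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800)
    rdnss += ipaddress.IPv6Address("fd00::53").packed
    payload = ra + slla + rdnss
    header = struct.pack("!IHBB", 6 << 28, len(payload), ICMPV6, 255)
    return header + src + dst + payload

if __name__ == "__main__":
    print(rdnss_from_ra(build_sample_ra()))
```

The sender field is the link-local source address of the advertisement, which is what identifies the device handing out the DNS server.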

Thanks for the tip. I ran the command overnight on my pi-hole (it's the only Linux client on my LAN), and none of the entries that appeared had the problematic IP address appear in the rdnss option section. Unfortunately, running

ipconfig /all

on my desktop still includes my router's IPv6 address as the first entry in the list of DNS servers. For what it's worth, I already disabled all the RA options or forwarded them to my pi-hole (that I could find) from OpenWrt's web interface before I listened for IPv6 traffic on the pi-hole.

I seem to recall that tcpdump might pick the best fitting interface for recording. If you run it on the Pi-hole, it may be worth trying again explicitly stating that you want to listen on all possible interfaces (sorry for not including this already above). Try:

sudo tcpdump -i any -vvvv -ttt icmp6 and 'ip6[40] = 134'

Is this still true after a reset of the network connection? I'm not sure how you'd do this with Windows, but pulling the cable for a few seconds should do the trick.

I'll give your new command a try for a few hours, but I don't think the results should be any different since eth0 should be the only interface the pi-hole is using. I made a companion thread on OpenWrt's forums to troubleshoot this issue, and at this point I think both my router and my pi-hole are configured correctly and are working as expected, but Windows is still being stubborn in displaying DNS server entries that aren't current/correct/in use.

Here's the OpenWrt thread in case you want to take a look to better understand the symptoms I'm seeing, or maybe gain more familiarity with my network's topology: Unable to disable IPv6 DNS completely - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum

It also occurred to me that DHCP settings might not have any effect on my desktop since my desktop's LAN IP is statically assigned in the pi-hole outside of the pi-hole's DHCP range. My pi-hole might also experience similar issues since I also statically assigned the pi-hole an IP for itself in its web interface.

I think I gained some ground, my desktop's ipconfig /all is now displaying only 3 IPv6 DNS addresses, two of which are ULA addresses that route to my pi-hole, and one of which used to be my pi-hole's statically assigned IPv6 address that now throws a general failure error when I attempt to ping it.

The first pi-hole ULA address is defined in /etc/pihole/setupVars.conf and appears in the pi-hole's web interface as the Pi-hole IPv6 address. The second pi-hole ULA address uses a different prefix for some reason, but my clients are able to communicate with the pi-hole using it. The third address is a stale entry for a previously routable IPv6 address that I used for my pi-hole when my ISP issued me an IPv6 address, but I don't have an IPv6 WAN address currently.

Do I need to do anything on the pi-hole to remove or statically assign the second ULA address, and is there a way for me to remove the stale IPv6 address for the pi-hole?

What does

ip a

show on your Pi-hole?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:cd:ef:32 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fecd:ef32/64 scope link
       valid_lft forever preferred_lft forever

I gave up on running a dual-stack LAN for now. My pi-hole is using DietPi for its distro, and as far as I can tell DietPi doesn't support persistent static IPv6 address assignments. I could probably give my pi-hole a persistent ULA if I configured my router to be my DHCP server instead of my pi-hole and fed my raspberry pi an IPv6 address via SLAAC, but I don't think it's worth the trouble of restructuring my entire LAN while my ISP isn't provisioning me with an IPv6 address anyway.

Just to clarify this point: Like on every Debian or Raspbian, you can easily assign static IPv6 network details on DietPi. dietpi-config network setup has no option for it, as SLAAC works in the vast majority of cases and it has hence nearly never been requested, but you can create your own /etc/network/interfaces or, better, e.g. /etc/network/interfaces.d/ipv6.conf (any filename works) to configure static IPv6 details or DHCPv6 or SLAAC explicitly for any network adapter.

The underlying default network config is done via ifupdown and its configuration file(s) /etc/network/interfaces(.d/), default on Debian and present+initialised on Raspbian as well. And of course any other network stack can be installed and configured.

On the matter of whether it is worth it, especially when your ISP is not providing a static IPv6 address and/or you don't want to reach each network device directly without NAT from WAN, I don't see a need to bother with IPv6 in the LAN. SLAAC usually works fine to allow every device doing IPv6 requests to WAN and Pi-hole can resolve hostnames to IPv6 addresses while being contacted via IPv4: The DNS connection protocol version has nothing to do with the resolved IP protocol version, but I think this has been stated above already.

It won't.

Also, no amount of IP address configuration on the Pi-hole itself is going to affect your router's configuration.

If you cannot find a way to stop your router from advertising its IPv6 address as DNS server (either by disabling it or by configuring it to advertise Pi-hole's IPv6 instead, or by disabling IPv6 altogether), then your clients will have the ability to bypass Pi-hole via IPv6 - provided your network has IPv6 connectivity.

Since it seems it doesn't, I wouldn't bother about making clients IPv6 aware and stick with IPv4 only.


The scope of my questions/problems has kind of changed since I originally asked DL6ER about configuring my pi-hole to spit out IPv6 addresses. At this point I've determined that my router's configuration is working as expected (my router is not supplying DNS nor DHCP currently), and my extra DNS server entries were from when I was reconfiguring my network and alternating which devices were acting as my LAN's DHCP server.

Currently, my pi-hole is acting as my DNS and DHCP server for my LAN, and the devices on my LAN are only using IPv4 addresses handed out by my pi-hole since my ISP's WAN address is currently a v4 address. I don't think there's any problem with my current configuration, but it would probably be better if my pi-hole had an IPv6 ULA that it advertised as a DNS server address so that if my ISP gave me an IPv6 address again in the future I wouldn't have to worry about my pi-hole's efficacy being decreased due to a stale/invalid IPv6 configuration.

Whatever works is obviously a good solution for you. :wink:

Just note that the critical line from my advice is this:

It doesn't matter if Pi-hole would be configured to advertise its own IPv6 address as DNS server or not. As long as your router would continue to do the same with an alternate IPv6 address, your IPv6 clients will pick that up along with any other advertised DNS servers and then choose from all available options as they see fit.

Thanks for the tip. I created the config file you suggested at /etc/network/interfaces.d/ipv6.conf and successfully assigned my pi-hole a static IPv6 ULA. I'm going to mark your post as the solution since it was the last piece I needed to configure my dual stack LAN correctly, but everyone in this thread was very helpful in troubleshooting my network and teaching me about IPv6.
