IPv6 and Pi-Hole DNS Question
-
Hello,
I have IPv6 through a PD from my ISP, works great. I also have a Pi-Hole setup with a reserved IPv6 address. It also works great. The one thing I cannot get working right now is getting pfSense to query the Pi-Hole box for IPv6 queries without putting in its full IPv6 address. Not a problem right now, but it could be an issue at some point in the future because I may not always get the /56 PD from my ISP. My DHCPv6 reservation is the DUID and the IPv6 address is "::8722:a80f:d78d:17". Do I just need to enter that in the DNS server address for it to work? So far it doesn't seem to be.
-
@shaunmccloud said in IPv6 and Pi-Hole DNS Question:
without putting in its full IPv6 address
Why would you think you don't need to put in a full IP address? If I want to query 8.8.8.8 for DNS, I can't just use 8.8.
You want to query prefix:8722:a80f:d78d:17? Why would you think pfSense should autofill in a prefix of some IP... What if it's not on the same network?
-
@shaunmccloud
Yeah, the ISP's delegated prefix can change - it's a pain sometimes. Instead, I use DHCPv6 to allocate ULAs (which don't depend on the ISP's delegated prefix). If you're interested, here's what I did for my PiHole.

Using the DHCPv6 server, set up a ULA prefix delegation for your LAN, say fd01:2345:ef01:2345::/64 (use the same prefix in both the 'from' and the 'to' boxes). Then under Firewall, give the LAN port a VIP (virtual IP) alias of fd01:2345:ef01:2345::1/64. (You may need to reboot to get these to stick.) Then see what ULA your Pi uses (SSH in and enter 'ifconfig' - you'll see an address that starts with that fd01... prefix). Enter that full address as the static v6 address in the Pi's /etc/dhcpcd.conf, and also enter it as the DNS server address in pfSense's DHCPv6 server (provided to clients). It also can't hurt to run 'pihole -r' on your Pi, and go through the setup again to make sure it spots the ULA as your IPv6 static address.
If you have more than one LAN port (OPT1, OPT2, etc.), you'll want to set them up with ULAs of their own (including their own VIPs). And if you have multiple ports, in the PiHole's DNS settings tab, tell it to respond only to the physical interface (ethernet or wifi) that you use on the Pi. (If you tell it to only allow local requests, it won't respond to client requests from a different port on the router.) There is a patch for 2.7.2 to make ULA routing work between multiple LAN ports - see https://forum.netgate.com/topic/184867/ula-routing-broke-after-2-7-2-update/29 (This patch is also scheduled to be included in 2.8.) Also note, when you do a pihole -r, it will reset PiHole to respond only to local requests, so you'll want to check that setting if your router has multiple LAN ports.
Then on your clients, check that the Pi's ULA is being picked up as the IPv6 DNS server (e.g., "ipconfig /all" in Windows). And try pinging it ("ping -6 fd01..." in Windows) to make sure you've got connectivity. My clients send their DNS queries directly to my PiHole, and I point my PiHole directly at Quad9, and I have never had an issue.
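As an added worked example (not part of the reply above, and not pfSense or Pi-hole code), here is a small Python check of the ULA approach: it parses the Pi's `ip -6 addr` output, picks the RFC 4193 ULA (fc00::/7) rather than the ISP-dependent global address, emits the matching `static ip6_address=` line for /etc/dhcpcd.conf, and verifies that the DNS server address handed out by pfSense's DHCPv6 is that ULA. The interface output and the 2001:db8:... prefix are constructed sample data; the fd01:2345:ef01:2345:: prefix is the one used in the reply.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show eth0` on the Pi (not real output).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:8722:a80f:d78d:17/64 scope global dynamic mngtmpaddr
       valid_lft 86195sec preferred_lft 14195sec
    inet6 fd01:2345:ef01:2345:8722:a80f:d78d:17/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::8722:a80f:d78d:17/64 scope link
       valid_lft forever preferred_lft forever
"""

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")    # RFC 4193 unique local addresses
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

def parse_inet6(text):
    """Return every inet6 address/prefixlen found in `ip -6 addr` output."""
    return [ipaddress.IPv6Interface(m) for m in re.findall(r"inet6 (\S+)", text)]

def classify(iface):
    """'link-local', 'ula', or 'global' (the ISP-delegated, prefix-dependent kind)."""
    if iface.ip in LINK_LOCAL:
        return "link-local"
    if iface.ip in ULA_RANGE:
        return "ula"
    return "global"

def pick_ula(ifaces):
    """The address to pin in dhcpcd.conf: the one ULA, which survives PD changes."""
    ulas = [i for i in ifaces if classify(i) == "ula"]
    if len(ulas) != 1:
        raise ValueError(f"expected exactly one ULA on the interface, found {len(ulas)}")
    return ulas[0]

def dhcpcd_static_line(iface):
    """dhcpcd.conf syntax for a static IPv6 address on the Pi."""
    return f"static ip6_address={iface.with_prefixlen}"

def check_dns_server(dns_server, ifaces):
    """(ok, reason): the DNS address pfSense hands out must be a ULA configured on the Pi."""
    dns = ipaddress.IPv6Address(dns_server)
    if dns not in ULA_RANGE:
        return False, "DNS server is not a ULA; it will break when the delegated prefix changes"
    if dns not in {i.ip for i in ifaces}:
        return False, "DNS server address is not configured on the Pi"
    return True, "ok"
```

Run it against the real `ip -6 addr show eth0` output on the Pi and the DNS server value from pfSense's DHCPv6 page to confirm both sides agree on the ULA.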