DNS Block and Redirect for IPv6

johnpoz

@aGeekhere - my point is that statement about the depending on the client - a sane client will validate the cert given back. If its not valid it won't work. One of the major points of both doh and dot is validation that your talking to who you think you are talking to - a dot client that doesn't validate the cert is utter shit.. what would use a shit client that doesn't validate the cert?

If you are getting a reject - points to unbound ACL not allowing the query.

Forget the dot redirect for a moment - and do a simple dig or nslookup query to pfsense IPv6, and then to some other IPv6 - do you get an answer when direct to ipv6 IP of pfsense, and then a reject on the redirect?

Gertjan

@aGeekhere said in DNS Block and Redirect for IPv6:

did i make an error or is it a bug?

I've tried to do the same thing as you : NAT IPv6 DNS traffic to "::1".
Guess what : for the usual reasons I could't make it work neither.
Reading this wasn't motivating :

Anyway.

On my LAN, I added a IPv6 DNS NAT, NOT using "::1" , but the pfSense LAN IPv6.

which produced this LAN firewall rule :

Take note of the second rule that blocks all DNS IPv6 traffic.

Test on the console/ssh :

[25.07-RC][root@pfSense.brit-hotel-fumel.net]/root: dig @2001:4860:4860::8888 test-domaine.fr AAAA +short
2001:41d0:2:927b::15

( means : I ask Google's IPv6 DNS, 2001:4860:4860::8888 to resolve test-domaine.fr for AAAA )
That worked out.

Now, from my PC :

C:\Users\Gauche>nslookup
Serveur par defaut :   pfSense.bhf.tld
Address:  2a01:cb19:abcd:a6e2:92ec:77ff:fe29:392c
> server 2001:4860:4860::8888
Serveur par defaut :   dns.google
Address:  2001:4860:4860::8888

> test-domaine.fr
Serveur :   dns.google
Address:  2001:4860:4860::8888

Réponse ne faisant pas autorité :
Nom :    test-domaine.fr
Addresses:  2001:41d0:2:927b::15
          5.196.43.182

I asked nslookup to use "2001:4860:4860::8888" as the DNS server which is Google IPv6 DNS (the modern 8.8.8.8).

So .. I'm not sure. Redirecting to ::1 didn't worked.
When I redirect to the pfSense IPv6 LAN IP ( 2a01:cb19:abcd:a6e2:92ec:77ff:fe29:392c ), it worked.
So, we can't redirect to ::1 ?
Ok, so be it.

aGeekhere

@johnpoz Here is some output

Both block 1 and 2 which is ipv4 seems to be working correctly as per the doc

Block 3 and 4 which is ipv6 does not look correct

Unless i have not understood the doc or missed something.

Update:
@Gertjan Ah so you were able to recreate the issue, could this be a bug?

Gertjan

@aGeekhere said in DNS Block and Redirect for IPv6:

Ah so you were able to recreate the issue, could this be a bug?

Maybe, maybe not .. not sure. read above, as I got it working by not using ::1.

@johnpoz I wasn't even trying to use 853 is DNS over TLS, as I can't map out that rabbit hole right now ......
Just good old plain port 53 DNS UDP and TCP.

aGeekhere

@Gertjan Because if you read here https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

It uses 127.0.0.1 as the ipv4 loopback address so i would have though that for ipv6 you would use ::1 as the loop back address. If ::1 does not work what can be used for a loop back address for ipv6?

Gertjan

@aGeekhere said in DNS Block and Redirect for IPv6:

what can be used

See above :

@Gertjan said in DNS Block and Redirect for IPv6:

When I redirect to the pfSense IPv6 LAN IP ( 2a01:cb19:abcd:a6e2:92ec:77ff:fe29:392c ), it worked.

aGeekhere

@Gertjan Ok going to try switching it from ::1 to pfsense LAN ipv6 address. Will report back with results.

Update: More testing is needed but i think that worked.

johnpoz

@aGeekhere might be related to having to be the same scope

Gertjan

@johnpoz

That's the same image / conclusion I posted above ^^

But I'm not using link-local "fe80" stuff.
I can see the IPv6 DNS port 53 traffic using packet capturing.
It's the IPv6 GUA = the ddevice's LAN IPv6 being used.

Anyway, redirecting to ::1 is not what worked before like using 127.0.0.1. ...

Maybe I'll use AI for this one

johnpoz

@Gertjan oh I missed that - my bad.