DHCP6 & Dynamic WAN IPv6 RA Blocks; Keeping Track of Internal DNS Servers
-
I'm trying to figure out the best way to keep track of my internal Active Directory DNS servers when my WAN is subject to IPv6 PD block changes. Comcast issues me a /64 prefix delegation, which I've sub-delegated to the networks I need to assign IPv6 blocks to. The easy part with pfSense DHCP6 is issuing "static" suffixes to UUIDs - so I at least know which domain controller is requesting a DHCP6 address.
However the hard part is keeping track of the PD itself when setting DHCP6 DNS servers in the per-interface scope configuration. The goal is if I already know my DCs are going to retain ::2001 and ::2002 suffixes, then for whatever PD is assigned to that network, the complete IPv6 address should look like 0000:1111:2222:3333::2001.
Unfortunately, in DHCP6 DNS scope options, I can't use ::2001 as the shorthand for "whatever the PD in this network is, append ::2001 to it". DHCP6 will send "::2001" as the DNS server, and not the complete PD prefix + suffix. I have to hard-set the full IPv6 address. That only works until the PD changes.
I thought about leaving DHCP6 DNS scope options blank and letting pfSense use DNS Forwarders. However, those can only be hard-set IPs. Aliases aren't an option in System -> General Setup.
What's the best practice here? The best I know I can do is to run a script on one of my DCs every day or so to detect if its partner DC is no longer pingable at its IPv6 DNS address, then throw me an email to update pfSense's DHCP6. It's... really inefficient.
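As an added example (not from the thread): the prefix + suffix recombination the poster wants DHCPv6 to do, written in Python with the standard ipaddress module, so a script can regenerate the full DNS server addresses whenever the delegated prefix changes. The prefixes are constructed documentation-range values; the ::2001 and ::2002 suffixes are the ones from the post.

```python
"""Compose full IPv6 addresses from the current delegated prefix and fixed suffixes.

Added example, not from the thread. Keeps the interface-ID suffixes constant
and recombines them with whatever /64 is currently delegated, so the DHCPv6
DNS server list can be regenerated instead of hand-edited after a PD change.
"""
import ipaddress

# Suffixes the DCs keep via static DHCPv6 leases (from the post).
DC_SUFFIXES = ["::2001", "::2002"]


def compose_address(prefix: str, suffix: str) -> ipaddress.IPv6Address:
    """Return prefix + suffix, e.g. 2001:db8:1:2::/64 + ::2001 -> 2001:db8:1:2::2001.

    Raises ValueError if the suffix would overlap the prefix's network bits.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    iid = int(ipaddress.IPv6Address(suffix))
    host_bits = 128 - net.prefixlen
    if iid >> host_bits:
        raise ValueError(f"suffix {suffix} does not fit in {host_bits} host bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def dns_servers_for(prefix: str, suffixes=DC_SUFFIXES):
    """Full DNS server addresses for one interface's currently delegated prefix."""
    return [str(compose_address(prefix, s)) for s in suffixes]


def prefix_changed(old_prefix: str, new_prefix: str) -> bool:
    """True when the delegated prefix differs, i.e. the DHCPv6 DNS scope needs updating."""
    return ipaddress.IPv6Network(old_prefix) != ipaddress.IPv6Network(new_prefix)


if __name__ == "__main__":
    # Constructed sample: the prefix a modem power-cycle replaced, and the new one.
    old, new = "2001:db8:1:2::/64", "2001:db8:9:2::/64"
    if prefix_changed(old, new):
        print("prefix changed; new DHCPv6 DNS servers:", dns_servers_for(new))
```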
-
One of the many, many reasons PD is not a good idea for SERVERS of any sort... it's fine for dynamic clients. But you don't set up servers where their IPs can just change, and not just at a host level; the whole freaking network prefix can change... Just not a viable sort of solution.
Get your own IPv6 prefixes and have them routed to you, or use a HE tunnel where you will have a static /48 to work with. Can your ISP not just assign you a /48 that is yours and routed to you? If you're on a consumer connection, probably not, but I have to assume if you're on a business connection they can statically assign you a larger prefix for your use.
-
@ttmcmurry said in DHCP6 & Dynamic WAN IPv6 RA Blocks; Keeping Track of Internal DNS Servers:
WAN is subject to IPv6 PD block changes.
Do you have "Do not allow PD/Address release" on the WAN tab checked? That should prevent your prefix from changing.
-
That will stop pfSense from sending a release. Doesn't mean it will prevent a change if the ISP changes it because the wind blows tomorrow.
-
@johnpoz said in DHCP6 & Dynamic WAN IPv6 RA Blocks; Keeping Track of Internal DNS Servers:
Doesn't mean it will prevent a change if the ISP changes it because the wind blows tomorrow.
I know it won't do anything about incompetent ISPs. However, IIRC, it's not selected by default. I had to turn it on after it became available.
-
Good point - it sure can't hurt in trying to keep the same prefix. I would think it should really be the default.
-
@johnpoz said in DHCP6 & Dynamic WAN IPv6 RA Blocks; Keeping Track of Internal DNS Servers:
Good point - it sure can't hurt in trying to keep the same prefix. I would think it should really be the default.
My thoughts too. Before it was available, just disconnecting/reconnecting my WAN cable was all it took to get a new prefix.
-
Yes, JKnott, I do have "Do not allow PD/Address release" checked. And you're right, there is no control over what the ISP will actually do. I think the addresses had been the same for about 2 months, but it seems like a power cycle of the modem is what triggered the IP change. pfSense had little control over it.
I'm actually on the phone with Comcast Xfinity now; it's taken 1h22m to get to a supervisor. Seems I've been talking a foreign language to both reps I've talked to so far. How hard is it to get a static /60 - /48 on an account? :) I'm currently finding out. It's not like I'm asking for a static IPv4; I'm not even bothering with that.
...and after the call, Comcast Xfinity confirmed they still don't hand out/sell IPv6 blocks to Residential customers. So it is what it is.
Would it be a fair (acceptable?) compromise to only run DNS lookups over IPv4? It looks like if I reorder my IPv4 DNS servers in System -> General to place my DCs' IPv4 addresses at the top of the list (with no outside interface assigned to them), then remove the RA & DHCPv6 DNS servers, the pfSense DHCPv6 server will assign out its own IPv6 per-interface address as a DNS server and proxy the replies from the servers, in sequence, from Settings -> General. Seems to do away with the need for a DNS forwarder, which also seems to be IPv6-dependent (i.e. only takes IPv6 addresses).