ipv6 disable on Pfsense
-
@lucas1 said in ipv6 disable on Pfsense:
Because IPv6 is not used in our local network and we do not plan to introduce IPv6 yet.
So, what does disabling it get you? As mentioned above, disabling it these days is a mistake as the world is moving to it.
Incidentally, while this has nothing to do with pfSense, if you're running Windows computers, IPv6 may already be in use. Some things won't work without it.
-
Don't enable IPv6 on your inside networks then.
If you don't want any IPv6 at all, do the same thing on your WAN(s).
-
@JKnott said in ipv6 disable on Pfsense:
IPv6 may already be in use. Some things won't work without it.
Sorry but this is just not true...
Because IPv6 is not used in our local network and we do not plan to introduce IPv6 yet.
This is actually the correct way to look at it... Until such time that they are ready to work with and control IPv6 correctly... It should be just turned off..
These days, IPv6 is the main network protocol - and IPv4 is the "tolerated while time lasts" protocol.
Yeah sorry not true... So 25% is the "main" protocol ;)
https://whynoipv6.com/
Out of the top 1000 Alexa sites, only 328 have IPv6 enabled, and 750 of them use nameservers with IPv6 enabled.
Of the total 902708 sites only 20.9% of them have IPv6.
So only 21% of top 1000 sites are IPv6... Doesn't seem like majority protocol to me..
-
@johnpoz said in ipv6 disable on Pfsense:
Sorry but this is just not true...
Microsoft HomeGroup networking requires IPv6. It won't work without it. However, as it relies on link local addresses, pfSense wouldn't be involved. I believe some Microsoft games require IPv6 too, which is why Xbox supports Teredo, for use on networks that don't otherwise have IPv6.
Incidentally, last night I had a senior tech from my ISP at my home, to work on that IPv6 problem I mentioned a while ago. I saw he had Teredo enabled on his computer. I told him to get rid of it, as it can cause confusion when working on IPv6 problems, as he might be expected to do in his job. I also had to explain the difference between GUA and ULA addresses. It's real "fun" having to educate the support people about IPv6. I haven't talked to one yet that knows as much about IPv6 as I do.
They finally isolated the problem to the CMTS I'm connected to. I was trying to tell them that's where the problem was 2 months ago!
-
Yeah the real barrier to IPv6 adoption is stupid ISP shenanigans.
Once people have the epiphany that you deal with the address space in /64 interfaces and not all those "wasted" host addresses things start clicking.
-
@Derelict said in ipv6 disable on Pfsense:
Yeah the real barrier to IPv6 adoption is stupid ISP shenanigans.
Once people have the epiphany that you deal with the address space in /64 interfaces and not all those "wasted" host addresses things start clicking.
I first noticed the problem back around New Year's, when web pages were sluggish to load and my email app would time out trying to send email. I discovered that IPv6 wasn't working, even though I had a prefix. I tried some testing, including pinging Yahoo, with Wireshark running between my modem and firewall. I noticed if I pinged from pfSense, it worked, but not from anything behind it. That smelled like a prefix issue to me. I could see the correct prefix going out, but nothing at all coming back. Further, I made a capture when pfSense was booting up and found this little gem:
Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'
Even though I had demonstrated to tier 2 support that the problem was at the CMTS, the network guys didn't want to work on the problem, because they don't work on problems on customers' networks!!! I got the office of the president involved, and a bit of testing, on 2 occasions, by the senior tech, before they finally opened a ticket on the CMTS problem.
One mistake that senior tech made, when I wasn't here, was he tried pinging the ULA (the cable modem provides both GUA and ULA prefixes) on his computer and claimed everything worked. When he was here on the 2nd visit, I had to explain what he was doing wrong. Even when talking to tier 2 support, I had to explain how the WAN address was not used for routing and more.
What made it more frustrating was I had done some work at 3 of this company's head ends a few months back and I could describe their setup to them and where I thought the problem was, yet those network guys wouldn't budge.
They need a lot more training and I pointed out some key points, in an email I sent.
-
@JKnott said in ipv6 disable on Pfsense:
Microsoft HomeGroup networking requires IPv6. It won't work without it.
You mean the thing that is not even a thing any more and was never actually a thing in the first place... That thing required IPv6 ;)
Only reason it did was MS said it did.. Sure didn't even transfer files from machine A to B via smb over IPv6, etc..
https://www.microsoft.com/en-us/windows/Windows-10-specifications#feature-deprecation
Home Group: HomeGroup is removed starting with the April 2018 Update, but you still have the ability to share printers, files, and folders. When you update to the April 2018 Update from an earlier version of Windows 10, you won’t see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (Settings > Update & Security > Troubleshoot). Any printers, files, and folders you shared using HomeGroup will continue to be shared. Instead of using HomeGroup, you can now share printers, files, and folders by using features that are built into Windows 10:
-
@johnpoz said in ipv6 disable on Pfsense:
You mean the thing that is not even a thing any more and was never actually a thing in the first place... That thing required IPv6 ;)
Yep, that's it and I knew it was deprecated. It used IPv6 link local addresses exclusively. I've never used it though. I run Linux here.
-
And that thing that was never a thing that only worked on the same L2.. That Shit ;) hehehe
I am all for moving to IPv6... But I am with derelict, the real thing that is holding it back is ISP nonsense, not really having a clue how to deploy it.
And I am so all for a user wanting to disable something they are not ready to use.. It's a security problem if it's not managed correctly, it's a management nightmare if you're not ready for it.. It's just more noise on the network if you're not going to correctly set it up and configure it.
It's just another pain/failure point in the network, etc. etc.
So the correct thing to do until such time as you're ready to embrace it and deploy it correctly is turn it freaking OFF.. Just like turn off any other protocol/service you're not actively using..
Billy the user having it on not knowing wtf any of it means doesn't help the world migrate to it.. Now when Billy goes to his ISP and says I have to have it, and you better freaking give me a correctly deployed /48 and it doesn't freaking change every other week. Then maybe we can get some real progress..
The thing driving that is going to be resources that require IPv6... Where is the game that doesn't let you play unless you have IPv6? Why do console games not correctly use IPv6 so we are not having to deal with my Xbox is strict nat, etc. ;)
Where is the streaming service that says hey if you hit on IPv6 its $X cheaper a month or you can get access extra special library of media, etc.
My isp doesn't even have it, why - because their user base doesn't care and sure don't need it.. And those that do want to play/use it can just freaking tunnel it.. I just looked as of "Total Subscribers of 800,100 as of June 30, 2018" So while they are not comcast, they are not some ma pop isp either.
-
@johnpoz said in ipv6 disable on Pfsense:
And I am so all for a user wanting to disable something they are not ready to use.. It's a security problem if it's not managed correctly, it's a management nightmare if you're not ready for it.. It's just more noise on the network if you're not going to correctly set it up and configure it.
What could be a problem is stuff like Teredo, which is on by default, yet most people don't know about it. Turning off IPv6 in pfSense would do nothing about that. As I mentioned above, that senior tech didn't know about it and it was causing him confusion, because he didn't know what he was looking at.
One of the points I made in that email was that Teredo be disabled on the computers techs use.
-
It's quite possible that his box is using Teredo - sure.. I would hope if he is asking about turning it off in pfSense he looked into turning it off in Windows..
Simple enough to do with a single reg entry or GPO, etc.
-
@JKnott said in ipv6 disable on Pfsense:
One of the points I made in that email was that Teredo be disabled on the computers techs use.
Or give the techs "real" computers to use.
-
I started using IPv6 long before my ISP offered it by using a tunnel from HE. It was quite a few years ago. (I'm a big fan of HE. If I could use them as my ISP, I would.) At the time I was using Sophos UTM as my router/firewall. One thing Sophos UTM does very well is provide usage reports. Using the monthly reports, it was easy to see how much of the traffic on my network was IPv4 or IPv6. Often, there were monthly reports where the IPv6 usage was well over 50%. In some cases, well over 75%. It depends on what the usage is.
While it's true that no one "needs" IPv6, many websites and services offer it and if you have it, access will be over IPv6. IPv6 is the preferred protocol for web browsers and for Office 365. Microsoft has invested heavily in IPv6 and it's preferred protocol for many Windows and Windows Server operating system features.
IMO, the more people that use IPv6, the more ISPs will get the message that it's the way to go. I can see no reason whatsoever for anyone to not enable IPv6 if they can. Even if I still had to implement a tunnel, I would do so.
-
Right - but if you're not ready to deal with it it breaks stuff. Best thing to do in that case is, often, to turn it off until you're ready to deal with it.
Using a workstation that thinks it has IPv6 but doesn't is not a good experience.
-
@Derelict said in ipv6 disable on Pfsense:
Right - but if you're not ready to deal with it it breaks stuff. Best thing to do in that case is, often, to turn it off until you're ready to deal with it.
Using a workstation that thinks it has IPv6 but doesn't is not a good experience.
Maybe this is a sweeping generality, but I would hope that anyone who can set up pfsense (or something similar) and set up a tunnel should be able to determine if IPv6 is working properly or not.
Also, I agree that using a computer that thinks it has IPv6, but doesn't, isn't a good experience. I've experienced exactly that, but the other way around. A company I worked for did not "support" IPv6. As far as I know, IPv6 was "disabled" by the IT department using a third party security solution installed on the computer. As long as the computer was on a network that didn't support IPv6, it worked fine. As soon as it was connected to a network that had working IPv6, it got an IPv6 address, and the Office 365 applications (Outlook, Skype, etc.) used it, because that's what they're supposed to do. Of course, since IPv6 on the computer was broken, these applications didn't work properly. Every time they tried to go to the network, the request over IPv6 had to time out, so they basically ground to a halt. The only way this could be "fixed" was by disabling IPv6 in the network adapter. None of this would have happened if IPv6 was just allowed to work out of the box, the way it's supposed to.
-
@bimmerdriver said in ipv6 disable on Pfsense:
started using IPv6 long before my ISP offered it by using a tunnel from HE.
I also used a 6in4 tunnel, but not from HE.
Or give the techs "real" computers to use.
He had one of those rugged Panasonic computers, but it was running Windows. I find Linux is much better for working on networking issues.
-
In the interface properties in pfSense, IPv6 is set to "None".
I repeat,
I am interested in turning off:
1. How to disable IPv6 on pfSense, so that ifconfig does not output an inet6 line?
2. And how to stop the DNS Resolver in Diagnostics\Tables\Table to Display from resolving IPv6 addresses?
For example:
178.18.231.121
178.18.231.122
2a02:26f0:d8:394::356e
2a02:26f0:d8:3a2::356e
How is this most likely done by means of FreeBSD 11?
I did not find how to do it through rc.conf, loader.conf, sysctl, or in other ways.
-
@lucas1 said in ipv6 disable on Pfsense:
1.how to disable ipv6 on PfSense? for ifconfig not to give out a string inet6?
Why do you persist in that, when you have been told multiple times now that it simply isn't necessary?! It doesn't matter if the interface still outputs an inet6 with a fe80 link local address - if the general switch is off OR you didn't configure any IPv6 rules on an interface, all IPv6 traffic is blocked and ignored!
2. And how to stop the DNS Resolver in Diagnostics\Tables\Table to Display from resolving IPv6 addresses?
DNS is supposed to answer your request with what is configured in the DNS zone. If the domain has AAAA entries, those are shown. If your client has no IPv6 capable interface, it won't use them. If you're not sure your clients behave correctly you can also set the advanced option to prefer IPv4 over IPv6 when answering.
Otherwise I don't see the problem - an interface configured without IPv6 doesn't talk over IPv6.
-
Just turn off get dns from dhcp and those go away.. Out of the box pfsense should be resolving anyway - you have zero need for any dns from your isp be it ipv4 or ipv6.
-
A good answer, just a slightly nervous start. -> ?!
Yes, I agree about the DNS resolution in Diagnostics\Tables\Table, and that IPv6 traffic is blocked, and about the option to prefer IPv4. But you yourself wrote: an interface configured without IPv6 doesn't talk over IPv6.
This action (configuring an interface without IPv6) immediately applies and replaces the necessary settings in System\Advanced\Networking.
And in general, why should I not learn how to disable IPv6 in FreeBSD and/or pfSense?
-
@johnpoz said in ipv6 disable on Pfsense:
So only 21% of top 1000 sites are IPv6... Doesn't seem like majority protocol to me..
Ok, very true, if you "isolate" your view to public stats, taken from 'public' routers.
When I wrote "the main network protocol" I was thinking more about all network traffic, thus also what's being used locally, on our LANs - device to device, etc.
Example: when my ISP (Orange, France) starts to deploy 'IPv6', a whopping 30 million users will suddenly be throwing out IPv6 traffic if a point-to-point connection can be made.
-
@Gertjan Additionally, the graph from Google clearly states "among Google users". Not everyone (including border routers, servers, etc.) is a Google user ;) So ~23% from Google is definitely lower than reality.
-
Here is the thing I work in the space... I just came out of discussion with up and coming security/sdwan company... 42 Pops globally, etc.. Asked them about their ipv6 support, if on their roadmap, etc..
Nope ;) Their solution arch stated they kind of waiting to see if anyone actually uses it ;) hehehehe
You guys can all dream about it all you want... I work in the biz... While there might be traffic... It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest.. Yeah when you have a bajillion phones kind of hard to give them IPv4 ;)
But once you move those all to IPv6 - the rest of its going to be slow to come to the plate..
-
@johnpoz said in ipv6 disable on Pfsense:
It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest.. Yeah when you have a bajillion phones kind of hard to give them IPv4 ;)
My cell phone is IPv6 only. It uses 464XLAT to handle IPv4.
BTW, more fun with my Internet connection (same company). I just found out that the guys who are supposed to fix this closed the ticket, because I have my own router/firewall!!! This is after a senior tech came to my home with another modem, in gateway mode, and it failed too! He also went back to the head end and tried 3 other CMTS, in addition to the one I'm connected to. It failed only on mine. Yet these Bozos are once again trying to blame pfSense, after their own senior tech proved otherwise and tier 2 support verified, back in January, that the problem was on the CMTS.
-
@JKnott said in ipv6 disable on Pfsense:
@johnpoz said in ipv6 disable on Pfsense:
It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest.. Yeah when you have a bajillion phones kind of hard to give them IPv4 ;)
My cell phone is IPv6 only. It uses 464XLAT to handle IPv4.
BTW, more fun with my Internet connection (same company). I just found out that the guys who are supposed to fix this closed the ticket, because I have my own router/firewall!!! This is after a senior tech came to my home with another modem, in gateway mode, and it failed too! He also went back to the head end and tried 3 other CMTS, in addition to the one I'm connected to. It failed only on mine. Yet these Bozos are once again trying to blame pfSense, after their own senior tech proved otherwise and tier 2 support verified, back in January, that the problem was on the CMTS.
Some of my colleagues in Germany have an ISP that provides IPv4 over IPv6.
Sorry to hear about your ISP grief. What a PITA. FWIW, Telus has no issues at all with pfSense.
-
@johnpoz said in ipv6 disable on Pfsense:
Here is the thing I work in the space... I just came out of discussion with up and coming security/sdwan company... 42 Pops globally, etc.. Asked them about their ipv6 support, if on their roadmap, etc..
Nope ;) Their solution arch stated they kind of waiting to see if anyone actually uses it ;) hehehehe
You guys can all dream about it all you want... I work in the biz... While there might be traffic... Its not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest.. .Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)
But once you move those all to IPv6 - the rest of its going to be slow to come to the plate..
They are waiting to see if anyone actually uses it? Seriously? If that wasn't a tongue in cheek comment, it's a demonstration of ignorance, not intelligence. Microsoft, as much as everyone likes to bash them, has embraced IPv6 since the Windows 7 era. Unless someone goes out of their way to disable IPv6, every PC running Windows 7 or newer is IPv6 ready out of the box. AFAIK, all new mobile phones support it and have so for several years. Macs support it. Many websites support IPv6, in particular a lot of high usage websites. The only reason IPv6 isn't the overwhelming majority protocol is because ISPs have dragged their asses to support it.
-
@bimmerdriver said in ipv6 disable on Pfsense:
FWIW, Telus has no issues at all with pfSense.
Rogers also works fine with pfSense. The issue is with the CMTS I'm connected to. The people who are responsible for fixing this don't seem to want to as I have my own firewall/router, despite the fact that it also fails in gateway mode, affects a neighbour and even when the senior tech came with his own modem and it also failed. Despite all that and much more, including getting the Office of the President involved, they won't fix it. I even identified the system that failed for them and the senior tech proved it again, when he went to the head end and tested there. Yet they still cancelled the ticket, without making any attempt to fix the problem. Someone is due for some serious disciplinary action.
-
@JKnott Start sending your payments to whatever amounts to your public utilities commission. At least that's how it works here.
Though cable/internet is a little nebulous as to exactly where they fall legislatively and it seems to change depending on wind direction here.
-
@bimmerdriver said in ipv6 disable on Pfsense:
Microsoft, as much as everyone likes to bash them, has embraced IPv6 since the Windows 7
Actually, XP SP3 almost fully supported it. There was some minor thing that didn't work, but it didn't have much effect overall. I know it worked fine for me. My first Android phone, a Google Nexus 1 also supported IPv6 and my current Pixel 2 even has IPv6 tethering, with a full /64 prefix.
-
The option to disable AAAA DNS requests would be nice due to the amount of junk AAAA traffic that is generated otherwise. For example, I have an Icinga service running on a Debian system that looks up clients by DNS name. It issues AAAA lookups for the main domain (which fail because no AAAA record exists) and then appends the default search domain (which also fails). These generate multiple
info: query response was NXDOMAIN ANSWER
and
info: query response was THROWAWAY
log entries. Neither my ISP nor the ISPs at many of the locations being monitored provide IPv6. I could save the DNS servers the wasted bandwidth and my log files the wasted entries if I could just turn off AAAA record resolution.
Along those lines, it is considerate not to hammer DNS providers with queries for things that don't exist.
https://www.theregister.com/2021/02/04/chromium_dns_traffic_drop/
-
@sorenstoutner said in ipv6 disable on Pfsense:
I could just turn off AAAA record resolution.
That should be done on the client.. Which is pretty much impossible even when they don't have IPv6 enabled.. They will still do a query for AAAA, pretty stupid if you ask me..
You can stop unbound from resolving them - but where you should be able to turn it off is the client.
https://forum.netgate.com/topic/151745/bind-filter-aaaa
I thought there was even a newer thread - but that is the first one that came up searching..
There is a no-aaaa.py you can load right in the gui for specific domains, maybe the script could be edited for any AAAA, and I know pfblocker is doing something with AAAA as of recent updates.
If you run bind you can run the no AAAA
edit: Took me a minute to remember it.. But you can use this in the options box in unbound
```
server:
    private-address: ::/0
```
unbound still will try to resolve AAAA, but the client will not get an answer. So not really the best solution.. Best solution is to get your client to stop asking for AAAA when it can not use them ;) Which if you know of a way - happy to hear about it.. Not a fan of that at all - it's just noise..
People think - oh its just a simple query, what could it hurt... Well your link to the chrome nonsense they finally fixed is perfect example of what it can hurt..
Related to noise - I am hoping I finally got my phone to stop constantly asking for stupid lb._dns-sd._udp.blahblah queries.. 100's of them, multiple different iterations.. Was like 2000 some queries a day... I knew it was some app on my phone - but not sure which one.. Turned off all the background refresh on everything that I don't specifically want.. And they stopped ;)
2000 in 24, not big deal.. But it would forward those to unbound.. I never looked but unbound prob trying to resolve them.. Just stupid noise - no need for it... If you want to look for something - sure ask, but if you don't get the answer you want.. Don't keep asking every 30 freaking seconds ;)
-
That should be done on the client.. Which is pretty much impossible even when they don't have ipv6 enabled.. They will still do query for AAAA, pretty stupid if you ask me..
I completely agree. However, it appears that there is no way to do this system-wide on modern Linux.
https://serverfault.com/questions/632665/how-to-disable-aaaa-lookups
The only way to accomplish this is to replace all instances of gethostbyname() with getaddrinfo() in the source code of every single program and then specify the ai_family as AF_INET.
Thanks for the link to the python script. It just seems like this is a lot of work for something where there should be a simple option at the client OS level, and, failing that, there should be a checkbox on the DNS Resolver page to turn it off. For example, if I don't have an IPv6 address on my client, it shouldn't make AAAA queries. And, if I have disabled IPv6 on pfSense, it should also not forward AAAA queries.
-
Preaching to the choir my brother - sing it ;)
Maybe you missed my edit ;) I hate freaking NOISE!! AAAA queries when you have no IPv6 are NOISE.. Just like freaking windows and their hunger to flood your network with SSDP, and LLMNR.. If I want that shit - let me turn it on ;)
The no-aaaa.py will stop unbound from doing the query.. But I have not looked into an edit to do it for all AAAA.. Might be simple - maybe take a look later. The simple way to just stop your client from getting an answer is with the private-address. But that prob won't stop him from asking and asking and asking.. Like freaking energizer bunnies - dude what about the 10k no answer you got, how about backing of your asking for it...
Dude now you got me started ;) hehehehe
edit: Yeah, that's what they should work on, since they got rid of 80 billion queries that were NOISE.. Now how about stopping asking for AAAA when you have no IPv6... I concur unbound shouldn't process them if it has no IPv6 address. Or a simple flag to just turn them off - the filter AAAA in bind does that I believe.
But still doesn't stop all the local noise to local NS when clients keep asking for shit they can not ever use..
-
@johnpoz said in ipv6 disable on Pfsense:
Might be simple - maybe take a look later.
I'll check this weekend. It's probably an easy fix.
https://unix.stackexchange.com/questions/444282/how-to-disable-ip6-lookups-in-unbound
@johnpoz said in ipv6 disable on Pfsense:
about stopping asking for AAAA
If a process on some LAN based client asks the local resolver, unbound, to look up an A, unbound will look up the A. Same thing for MX, or AAAA.
All this over IPv4.
It might be wise (but probably impossible) to instruct the software we use on our devices to stop asking for AAAA. After all, why ask for a AAAA if IPv6 isn't enabled on the device? Or the network doesn't offer IPv6 capabilities?
Unbound is just doing what it's asked to do, amplifying the noise.
edit: what the heck, this might be easy:
I wrote a new no-aaaa-v2.py version, by only pressing the delete key.
This is it:
```python
# no-aaaa-v2.py: unbound python module that answers every AAAA query with an
# empty NOERROR reply instead of resolving it. MODULE_*, RR_TYPE_*, PKT_*,
# RCODE_*, DNSMessage and log_info are injected by unbound's pythonmod at load time.
def init(id, cfg):
    return True

def deinit(id):
    return True

def inform_super(id, qstate, superqstate, qdata):
    return True

def operate(id, event, qstate, qdata):
    if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
        if qstate.qinfo.qtype != RR_TYPE_AAAA:
            # not an AAAA query: hand it on to the next module (the iterator)
            qstate.ext_state[id] = MODULE_WAIT_MODULE
            return True
        # AAAA query: build an answer with no records and return it ourselves
        msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
        if not msg.set_return_msg(qstate):
            qstate.ext_state[id] = MODULE_ERROR
            return True
        qstate.return_msg.rep.security = 2
        qstate.return_rcode = RCODE_NOERROR
        qstate.ext_state[id] = MODULE_FINISHED
        log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True

log_info("pythonmod: no-aaaa-v2.py script loaded")
```
World's smallest py module for unbound.
Copy it here : /var/unbound/no-aaaa-v2.py
Select it under the resolver settings :
And apply the new settings.
Check that your resolver logs are filled with "no-aaaa: blocking AAAA request for ..." lines. My network is IPv6 capable, so hundreds of log lines per minute were shown.
New noise ^^ - to remove all these log lines, remove:
log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
from the script.
Take note:
When you use no-aaaa-v2.py, you can't use the pfBlockerNG-devel py module.
I tested this for 5 minutes or so, and fully confirmed that there are no bugs, as I only removed lines. I didn't add anything. ;)
-
That seems like a great work around, since yeah its impossible to get the clients to stop asking for it.. Stop it before it goes past your local dns..
If this was done everywhere IPv6 is not in use yet, how many more billions of queries could we stop from going to public dns.. Doesn't stop queries to roots, but would stop AAAA noise to all the authoritative NSs for domainX
And would reduce your overall dns traffic out your internet, be it you resolve or forward.
My PC currently has no IPv6, not even a link-local address.. So why the F is it asking for AAAA ;)
There is no point to this.. None.. That is what we should be able to turn off..
To stop this - it wouldn't have to be coded in every application. Just the OS dns client, hey I don't have IPv6 address.. No need to ask the NS for AAAA, so noise reduced.. Even if the application asked for it..
edit: Ok to take this to the next level with your V2 of the no-aaaa.py. How do we allow clients that actually have IPv6 to query for AAAA, but not clients that do not.. Some sort of filtering of which clients can ask, this could be done in a view maybe.. This would be good for me where I do have some clients that do have IPv6, and would want to be able to query AAAA, but then many other devices that have no IPv6 that wouldn't want their AAAA to go upstream..
You can not always be sure that NS would be talked to over IPv6, when you have a dual stack client and it has both an IPv4 and IPv6 NS listed.. A IPv6 client could ask for AAAA that it could use from its IPv4 address. Guess you could allow those clients IPv4, and all queries that come in from IPv6 addresses.
edit2: Some clients do it correctly.. Just looked at like my TV, and my Alexa show - with 100's and 100's of queries from them.. I don't see any AAAA queries.. They don't have IPv6.. So seems they are not asking for AAAA.. Which is how it should be.
My thermostat does seem to ask for some AAAA, but only for some internet/dns check its doing for www.google.com.. But it looks to be done only every 6 hours.. My harmony also with no IPv6 doesn't seem to be asking for AAAA.. Possible the devices that are not asking for AAAA have no support for IPv6, at all.. But pretty sure alexa and roku do support IPv6..
-
@johnpoz said in ipv6 disable on Pfsense:
edit: Ok to take this to the next level with your V2 of the no-aaaa.py. How do we allow clients that actually have IPv6 to query for AAAA, but clients that do not.. Some sort of filtering of which Clients can ask, this could be done in a view maybe..
You want "v3", which should behave very much like the original no_aaaa version.
Instead of a list with domains that should only be accessed using "A" = IPv4, you want an IP list with local devices/networks for which unbound is allowed to do AAAA requests.
I'll have a shot at it.
-
Yeah... This way for example you could list which devices, be they IPv4 or IPv6, can do AAAA queries. You would have to list IPv4 as well as their IPv6, be it global or link-local, since you really can not be sure what source IP the client might use to talk to the NS.. Unless you specifically set a device that has IPv6 to only list IPv6 addresses for its NS..
If you're going to be using IPv6.. Easier to just live with the noise of devices that don't have it asking for AAAA.. But the ability to do such filtering if you wanted to would be pretty slick ;)
-
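Following up on Gertjan's "v3" idea above (an allow list of clients that may still get real AAAA answers), here is an added example of such a module. It is not Gertjan's code, not the original no-aaaa.py, and not part of pfSense or unbound. The allow-list addresses are made up for the example, and the way it reads the querying client's source address (qstate.mesh_info.reply_list.query_reply.addr) is an assumption about unbound's pythonmod API that should be checked against the unbound version you run:

```python
# no-aaaa-v3.py: hypothetical unbound python module (added example for this
# thread, not Gertjan's no-aaaa-v2.py, not shipped with unbound or pfSense).
# Client AAAA queries get an empty NOERROR answer unless the client's source
# address is on the allow list; everything else is passed on to the iterator.
import ipaddress

AAAA = 28  # DNS RR type code for AAAA (same value as unbound's RR_TYPE_AAAA)

# Assumed site-specific allow list. A dual-stack host can reach the resolver
# from either of its addresses, so list its IPv4 and its IPv6 (global or link-local).
AAAA_ALLOWED = [
    ipaddress.ip_network("192.168.1.20/32"),
    ipaddress.ip_network("2001:db8:1::/64"),
    ipaddress.ip_network("fe80::/10"),  # anything querying from link-local has IPv6
]


def client_may_query_aaaa(addr, allowed=AAAA_ALLOWED):
    """True if the client's source address lies inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable source: fail closed, no AAAA for it
    return any(ip in net for net in allowed)


def should_block_aaaa(qtype, src, allowed=AAAA_ALLOWED):
    """Block only AAAA queries from real clients outside the allow list.
    src is None when there is no waiting client, i.e. unbound's own internal
    subqueries; those are left alone so resolution itself is unaffected."""
    return qtype == AAAA and src is not None and not client_may_query_aaaa(src, allowed)


def query_source(qstate):
    """Source address string of the client that asked, or None.
    Assumption: pythonmod exposes the first waiting client reply as
    qstate.mesh_info.reply_list.query_reply.addr."""
    try:
        return qstate.mesh_info.reply_list.query_reply.addr
    except AttributeError:
        return None


def init(id, cfg):
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    # MODULE_EVENT_*, MODULE_*, RR_TYPE_*, RR_CLASS_IN, PKT_*, RCODE_NOERROR and
    # DNSMessage are injected by unbound when it loads the module.
    if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
        if not should_block_aaaa(qstate.qinfo.qtype, query_source(qstate)):
            qstate.ext_state[id] = MODULE_WAIT_MODULE  # hand on to the iterator
            return True
        # Empty NOERROR answer, as v2 hands out. Unlike v2 the question section
        # echoes the AAAA qtype the client sent, so stubs that check the question
        # matches their query accept the reply.
        msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_AAAA, RR_CLASS_IN,
                         PKT_QR | PKT_RA | PKT_AA)
        if not msg.set_return_msg(qstate):
            qstate.ext_state[id] = MODULE_ERROR
            return True
        qstate.return_msg.rep.security = 2  # same security marking v2 uses
        qstate.return_rcode = RCODE_NOERROR
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

Drop it in /var/unbound/ and select it under the resolver settings the same way as v2; as Gertjan notes above, that means it cannot be combined with the pfBlockerNG-devel python module. Queries with no waiting client are deliberately passed through, so unbound's own AAAA lookups for nameservers still happen unless you also set do-ip6: no.
-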
Looking at the logs on my Pi-Hole I see my LG TV and Plex (hosted on a synology NAS) asking for AAAA records. In context both of them do it after they fail to resolve an A record that is blocked. This is intentional behavior to find a way to 'phone home'. I have ipv6 support turned off in the Plex server settings and in the TV settings.
As stated, it would be best if clients without an ipv6 globally routed address would not even ask.
-
@jwj said in ipv6 disable on Pfsense:
my LG TV
Hmmm So I looked in more detail at my TCL TV (roku based).. And even the shit it asks for that is blocked.. Which is quite a bit ;)
I don't see it asking for any AAAA..
Yeah plex asks for it. And so does NAS - but no IPv6 there at all.. Just stupid.. Like asking for chopsticks to drink your beer with..
And if that chrome article about their stupid dns queries shows us anything - the mentality of oh its a just a simple small little thing, couple of bits here, couple of bits there. In the big picture multiplied by millions or billions of devices doing it.. Its not such a little thing any more..
Even locally this can be a problem - stupid windows boxes and their VAST amount of nonsense noise they put out.. Yeah its not a big deal when you have a few of them.. But when you have say 200 of them on the same L2 - it works out to be a lot of freaking noise on the wire.. That serves no purpose!!
-
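Before deciding which clients belong on an AAAA allow list, or whether blanket suppression is acceptable at all, it helps to measure who is actually asking, the way johnpoz and jwj did by eyeballing their logs above. The following is an added example, not code from any poster or from pfSense: it tallies AAAA queries per client out of unbound's log-queries output and lists the addresses that ask for AAAA but were never seen talking to the resolver over IPv6. The embedded log lines are constructed to the shape unbound uses for log-queries ("info: <client> <qname> <qtype> <qclass>"); the log file path is an assumption:

```python
# Added example for this thread (not from any poster, not part of pfSense):
# per-client AAAA tally from unbound "log-queries: yes" output.
import re
import sys
import ipaddress
from collections import defaultdict

# Constructed sample, not captured from a real box. Line 1 is an unrelated
# info message and the last line is a log-replies line; both must be skipped.
SAMPLE_LOG = """\
[1612345678] unbound[21440:0] info: start of service (unbound 1.13.1).
[1612345678] unbound[21440:0] info: 192.168.1.20 www.example.com. A IN
[1612345678] unbound[21440:0] info: 192.168.1.20 www.example.com. AAAA IN
[1612345679] unbound[21440:0] info: 192.168.1.20 time.example.net. AAAA IN
[1612345680] unbound[21440:0] info: 192.168.1.31 tv.example.org. A IN
[1612345681] unbound[21440:0] info: 192.168.1.31 tv.example.org. A IN
[1612345682] unbound[21440:0] info: 2001:db8:1::50 mail.example.com. AAAA IN
[1612345683] unbound[21440:0] info: 192.168.1.50 mail.example.com. A IN
[1612345684] unbound[21440:1] info: 192.168.1.20 api.example.com. AAAA IN
[1612345684] unbound[21440:1] info: 192.168.1.20 api.example.com. AAAA IN NOERROR 0.012 0 55
"""

# A query line ends right after the class; reply lines carry rcode/timing after it.
QUERY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>IN|CH|HS)$"
)


def parse_queries(text):
    """Yield (client, qname, qtype) for every query line; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["qname"], m["qtype"]


def _is_v6(addr):
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def aaaa_report(text):
    """Per client address: total queries, AAAA queries, and whether that address is IPv6."""
    stats = defaultdict(lambda: {"total": 0, "aaaa": 0, "seen_v6": False})
    for client, _qname, qtype in parse_queries(text):
        s = stats[client]
        s["total"] += 1
        if qtype == "AAAA":
            s["aaaa"] += 1
        if _is_v6(client):
            s["seen_v6"] = True
    return dict(stats)


def v4_only_aaaa_askers(text):
    """Addresses that asked for AAAA but only ever reached the resolver over IPv4.
    These are the suppression candidates. A dual-stack host that happens to use
    its IPv4 resolver address lands here too, so check the device before blocking."""
    return sorted(c for c, s in aaaa_report(text).items() if s["aaaa"] and not s["seen_v6"])


if __name__ == "__main__":
    # Assumed usage: python3 aaaa_report.py /var/log/resolver.log
    # (a syslog prefix in front of "info:" does not matter, the regex searches).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for client, s in sorted(aaaa_report(text).items()):
        print(f"{client:40} total={s['total']:5} aaaa={s['aaaa']:5} seen_v6={s['seen_v6']}")
    print("AAAA askers never seen over IPv6:", ", ".join(v4_only_aaaa_askers(text)))
```

Because the tally is keyed by source address, a dual-stack host shows up twice (once per address) and only its IPv6 entry is marked seen_v6; that is exactly the ambiguity johnpoz raises above, and the reason the list is a starting point for a manual check rather than something to feed straight into a block list.
-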
Have you also tried custom options in unbound.conf for the DNS responses? I have an ISP that only provides IPv4 and I do not want to use an HE tunnel.
"do-ip4: <yes or no>
    Enable or disable whether ip4 queries are answered or issued. Default is yes.
do-ip6: <yes or no>
    Enable or disable whether ip6 queries are answered or issued. Default is yes. If disabled, queries are not answered on IPv6, and queries are not sent on IPv6 to the internet nameservers. With this option you can disable the IPv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it.
prefer-ip4: <yes or no>
    If enabled, prefer IPv4 transport for sending DNS queries to internet nameservers. Default is no. Useful if the IPv6 netblock the server has, the entire /64 of that is not owned by one operator and the reputation of the netblock /64 is an issue, using IPv4 then uses the IPv4 filters that the upstream servers have.
prefer-ip6: <yes or no>
    If enabled, prefer IPv6 transport for sending DNS queries to internet nameservers. Default is no.
do-udp: <yes or no>
    Enable or disable whether UDP queries are answered or issued. Default is yes.
do-tcp: <yes or no>
    Enable or disable whether TCP queries are answered or issued. Default is yes." (nlnetlabs.nl)
Add server: first to be able to add any more lines after it, just like when you enable logging:
"Logging:
server:
    log-queries: yes" (Docs Netgate)
Same thing, it needs server: first.
"dns64-ignore-aaaa: <domain name>
    List domain for which the AAAA records are ignored and the A record is used by DNS64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given" (unbound docs)
So for me, IPv4 preferred and other custom options...
```
server:
    do-ip4: yes
    prefer-ip4: yes
    do-ip6: no
    prefer-ip6: no
    # as posted; dns64-ignore-aaaa only takes effect when the dns64 module is in
    # use, and its value is expected to be a domain name
    dns64-ignore-aaaa: * . *
```
Ref:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns-queries.html
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html