pfsense DNS resolver not registering IPv6 addresses

Peek · Sep 6, 2019, 5:34 AM

IPv6 clients are not registering within the pfsense DNS Resolver.

IPv4 clients though, is registering correctly.

Implementing DHCPv6, clients successfully obtaining IPv6 configuration information, yet is still not being registered in the DNS resolver.

Is the only options to either

1 - Setup a full blown DYNDNS BIND server or
2 - Capture each device's HostName/IPv6 info within the Host Overrides of the DNS Resolver ?

Gertjan · Sep 6, 2019, 6:58 AM

@Peek said in pfsense DNS resolver not registering IPv6 addresses:

Setup a full blown DYNDNS BIND server or

What has DynDNS to do with IPv6 ?
As a resolver, bind and unbound doing the same job. Both are IPv6 'ready'.

This is just a setup question.

@Peek said in pfsense DNS resolver not registering IPv6 addresses:

2 - Capture each device's HostName/IPv6 info within the Host Overrides of the DNS Resolver ?

You checked ?

Normally, my known devices on my networks have Static DHCP IP4 and IPv6 leases.
This way I control the hostname, and unbound doesn't get kicked around when a new lease comes in.

I can ping Ipv6 hostnames just fine on my LAN - pfSense is resolving them.

C:\Users\Réception-Gauche>nslookup
Serveur par dÚfaut : pfsense.brit-hotel-fumel.net
Address: 2001:470:1f13:5c0:2::1

> diskstation2
Serveur :   pfsense.brit-hotel-fumel.net
Address:  2001:470:1f13:5c0:2::1

Nom :    diskstation2.brit-hotel-fumel.net
Addresses:  2001:470:1f13:5c0:2::c2
          192.168.1.33

>

but again, I use

Peek · Sep 9, 2019, 2:16 AM

@Gertjan, the question relates to automatic name resolution of IPv6 addresses. If it is only a setup issue, please do advise where I'm missing the point.

However, am I thus correct that you can only resolve IPv6 addresses if they'd been statically registered ?

If so, that is the issue I wish to circumvent as I have multiple interfaces on the same device of which the device can be contacted on one or the other, depending on the circumstances at the time. (i.e. WiFi or eth0 or eth1)

However, by checking the "Enable registration of DHCP client names in DNS" as seen under Services > DHCPv6 Server & RA > LAN > DHCPv6 Server, a

Dynamic DNS domain
Dynamic DNS server IP (i.e. BIND server) and
Dynamic DNS Domain Key name (authorization as to allow writing the updated records)

has to be specified. Thus the reasoning on querying option 1 : " Setup a full blown DYNDNS BIND server" as to support the dynamic registration of IPV6 addresses leased to interfaces.

Therefore, UNchecking "Enable registration of DHCP client names in DNS" and reverting to "Host Overrides" under Services > DNS Resolver > General Settings does not allow manually specifying more than 1 (ONE) IPv6 address to a particular Hostname.

If it is possible to specify more than one IP address per Host, although quite tedious in managing newly added devices, it would at least allow ongoing management of new devices once setup regardless as to how they'd connect?

Thus querying "option 2 - Capture each device's HostName/IPv6 info within the Host Overrides of the DNS Resolver ?"

Yet neither the DNS Resolver (UNBOUND) nor IPv6 DHCP server on pfsense allow for specifying more than one IPv6 address to a particular host.

... or am I just missing something benign ?

Gertjan · Sep 9, 2019, 7:45 AM

First of all : forget about :
@Peek said in pfsense DNS resolver not registering IPv6 addresses:

"Enable registration of DHCP client names in DNS"

I re checked what I said above, and it seems now that that was pure bllsht.
The "Enable registration of DHCP client names in DNS" is part of the advanced section of Dynamic DNS.

In my /etc/hosts file are all my devices, also those who ave an IPv6 :

........
192.168.2.2	WRT54GL.local WRT54GL
192.168.2.3	WRT54GSV4.local WRT54GSV4
192.168.2.4	WRT54GSv1-0.local WRT54GSv1-0
2001:477:1e13:5b0:2::ca	Bureau2.pfsense-local.net Bureau2
2001:477:1e13:5b0:2::d5	iPhone-5S-Gertjan.pfsense-local.net iPhone-5S-Gertjan
2001:477:1e13:5b0:2::cb	iPhone5SNiki.pfsense-local.net iPhone5SNiki
2001:477:1e13:5b0:2::f0	oli254.pfsense-local.net oli254
2001:477:1e13:5b0:2::cc	EPACKFERPAR22.pfsense-local.net EPACKFERPAR22
2001:477:1e13:5b0:2::c7	Droite.pfsense-local.net Droite
2001:477:1e13:5b0:2::c3	DiskStation.pfsense-local.net DiskStation
2001:477:1e13:5b0:2::c8	PowerEdgeT310.pfsense-local.net PowerEdgeT310
2001:477:1e13:5b0:2::f8	kma98fa5.pfsense-local.net kma98fa5
2001:477:1e13:5b0:2::c6	Gauche.pfsense-local.net Gauche
2001:477:1e13:5b0:2::c9	bureau.pfsense-local.net bureau
2001:477:1e13:5b0:2::c4	Tactile1.pfsense-local.net Tactile1
2001:477:1e13:5b0:2::c5	Tactile2.pfsense-local.net Tactile2
2001:477:1e13:5b0:2::d6	iPhone-7-Gertjan.pfsense-local.net iPhone-7-Gertjan
2001:477:1e13:5b0:2::c2	DiskStation2.pfsense-local.net DiskStation2
10.10.10.1	pfb.pfsense-local.net pfb
192.168.2.1	portal.pfsense-local.net portal

All I did was setting up static "MAC' leases for DHCP and DHCP6.

jimp · Sep 9, 2019, 5:47 PM

DHCPv6 doesn't put hostnames in the leases, so they can't be scraped for resolution like they can from DHCPv4. I can't recall if that's a limit of the ISC DHCP server or the actual DHCPv6 protocol, however.

Static mapping hostnames work fine, though.

Peek · Sep 9, 2019, 10:41 PM

@jimp If static mappings is the only way forward, is static mappings also limited to only 1 address per hostname entry ?

Derelict · Sep 10, 2019, 2:33 AM

What, exactly, are you trying to accomplish?

If you have multiple AAAA records for a specific hostname which one should be returned when queried? All of them? One of them? Round robin?

Generally, when a connection has to be made to an address, there is one AAAA record pointing to a server address on that host. Just like IPv4 there might be one GUA and one ULA for split DNS. Nothing really changes.

If you want reverse lookups then yeah you can have multiple addresses resolve to the same hostname no problem. Not sure you are going to get them all put into DNS that way though.

Keep in mind that only DHCP addresses have a prayer of going into DNS. SLAAC addresses (including the random/privacy addresses clients can use to make connections) will not, unless the client itself does it into dynamic DNS or something.

And if you completely disable SLAAC (Managed interface on pfSense), some clients, notably android, will be unable to connect IPv6 since they do not have a DHCP6 client.

So what exactly is the problem you are trying to solve?

JKnott · Sep 10, 2019, 11:46 AM

@Derelict said in pfsense DNS resolver not registering IPv6 addresses:

If you have multiple AAAA records for a specific hostname which one should be returned when queried? All of them? One of them? Round robin?

The only one you would use is the consistent one. There's no point in using the privacy addresses, as you could have as many as 7 of them and you get a new one every day.

Peek · Sep 10, 2019, 11:00 PM

@Derelict said in pfsense DNS resolver not registering IPv6 addresses:

What, exactly, are you trying to accomplish?

To contact a device by hostname on whatever IPv6 interface is live.

Peek · Sep 11, 2019, 1:55 AM

@JKnott said in pfsense DNS resolver not registering IPv6 addresses:

If you have multiple AAAA records for a specific hostname which one should be returned when queried? All of them? One of them? Round robin?

Only the management address of whatever adapter is connected (or live). Not interested in the private addresses, nor is there any need therefore.

As to clarify, if a device has a Wifi and Ethernet adapter, how to contact the device (via it's hostname) depending on whether it's connected to the WiFi or the cabled LAN via IPv6?

If both WiFi and cabled LAN is active, either address is fine as reach-ability is the main concern.

JKnott · Sep 11, 2019, 1:55 AM

@Peek said in pfsense DNS resolver not registering IPv6 addresses:

As to clarify, if a device has a Wifi and Ethernet adapter, how to contact the device (via it's hostname) depending on whether it's connected to the WiFi or the cabled LAN via IPv6?
If both WiFi and cabled LAN is active, either address is fine as reach-ability is the main concern.

If the device is running Linux, use the WiFi address. If connected via Ethernet, the WiFi address is still reachable. This does not work with Windows. So, with my notebook computer, running Linux, I have the DNS configured to point to my WiFi address, not Ethernet.

Peek · Sep 18, 2019, 1:54 PM

@JKnott unfortunately, in this scenario, it's a case of OR.

It's only the WiFi OR only the ETH connection that is available at a particular point in time.

JKnott · Sep 18, 2019, 2:20 PM

@Peek

Are you running Windows or LInux? If Linux (and probably Mac) the wireless address will be available, even when connected via Ethernet, so long as the WiFi is connected. Here are the addresses on my notebook computer. I used ssh to the Wifi host name, even though connected via Ethernet.

ip add sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether f0f1:8c:dc:99 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.42/24 brd 172.16.0.255 scope global noprefixroute dynamic eth0
valid_lft 7109sec preferred_lft 7109sec
inet6 2607:fea8:abcdfce1:bab3:d72b:5b44/64 scope global temporary dynamic
valid_lft 86395sec preferred_lft 14395sec
inet6 2607:fea8abcd:1234:8c2a:acb8:36ef:2f50/64 scope global mngtmpaddr noprefixroute dynamic
valid_lft 86395sec preferred_lft 14395sec
inet6 fd48:1a37:2160:0:fce1:bab3:d72b:5b44/64 scope global temporary dynamic
valid_lft 86395sec preferred_lft 14395sec
inet6 fd48:1a37:2160:0:a618:10a9:f627:3809/64 scope global mngtmpaddr noprefixroute dynamic
valid_lft 86395sec preferred_lft 14395sec
inet6 fe80::d9ea:e6bf:8fa8:7be2/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 38:59:f9:e0:7d:5d brd ff:ff:ff:ff:ff:ff
inet 172.16.0.40/24 brd 172.16.0.255 scope global noprefixroute dynamic wlan0
valid_lft 7112sec preferred_lft 7112sec
inet6 2607:fea8:abcd3007:aae5:1d5c:a340/64 scope global temporary dynamic
valid_lft 86340sec preferred_lft 14340sec
inet6 2607:fea8:abcd3a59:f9ff:fee0:7d5d/64 scope global mngtmpaddr noprefixroute dynamic
valid_lft 86340sec preferred_lft 14340sec
inet6 fd48:1a37:2160:0:3007:aae5:1d5c:a340/64 scope global temporary dynamic
valid_lft 86340sec preferred_lft 14340sec
inet6 fd48:1a37:2160:0:3a59:f9ff:fee0:7d5d/64 scope global mngtmpaddr noprefixroute dynamic
valid_lft 86340sec preferred_lft 14340sec
inet6 fe80::3a59:f9ff:fee0:7d5d/64 scope link noprefixroute
valid_lft forever preferred_lft forever

As you can see, both interfaces have addresses, though I'm connected via Ethernet.

BTW, public addresses have been changed to protect the guilty.

Peek · Sep 19, 2019, 1:47 AM

@JKnott. Winblows & Linux.

Okay ... so Linux basically "bridges" eth0 with the wifi interface when connected via eth0 by default.

Will try. Thanks.

JKnott · Sep 19, 2019, 1:47 AM

@Peek said in pfsense DNS resolver not registering IPv6 addresses:

@JKnott. Winblows & Linux.

Okay ... so Linux basically "bridges" eth0 with the wifi interface when connected via eth0 by default.

Will try. Thanks.

No, it routes. Linux functions as a router, unless you disable it. I expect the same is true with the FreeBSD under pfSense and Macs. Also, when both interfaces are up, to the same network, it forwards the packets over the interface with the lowest metric. The metric is 100 for Ethernet and 600 for WiFi, so Ethernet gets used.

JKnott · Sep 19, 2019, 2:22 AM

@JKnott

Perhaps routing isn't the best term in this instance. Unlike Windows, Linux leaves both interfaces up, when Ethernet is connected. When an arp request comes in on the Ethernet port, for the WiFi address, Linux still responds, not caring which interface the address is assigned to and replies through the Ethernet port, based on it having the lower metric.

johnpoz · Sep 19, 2019, 2:46 AM

@JKnott said in pfsense DNS resolver not registering IPv6 addresses:

Linux functions as a router, unless you disable it.

Which linux distros are these, out of the box every single linux I have ever setup - unless its a specific "router" distro.
user@uc:~$ cat /proc/sys/net/ipv4/ip_forward
0

When you have 2 interfaces in the same network, yeah the OS should use the interface with the lowest metric to talk to that network.

JKnott · Sep 19, 2019, 2:52 AM

@johnpoz

Sorry, my mistake. I must have been thinking of something else. Regardless, with Linux both interfaces are up and either address can be used as I do frequently.

johnpoz · Sep 19, 2019, 2:55 AM

This is no different than windows.. I can fire up a wifi interface and use it, on the same network my wire is connected too.

JKnott · Sep 19, 2019, 2:56 AM

@johnpoz

On the same network? When I try that, I can't ping the WiFi interface, if Ethernet is connected. I haven't tried different networks. On my home network, I normally use WiFi for my notebook, but on occasion use Ethernet. Eitherway, I use the WiFi host name to connect to it.