SLAAC and AD DNS Servers
-
In pfSense 2.3, is it possible to have it hand out my AD DNS servers via IPv6 while keeping SLAAC addressing and using Track Interface?
Hope this question makes sense, thank you.
-
Windows doesn't use RDNSS, so you could add your AD DNS servers to the RA, but you'll still need to have DHCPv6 going for your Windows clients to pick up IPv6 DNS servers… unless you just want them to use IPv4 addresses for DNS.
But yes, under DHCPv6 Server & RA > Router Advertisements tab, you can specify whatever DNS server(s) you want. If nothing is specified, whatever is configured for pfSense, or pfSense itself (if using DNS Resolver/Forwarder) will be sent instead.
-
Not the answer I wanted but thank you.
-
I should point out that you can use DHCPv6 to ONLY hand out additional information (like DNS servers and search suffix) but NOT hand out IPv6 addresses, so you can keep your SLAAC IP addressing.
Possibly you didn't realise that.
-
Toady, please share the settings required to do this. I've tried a bunch, but I either have a SLAAC-assigned IP and no DNS, or DNS and a DHCPv6-assigned IP. I'm thinking I've missed the setting combination.
From my reading I thought something like that should be possible; I just haven't been able to figure out the proper setup.
Thank you,
-
I've tried this as well, and even with the "Stateless DHCPv6" option (which should use stateless addressing and DHCPv6 for additional info, from what I understand), a couple of my devices still end up with DHCPv6 leases. Please share! :)
-
In my setup I am using RA from pfSense and internal DHCPv6, but I see no reason for this not to work in pfSense.
I'll do a little playing with pfSense and then share what I find.
-
Well that was simple…
Set up your DHCPv6 server with your DNS servers, domain name, search domain details, etc.
Sadly the GUI doesn't allow you to skip the DHCP range, but what you can do is use your subnet address for both the start and end range addresses (2001:470:****:: in my case) so you have a range with NO available IP addresses in it.
Make sure that RA is set to "Assisted" mode (this means SLAAC + DHCPv6 for "additional" information, like DNS etc.).
Hey presto, SLAAC addressing with DHCP provisioned DNS etc.
Let us know how you get on...
As a side note, if you DO add a DHCP range, your clients will get SLAAC + a DHCPv6-assigned IP address; the client SHOULD use the SLAAC temp address in preference to any other address anyway.
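What decides whether a host runs DHCPv6 at all, and whether it forms a SLAAC address, is not the GUI label but three bits in the Router Advertisement: the M and O flags in the RA header and the A flag in the Prefix Information option. The Python below is an added example (not from any post in this thread and not pfSense's or radvd's own code) that builds RAs for each flag combination and decodes them the way you would when checking a capture, including the RDNSS and DNSSL options the thread discusses. The mode names in the code are the example's own, chosen by flag semantics rather than pfSense's menu labels; the prefix, DNS addresses and search domain are constructed from the documentation ranges, and the ICMPv6 checksum is left at zero because nothing is transmitted.

```python
"""Build and decode ICMPv6 Router Advertisements (RFC 4861, RFC 8106).

Example code added to this thread; not part of the original posts or of pfSense.
Addresses and names are constructed from the 2001:db8::/32 documentation range.
The ICMPv6 checksum is left as zero because nothing here is put on the wire.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3    # RFC 4861 section 4.6.2
OPT_RDNSS = 25         # RFC 8106 section 5.1
OPT_DNSSL = 31         # RFC 8106 section 5.2

FLAG_MANAGED = 0x80    # M bit: obtain addresses via DHCPv6
FLAG_OTHER = 0x40      # O bit: obtain other config (DNS, search list) via DHCPv6
PIO_ONLINK = 0x80      # L bit in the Prefix Information option
PIO_AUTONOMOUS = 0x40  # A bit: hosts may form SLAAC addresses from this prefix

# Mode name -> (M, O, A). The names are this example's own, chosen by flag semantics;
# compare them against what your pfSense RA mode actually emits in a capture.
MODES = {
    "slaac_only":        (False, False, True),
    "stateless_dhcpv6":  (False, True,  True),   # SLAAC address + DHCPv6 Information-Request for DNS
    "slaac_plus_dhcpv6": (True,  True,  True),   # host ends up with two global addresses
    "dhcpv6_only":       (True,  True,  False),
}


def _option(opt_type, payload):
    """Wrap payload in an ND option header; the length field is in units of 8 octets."""
    opt = bytes([opt_type, 0]) + payload
    opt += b"\x00" * (-len(opt) % 8)          # ND options are 8-octet aligned
    return bytes([opt_type, len(opt) // 8]) + opt[2:]


def build_ra(mode, prefix, rdnss=(), dnssl=(), lifetime=1800):
    """Return the ICMPv6 body of an RA for the given mode (no IPv6 header)."""
    managed, other, autonomous = MODES[mode]
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = PIO_ONLINK | (PIO_AUTONOMOUS if autonomous else 0)
    msg += _option(OPT_PREFIX_INFO,
                   struct.pack("!BBIII", net.prefixlen, pflags, 86400, 14400, 0)
                   + net.network_address.packed)
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        msg += _option(OPT_RDNSS, struct.pack("!HI", 0, lifetime) + addrs)
    if dnssl:
        names = b""
        for name in dnssl:                    # DNS wire format: length-prefixed labels, 0 terminator
            for label in name.strip(".").split("."):
                names += bytes([len(label)]) + label.encode("ascii")
            names += b"\x00"
        msg += _option(OPT_DNSSL, struct.pack("!HI", 0, lifetime) + names)
    return msg


def _decode_names(data):
    """Decode zero-terminated DNS wire-format names; trailing padding yields nothing."""
    names, labels, pos = [], [], 0
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:                            # end of a name, or padding after the last one
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return names


def parse_ra(msg):
    """Return the M/O flags, prefixes (with their A flag) and DNS options carried by an RA."""
    typ, _code, _csum, _hl, flags, _rl, _reach, _retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(flags & FLAG_MANAGED), "other": bool(flags & FLAG_OTHER),
            "prefixes": [], "rdnss": [], "dnssl": []}
    off = 16
    while off + 2 <= len(msg):
        opt_type, length = msg[off], msg[off + 1]
        if length == 0:                       # RFC 4861 section 4.6: zero length is invalid
            raise ValueError("zero-length ND option")
        body = msg[off + 2: off + length * 8]
        if opt_type == OPT_PREFIX_INFO:
            prefix = ipaddress.IPv6Address(body[14:30])
            info["prefixes"].append((f"{prefix}/{body[0]}", bool(body[1] & PIO_AUTONOMOUS)))
        elif opt_type == OPT_RDNSS:           # 2 reserved + 4 lifetime, then 16-octet addresses
            info["rdnss"] = [str(ipaddress.IPv6Address(body[i:i + 16]))
                             for i in range(6, len(body), 16)]
        elif opt_type == OPT_DNSSL:
            info["dnssl"] = _decode_names(body[6:])
        off += length * 8
    return info


def classify(info):
    """Map decoded flags back onto a MODES name, i.e. how a host will configure itself."""
    slaac = any(autonomous for _, autonomous in info["prefixes"])
    if info["managed"]:
        return "slaac_plus_dhcpv6" if slaac else "dhcpv6_only"
    return "stateless_dhcpv6" if info["other"] else "slaac_only"


if __name__ == "__main__":
    ra = build_ra("stateless_dhcpv6", "2001:db8:1::/64",
                  rdnss=["2001:db8:1::53"], dnssl=["ad.example.test"])
    print(classify(parse_ra(ra)), parse_ra(ra))
```

To check what your own pfSense sends rather than what the mode name suggests, capture an RA on the LAN interface (for example `tcpdump -vvv -i em1 'icmp6 and ip6[40] == 134'`, with `em1` standing in for your interface) and read the M/O flags and the prefix A flag it prints. A host that holds both a SLAAC and a DHCPv6 address, as reported later in this thread, is acting on M=1 together with A=1; a host that runs only an Information-Request for DNS is acting on M=0, O=1.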
-
I tried setting up with a zero-length range and the machines didn't get the DNS server from DHCPv6. If I entered a range (e.g. :: to :ffff:ffff:ffff:ffff) they get the DNS record but also get the second address assigned via DHCPv6. It has me wondering if the zero range is causing pfSense to not hand out any information (due to no addresses available in the range), or if the zero range is causing Windows (testing using Server 2012 R2) to not get the information?
-
With the zero-length range in place, does ipconfig /all show your IPv6 DNS server listed?
Windows clients do register the reverse DNS for IP addresses assigned by DHCPv6, but do not seem to register SLAAC IPv6 addresses in DNS, so maybe this is the issue you are having.
What I do here is use DHCPv6 (on a dual-stacked FreeBSD box, also running BIND and DHCPv4 too) to hand out a small range of IPv6 addresses; what I find is this:
Windows clients will ONLY register their DNS details with DHCPv6-assigned addresses.
Linux and Apple OS X clients DO NOT register their DNS information.
No amount of tuning on the DHCPv6 server will cause the DHCPv6 server to forcibly register the IPv6 addresses it hands out.
DHCPv4 just works.
DHCPv6 is quite a different beast, since it's designed to work WITH RA, among other things.
-
With the zero-length range, no, they do not get the IPv6 DNS server listed. As soon as I give it a range they get both a SLAAC and a DHCPv6 address, as well as the expected DNS server.
In my live environment all my machines with SLAAC addresses (only running SLAAC in live right now) have registered their IPv6 addresses with the DNS servers (which are presently being accessed via IPv4). It's not registration of the IPv6 address that I'm worried about; I'm just trying to get my DNS servers referenced via IPv6 too (mostly to try and increase my knowledge of IPv6).
-
Looking back over my setup, I have the DNS server defined on the RA config also; maybe that is where mine is coming from.
-
Well, that is strange. I've tried everything I can think of, and the DNS server doesn't get assigned until I give a range greater than 0. When the range is greater than 0 it gets the DNS server perfectly fine and ends up with two IPv6 addresses (one SLAAC and one DHCPv6). Not the end of the world, as I've got one or two of them to go around in my /64 :)
The one interesting thing is that they are both listed as Preferred. I would think that only one of the IPv6 addresses should be preferred.
Thank you,
-
@Com:
When the range is greater than 0 it gets the DNS server perfectly fine and ends up with two IPv6 addresses (one SLAAC and one DHCPv6). Not the end of the world, as I've got one or two of them to go around in my /64 :)
Yup, you probably have enough…. ;D
I ended up with a similar setup; then, after using it for a while, I realized that it's got potential to be good from two perspectives. For hosts that pull traffic (like browsers), it would be nice to randomize the outgoing IP frequently so that it's harder for anyone watching traffic to build a profile of your habits around a single IPv6 address.
On the other hand, if you have lots of devices, you absolutely want to be able to use Dynamic DNS to build a list of hosts and their IPv6 addresses so you can access them by name for various purposes.
-
@Com:
Well, that is strange. I've tried everything I can think of, and the DNS server doesn't get assigned until I give a range greater than 0. When the range is greater than 0 it gets the DNS server perfectly fine and ends up with two IPv6 addresses (one SLAAC and one DHCPv6). Not the end of the world, as I've got one or two of them to go around in my /64 :)
The one interesting thing is that they are both listed as Preferred. I would think that only one of the IPv6 addresses should be preferred.
Thank you,
I blame Microsoft: Windows clients (I don't often use mine) don't collect the DNS servers from the RA packets.
So in the Windows world, if you want to provide DNS over IPv6 then DHCP is for you. The other suggestion I have is to set option 7 to 255 on the DHCPv6 server to make the client prefer to use its SLAAC address rather than the DHCPv6 assignment.