PfSense and DNS over IPv6



  • I have set up pfSense with IPv6 prefix delegation (Comcast) and it works perfectly. I also have a .com domain, which I use inside and outside of the local network. The public DNS provider supports dynamic updates, so some devices on my internal network get public DNS names with IPv6 addresses. The internal DNS server (Bind running on pfSense) provides IPv4 addresses for the same devices on the LAN.

    The question is how to deal properly with DNS over IPv6. If I use provider’s (Google, OpenDNS, etc) servers in DHCPv6 settings, then I will be relying on DDNS updates for the internal hosts in question. I do not particularly like this idea.

    This configuration is especially bad for hosts which do not have records in public DNS, only local IPv4 A-records. Mac OS X Sierra is now an IPv6-first OS. Sierra issues all DNS queries over IPv6. Thus when accessing a host on the local network which does not have a record in public DNS, Sierra tries only IPv6 and returns “host not found” instead of coming back with the IPv4 address on the local subnet.

    A better way would be to push pfSense IPv6 address as an address of a DNS server to the hosts on the local network. In this case all works smoothly and as expected. The issue is what IP address to give? The IPv6 address of the pfSense box is dynamic as Comcast can change the delegated prefix from time to time.

    Has anyone already worked out how to push the dynamic IPv6 address of the pfSense box to the local network over DHCP? Or maybe there is a better solution?



  • Normally, your prefix should not change.  The computers also have a MAC address based address that does not change.  Just configure the DNS server to point to the MAC based addresses.  You do not need a dynamic DNS then.  Do not use the random number based "privacy" addresses.  I use a DNS from Google and it works fine.  Also, it makes no difference whether DNS is accessed via IPv4 or IPv6, the same info is returned.  IPv6 preferred is standard with most (all?) operating systems as that's what the world is moving to.  You can configure pfSense to provide DNS, using either the Resolver or Forwarder and point your local clients to it.  Unless I've missed something, pfSense should be doing that as part of the default config.



  • Thank you for the response, JKnott. I am afraid I was not clear in the description of the problem I am trying to solve. As you say, it is easy and straightforward to configure pfSense to hand out IPv6 addresses allowing the clients to correctly work with IPv6. This is not the issue at hand.

    I am using pfSense to provide DNS on the local network (using the Bind package), so that the hosts have a regular .com name, like any host on the internet. Of course they are not addressable over IPv4 from outside with this name because they are behind NAT, but some of them are over IPv6. I do not want pfSense to be a public DNS server, so I rely on third-party DDNS to handle the public part. Only internal DNS is handled by pfSense. Unfortunately I cannot take the IPv6-all-the-way approach and use a public DNS server to handle the naming, since not all devices perfectly support IPv6 yet.

    > Normally, your prefix should not change.

    Unfortunately Comcast does change the prefix once in a while, I have noticed that when I reboot the cable modem.

    > The computers also have a MAC address based address that does not change.

    I guess you mean the stateless auto-configured IPv6 address. Apparently it is not so with Sierra. It does generate two stateless addresses, “privacy” and normal, and neither of them is based on the MAC address; both change with every restart. pfSense behaves better and does generate a MAC-based stateless IPv6 address, but Bind does not work with it, and using a stateless IPv6 address as a DNS server address really does sound wrong.

    > Also, it makes no difference whether DNS is accessed via IPv4 or IPv6, the same info is returned.

    That’s what I want to achieve with 2 different DNS servers for LAN and WAN. Big organizations in such situations use split-brain DNS and make their DNS servers available to the public. I do not want to expose my pfSense box in that way. Instead I want pfSense to be the DNS server only on the LAN and return regular IPv4 addresses no matter if the DNS request has been initiated over IPv4 or IPv6. For that I need to give the clients on the local network the IPv6 address of the pfSense box, not an external DNS server like Google or OpenDNS.

    I understand that this is one of those questions which touch upon too many components: DNS, DHCP, IPv6 and pfSense packages (Bind). Maybe it belongs to a different forum section, I wonder which? :)



  • > Unfortunately Comcast does change the prefix once in a while, I have noticed that when I reboot the cable modem.

    Perhaps you should call support about that.  pfSense should be providing a DUID, which Comcast is supposed to use to ensure you get the same prefix.

    > Big organization in such situations use split-brain DNS and make their DNS servers available to the public. I do not want to expose my pfSense box in that way. Instead I want pfSense to be DNS server only on LAN and return regular IPv4 addresses no matter if DNS request has been initiated over IPv4 or IPv6. For that I need to give the clients on the local network IPv6 address of the pfSense box, not external DNS server like Google or OpenDNS.

    I do the same.  I have the local IPv4 addresses provided by pfSense.  For some hosts, which are also reachable from outside, such as IMAPS, the local DNS provides the actual local address, but the outside DNS provides my single public IPv4 address.



  • > Perhaps you should call support about that.  pfSense should be providing a DUID, which Comcast is supposed to use to ensure you get the same prefix.

    Thanks! It is good to know what the normal behavior is. I will talk to Comcast about that.

    > I do the same.

    Ha, so you basically have the configuration I am trying to set up working for you, great! So what IPv6 DNS server are you pushing to the clients on your LAN? The stateless IPv6 address of your pfSense box?



  • I'm using the pfSense resolver and a DNS server provided by Google (Enom) for the external server.



  • Thank you, you are probably right. I am overcomplicating things, and the configuration I want can be done just using the resolver, without involving Bind. I have reconfigured my pfSense box to use the resolver and I see that it is pushing the IPv6 address of the box to the client machines with DHCP, exactly what I was trying to do with Bind. I think I'll stick with this configuration for now.

    Thanks again for your help, JKnott!
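For the configuration the thread settles on (the pfSense Resolver, which is Unbound, answering LAN hosts with their local IPv4 addresses no matter whether the query arrives over IPv4 or IPv6, while public DNS keeps the AAAA records), here is an added, hand-written Unbound fragment illustrating what the Resolver's host overrides amount to; it is not taken from the thread or from pfSense's generated config. The domain, LAN subnet, host addresses and the 2001:db8: prefix are constructed placeholders, and the choice of link-local as the advertised server address is an assumption.

```conf
server:
    # Listen on every IPv4 and IPv6 address of the box. That includes the
    # LAN interface's link-local (fe80::) address, which does not change
    # when the ISP hands out a new delegated prefix, so it is a stable
    # address to advertise as the DNS server (assumption, see lead-in).
    interface: 0.0.0.0
    interface: ::0
    do-ip4: yes
    do-ip6: yes

    # Answer LAN clients only; the box is not meant to be a public DNS server.
    # 2001:db8:abcd::/48 stands in for the delegated prefix and
    # 192.168.1.0/24 for the LAN subnet (both constructed).
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow
    access-control: 2001:db8:abcd::/48 allow
    access-control: fe80::/10 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Split-horizon part. With "transparent", a name that has local data is
    # answered from it, and a query for that name but for a type that is
    # not in local data (AAAA for nas, for example) gets an empty NOERROR
    # answer instead of being forwarded. Clients then fall back from AAAA
    # to A and get the LAN IPv4 address over either transport.
    # "typetransparent" would instead forward the AAAA query upstream and
    # hand the client the public IPv6 record from the DDNS provider.
    local-zone: "example.com." transparent
    local-data: "nas.example.com. 3600 IN A 192.168.1.20"
    local-data: "media.example.com. 3600 IN A 192.168.1.21"
    local-data-ptr: "192.168.1.20 nas.example.com"
    local-data-ptr: "192.168.1.21 media.example.com"

# Everything else goes to the public resolver mentioned in the thread.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 2001:4860:4860::8888
```

The access-control rules are matched by most-specific prefix rather than in order, so the two trailing refuse lines are the default for anything not listed above them.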