Netgate Discussion Forum
    PfSense and DNS over IPv6

    • R
      ruthenium
      last edited by

      I have setup pfSense with IPv6 prefix delegation (Comcast) and it works perfectly. I also have a .com domain, which I use inside and outside of the local network. Public DNS provider supports dynamic updates, so some devices on my internal network get public DNS names with IPv6 addresses. Internal DNS server (Bind running on pfSense) provides IPv4 addresses for the same devices on the LAN.

      The question is how to deal properly with DNS over IPv6. If I use provider’s (Google, OpenDNS, etc) servers in DHCPv6 settings, then I will be relying on DDNS updates for the internal hosts in question. I do not particularly like this idea.

      This configuration is especially bad for hosts which do not have records in public DNS, only local IPv4 A-records. Mac OS X Sierra is now an IPv6-first OS. Sierra issues all DNS queries over IPv6. Thus when accessing a host on the local network which does not have a record in public DNS, Sierra tries only IPv6 and returns “host not found” instead of coming back with the IPv4 address on the local subnet.

      A better way would be to push pfSense IPv6 address as an address of a DNS server to the hosts on the local network. In this case all works smoothly and as expected. The issue is what IP address to give? The IPv6 address of the pfSense box is dynamic as Comcast can change the delegated prefix from time to time.

      Has anyone worked out already how to push the dynamic IPv6 address of the pfSense box to the local network over DHCP? Or maybe there is a better solution?

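As an added example (not from this thread or from pfSense), a small Python check for the question above: which resolver addresses a LAN client was handed would still work after Comcast changes the delegated prefix. The prefixes and the resolv.conf contents are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): the /56 Comcast delegated
# before a modem reboot and the different /56 it delegated afterwards.
OLD_PREFIX = ipaddress.ip_network("2001:db8:1234::/56")
NEW_PREFIX = ipaddress.ip_network("2001:db8:5678::/56")
ULA = ipaddress.ip_network("fc00::/7")

# Constructed resolv.conf as a LAN client might receive it from DHCPv6 + DHCPv4.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP
nameserver 2001:db8:1234:1::1
nameserver fe80::1%en0
nameserver 192.168.1.1
"""

def classify_dns_server(addr, delegated_prefix):
    """Classify a DNS-server address by how it reacts to the ISP changing the prefix."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop a zone id such as %en0
    if ip.version == 4:
        return "ipv4"           # unaffected by IPv6 renumbering
    if ip.is_link_local:
        return "link-local"     # fe80::/10: fixed per link, survives renumbering
    if ip in ULA:
        return "ula"            # fc00::/7: locally assigned, survives renumbering
    if ip in delegated_prefix:
        return "delegated-gua"  # goes away together with the old prefix
    return "external"           # public resolver such as Google or OpenDNS

def survives_renumber(addr, old_prefix, new_prefix):
    """True if clients can still reach this resolver after old_prefix -> new_prefix."""
    if classify_dns_server(addr, old_prefix) != "delegated-gua":
        return True
    return ipaddress.ip_address(addr.split("%", 1)[0]) in new_prefix

def audit_resolv_conf(text, old_prefix, new_prefix):
    """Map each nameserver line of a resolv.conf to (class, survives_renumber)."""
    report = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            report[parts[1]] = (classify_dns_server(parts[1], old_prefix),
                                survives_renumber(parts[1], old_prefix, new_prefix))
    return report

if __name__ == "__main__":
    for server, (kind, ok) in audit_resolv_conf(SAMPLE_RESOLV_CONF, OLD_PREFIX, NEW_PREFIX).items():
        print(f"{server:24} {kind:14} {'ok' if ok else 'BREAKS after renumber'}")
```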
      • JKnottJ
        JKnott
        last edited by

        Normally, your prefix should not change.  The computers also have a MAC address based address that does not change.  Just configure the DNS server to point to the MAC based addresses.  You do not need a dynamic DNS then.  Do not use the random number based "privacy" addresses.  I use a DNS from Google and it works fine.  Also, it makes no difference whether DNS is accessed via IPv4 or IPv6, the same info is returned.  IPv6 preferred is standard with most (all?) operating systems as that's what the world is moving to.  You can configure pfSense to provide DNS, using either the Resolver or Forwarder and point your local clients to it.  Unless I've missed something, pfSense should be doing that as part of the default config.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • R
          ruthenium
          last edited by

          Thank you for the response, JKnott. I am afraid I was not clear in the description of the problem I am trying to solve. As you say, it is easy and straightforward to configure pfSense to hand out IPv6 addresses allowing the clients to correctly work with IPv6. This is not the issue at hand.

          I am using pfSense to provide DNS on the local network (using the Bind package), so that they have a regular .com name, like any host on the internet. Of course they are not addressable over IPv4 from outside with this name because they are behind NAT, but some of them are over IPv6. I do not want pfSense to be a public DNS server, so I rely on third-party DDNS to handle the public part. Only internal DNS is handled by pfSense. Unfortunately I cannot take the IPv6-all-the-way approach and use a public DNS server to handle the naming since not all devices perfectly support IPv6 yet.

          > Normally your prefix should change.

          Unfortunately Comcast does change the prefix once in a while, I have noticed that when I reboot the cable modem.

          > The computers also have a MAC address based address that does not change.

          I guess you mean the stateless auto-configured IPv6 address. Apparently it is not so with Sierra. It does generate two stateless addresses, “privacy” and normal, and neither of them is based on the MAC address; both change with every restart. pfSense behaves better and does generate a MAC-based stateless IPv6 address, but Bind does not work with it, and using a stateless IPv6 address as a DNS server address does really sound wrong.

          > Also, it makes no difference whether DNS is accessed via IPv4 or IPv6, the same info is returned.

          That’s what I want to achieve with 2 different DNS servers for LAN and WAN. Big organizations in such situations use split-brain DNS and make their DNS servers available to the public. I do not want to expose my pfSense box in that way. Instead I want pfSense to be a DNS server only on the LAN and return regular IPv4 addresses no matter if the DNS request has been initiated over IPv4 or IPv6. For that I need to give the clients on the local network the IPv6 address of the pfSense box, not an external DNS server like Google or OpenDNS.

          I understand that this is one of these questions which touch upon too many components: DNS, DHCP, IPv6 and pfSense packages (Bind). Maybe it belongs to a different forum section, I wonder which? :)

          • JKnottJ
            JKnott
            last edited by

            > Unfortunately Comcast does change the prefix once in a while, I have noticed that when I reboot the cable modem.

            Perhaps you should call support about that.  pfSense should be providing a DUID, which Comcast is supposed to use to ensure you get the same prefix.

            > Big organization in such situations use split-brain DNS and make their DNS servers available to the public. I do not want to expose my pfSense box in that way. Instead I want pfSense to be DNS server only on LAN and return regular IPv4 addresses no matter if DNS request has been initiated over IPv4 or IPv6. For that I need to give the clients on the local network IPv6 address of the pfSense box, not external DNS server like Google or OpenDNS.

            I do the same.  I have the local IPv4 addresses provided by pfSense.  Some, which are also reachable from outside, such as IMAPS, the local DNS provides the actual local address, but the outside DNS provides my single public IPv4 address.

            • R
              ruthenium
              last edited by

              > Perhaps you should call support about that.  pfSense should be providing a DUID, which Comcast is supposed to use to ensure you get the same prefix.

              Thanks! It is good to know what the normal behavior is. I will talk to Comcast about that.

              > I do the same.

              Ha, so you basically have the configuration I am trying to set up working for you, great! So what IPv6 DNS server are you pushing to the clients on your LAN? The stateless IPv6 address of your pfSense box?

              • JKnottJ
                JKnott
                last edited by

                I'm using the pfSense resolver and a DNS server provided by Google (Enom) for the external server.

                • R
                  ruthenium
                  last edited by

                  Thank you, you are probably right. I am overcomplicating things, and the configuration I want can be done just using the resolver, without involving Bind. I have reconfigured my pfSense box to use the resolver and I see that it is pushing the IPv6 address of the box to the client machines with DHCP, exactly what I was trying to do with Bind. I think I'll stick with this configuration for now.

                  Thanks again for your help, JKnott!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.