Redirect all IPv6 DNS requests to localhost


  • In a best practices world, IPv4 gets redirected via Port Forward/NAT rule.

    Is there a rules-based method to redirect IPv6 DNS traffic to pfSense?

    I would appreciate some guidance.

  • LAYER 8 Global Moderator

    Not sure where you got that was best practice? Can you do it sure, but generally unless your wanting to filter dns there is little reason to redirect.

    Normally your clients should should use what you tell them to use. So if you hand them your pfsense IP as dns - that is what it should use. Redirection can keep say some device or software that insists on using something else like googledns to go through your dns (which you filter?)

    But sure you can redirect something to IPv6:53 the same way you would redirect IPv4:53 to localhost. Just use ipv6 in the rule vs IPv4. And then redirect it to ::1 which is loopback IPv6


  • @johnpoz, thanks for the quick response.

    I took my "best practices" cue from the DNS Guides found here:

    https://docs.netgate.com/pfsense/en/latest/services/dns/index.html and Redirecting Client DNS Requests.

    I've got a Lutron Pro Bridge, a Roku, Android phones and tablets that all want to talk to an external DNS server.

    Based what I've been reading, redirecting DNS requests to pfSense seems like a rational thing to do. However, Jim Pingle, in an IPv6 forum conversation, commented that NAT is a less than optimal way to handle things.

    Is there a "best practices" method?

    Thanks in advance for the guidance.

  • LAYER 8 Global Moderator

    Where on there does it say you should redirect?

    Again redirection is an option. To work around clients using a dns you don't want them to.. But anything that tricks something into thinking they are talking to something when they are really talking to something else. I don't see how that would be best practice ever..

    You sure wouldn't think it best practice if your ISP was doing that ;)

    If you don't want xyz to talk to google block it sure.. But redirecting it to let it think its talking to google when its really talking to something else would not be best practice in my opinion.

    I have a few devices that try and talk to google.. I just block them from doing that.. They either use my dns I hand them - or they don't get dns, its that simple ;) hehehe

    I have a lutron bridge as well - one sec.. your talking about this device right. Let me snap a pic

    This is bridge you have?
    bridge.jpg

    Model BDG-1, Caseta Wireless L-BDG2


  • @johnpoz, I really appreciate the input. You have clarified a number of things for me, and my pfSense config is much simpler as a result.

    My bridge looks identical to yours, with the model number being L-BDGPRO2.

    When I started experimenting with Lutron, I was using the model you have. I added a Hubitat Elevation to the mix ("one Ring to rule them all"); the Hubitat requires the PRO model for integration purposes.

  • LAYER 8 Global Moderator

    I do like the caseta switches. I have a couple of them.. It's nice to be able control the lights if no internet ;) And when I first put them in it was easier to replace the one switch then replace all the lights above my fireplace, etc.

    The original plan was to swap out all the switches in the house with the caseta stuff - and I may still replace a few more switches.

    But with the lights becoming cheaper and cheaper, I just swapped out a bunch of bulbs in other rooms.. I picked up 8 color changing bulbs a few weeks back for like 60$ - which would of be just 1 switch for caseta.. And so much easier to install ;)

    And even if loose internet the switch still works - you just have to toggle it once..

    I wish they would make a double switch, and would love if they would create a switch and fan module in one.. But with them being separate - would be a lot of work to put in 2 switches next to each other where there is currently a single switch, etc. So for now in the guest room and my office I just have bulbs in the ceiling fan.. Which I can control via alexa - but fan is just manual by pulling the chain.. Not ideal - but way easier and cheaper then reworking all the switches on the wall..

    But the vlan the hub is on and all the light bulbs, etc. all the iot stuff other than roku is on is blocked from talking to any dns other than pfsense or my pihole. And they have not had any issues.. I don't even see any hits on the block all other dns rule..

    I make is simple for IPv6 on that vlan - its not enabled ;) Don't have to worry about allowing or blocking any ipv6 specific for anything - if they don't have it ;)