Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How can I remove this IPv6 DNS entry? (post 2.8.0 upgrade)

    Scheduled Pinned Locked Moved General pfSense Questions
    18 Posts 4 Posters 696 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • hydnH
      hydn
      last edited by

      Please bear with me if this is a noob question, I'm learning pfSense and have only been using it for a couple of weeks.

      93c0c7dc-f745-4f3b-bbfa-97fbee897097-image.png

      I can't find where this was added. I had IPv6 disabled globally. How can I remove that entry? thanks.

      dennypageD 1 Reply Last reply Reply Quote 0
      • dennypageD
        dennypage @hydn
        last edited by

        @hydn That’s IPv6 localhost. It’s not accessible from outside the host.

        hydnH 1 Reply Last reply Reply Quote 0
        • hydnH
          hydn @dennypage
          last edited by hydn

          @dennypage Thanks. I know that. I Don't want to see that extra line in the dashboard. How can I remove it?
          (i have IPv6 disabled globally in pfSense)

          dennypageD GertjanG 2 Replies Last reply Reply Quote 0
          • dennypageD
            dennypage @hydn
            last edited by

            @hydn said in How can I remove this IPv6 DNS entry? (post 2.8.0 upgrade):

            @dennypage Thanks. I know that. I Don't want to see that extra line in the dashboard. How can I remove it?

            To my knowledge, you can’t. Just like you can’t remove 127.0.0.1.

            1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan @hydn
              last edited by Gertjan

              @hydn said in How can I remove this IPv6 DNS entry? (post 2.8.0 upgrade):

              How can I remove it?

              You need two "/" and here is the info where to place them :

              Change

              		$dns_nameservers[] = $add_v6_brackets ? '[::1]' : '::1';
              

              for

              //		$dns_nameservers[] = $add_v6_brackets ? '[::1]' : '::1';
              

              Removing '::1' is bad because unbound 'needs' it - I guess. Have a look at the PHP script I've showed above, why it's included.
              Be ware : removing ::1 from /etc/resolv.conf, and thus stopping it from showing up in the GUI dashboard ... not sure if that's a good idea. Be ready to face issues.

              Another method, probably way better :
              Edit the dash board, the System Information widget script file, and remove the line that shows the '::' : just dn't show it anymore.
              After all, the kernel will still be IPv6 active, the firewall rules (not the GUI, I mean the real list of rules : see /tmp/rules.debug ) will still contain IPv6 rules, etc.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              hydnH 1 Reply Last reply Reply Quote 0
              • hydnH
                hydn @Gertjan
                last edited by

                @Gertjan thanks! Interesting.

                I tried to thumbs up but can’t. lol

                2.7.2 that didn’t show up. That version didn’t need it? Or just didn’t show it?

                I probably will edit the widget. Subtle changes like this bug me. It’s meaningless I’m sure but it was one of the few little changes I noticed post 2.8.0 upgrade.

                I’m in the process of removing pfBlockerNG because when you disabled DNSBL (using quad9 instead) the pfBlockerNG widget has no option to hide it 🫤 you can uncheck it in services widget but not from the pfBlockerNG widget.

                I asked here just to be sure I wasn’t missing a setting or something. Which is exceedingly likely for me. Ha

                GertjanG 1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by stephenw10

                  A (perhaps) cleaner way is to set the DNS behaviour to 'Use remote, ignore local'. Then add back 127.0.0.1 like:

                  Screenshot from 2025-06-09 14-43-22.png

                  But remember to remove localhost there if you ever change back because it will throw an error trying to add it twice.

                  Or just ignore it since it's not a problem. It's just v6 localhost, the same as v4 localhost isn't a problem.

                  hydnH 1 Reply Last reply Reply Quote 1
                  • GertjanG
                    Gertjan @hydn
                    last edited by

                    @hydn
                    Don't worry, I 👍 the stephenw10 for you ^^
                    Way cleaner and better indeed.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    1 Reply Last reply Reply Quote 0
                    • hydnH
                      hydn @stephenw10
                      last edited by hydn

                      @stephenw10 ahh!! I see what you did there. Nice.

                      Will Unbound function the same by doing that? (Meaning local DNS first then out to Quad9 or whatever DNS servers I put in the rows/boxes below that 127.0.0.1?

                      GertjanG 1 Reply Last reply Reply Quote 0
                      • GertjanG
                        Gertjan @hydn
                        last edited by

                        @hydn

                        You asked unbound to forward, right ?
                        If so, it will use the IPs it found in the /etc/resolv.conf file - these :
                        574e508b-2c14-4581-8969-90ae1c529dec-image.png

                        It won't forward to the listed 127.0.0.1 or ::1 as that would loop around indefinitely.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          Hmm, good question. I believe it will use the servers in order they are set so as long as localhost is first that's what it should do.

                          But you could always just keep ::1 since it's meant to be there. 😉

                          hydnH 1 Reply Last reply Reply Quote 0
                          • hydnH
                            hydn @stephenw10
                            last edited by hydn

                            so the description here says:
                            1e70830d-b041-48b7-a4b4-273142678ae8-image.png
                            (still current setting, my wife is streaming on TV, and if the network goes down one more time I'm pretty sure she'd divorce me.)

                            I do have forwarding enabled:
                            c465b4ee-c7fa-4500-af3c-62a91b5821f3-image.png

                            EDIT:
                            Question: What do I lose by removing the local DNS and disabling unbound and pointing DNS to the remote DNS provider servers?

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              pfSense itself would just query the external server directly.

                              Clients behind pfSense would no longer have any DNS so you would need to pass the external servers to them directly via DHCP.

                              There would be no DoT. No caching. No filtering, if you're using that.

                              hydnH 1 Reply Last reply Reply Quote 0
                              • hydnH
                                hydn @stephenw10
                                last edited by

                                @stephenw10 said in How can I remove this IPv6 DNS entry? (post 2.8.0 upgrade):

                                so you would need to pass the external servers to them directly via DHCP.

                                The DNS entries I add in general settings are automatically populated in DHCP for each interface, is that not the case?

                                So if I remove unbound the DNS servers set here would not be used by the interfaces with DHCP?:
                                8f8b15e0-06c9-4bef-b311-93cb3198d8e1-image.png

                                My issue is that DoT isn't working locally via 127.0.0.1 only via the remove DNS.

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  No. By default the DHCP server on each interface uses the interface IP as DNS to send to clients. That means using Unbound on pfSense. You can add servers manually to each DHCP instance if you need to.

                                  @hydn said in How can I remove this IPv6 DNS entry? (post 2.8.0 upgrade):

                                  My issue is that DoT isn't working locally via 127.0.0.1 only via the remove DNS.

                                  DoT only works where it's configured and that's between Unbound and Cloudflare. You can enable DoT on Unbound itself as a server and clients could then use it to Unbound if they are configured to do so. And clients could potentially use DoT to clouldflare directly if they are configured to do it.

                                  hydnH 1 Reply Last reply Reply Quote 0
                                  • hydnH
                                    hydn @stephenw10
                                    last edited by hydn

                                    @stephenw10 Ok I understand. I enabled it between local clients but I get a warning on my iPhone when connecting to the hotspot about privacy.
                                    8155f35f-6505-418f-90bb-3fcba55faffc-image.png

                                    I can connect to it, and it works but just warns about privacy.

                                    Edit:
                                    8b671a8c-ccd4-48d7-a680-8728408422be-image.png Edit: Also according to this it would mean DoT over 853 is indeed working?.

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      Yes port 853 is DoT. You could also check the firewall states in Diag > States for that.

                                      The iphone is probably trying to connect to some remote servers dircetly. Are you blocking external DNS for clients?

                                      hydnH 1 Reply Last reply Reply Quote 0
                                      • hydnH
                                        hydn @stephenw10
                                        last edited by hydn

                                        @stephenw10 yes you are correct. It was to their own 853 servers (apple’s pricate browsing feature). I’m not sure exactly what I changed but the warning is gone now.

                                        1 Reply Last reply Reply Quote 1
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.