Local DNS servers overridden by prefix delegation on WAN
-
This morning I discovered that my ISP was finally supporting IPv6 prefix delegation in my area. I got a /56 from them on the WAN and then set the LAN interface to track the WAN interface and everything worked fine, until I tried to resolve local DNS names.
I run my own DNS server as part of my Active Directory setup, and normally all of the hosts on the network query my DNS server for all DNS name resolution. My DNS server in turn uses OpenDNS to resolve queries for everything outside of my AD domain.
My pfSense box has the v4 and v6 addresses of my DNS server set as the DNS servers under System: General Setup, and the "Allow DNS server list to be overridden by DHCP/PPP on WAN" box is not checked. However, when pfSense hands out IPv6 addresses to hosts on the network via DHCPv6 it is giving them its own v6 address as a DNS server, and in turn using the IPv6 address of the DNS server provided by my ISP in the prefix delegation process to resolve all names that don't exist in its DHCPv6 lease table, totally ignoring the DNS servers configured in System: General Setup.
So hosts that are dual-stacked can be resolved fine, but only by their IPv6 addresses; older devices, like printers, that don't support IPv6 cannot be resolved, because pfSense isn't telling hosts to use my internal DNS server and isn't using it itself.
I was able to get around this by switching pfSense from the DNS Resolver to the DNS Forwarder and manually editing pfSense's resolv.conf file to remove the IPv6 address of my ISP's DNS server and add the IPv6 address of my own DNS server instead. This doesn't seem to be the ideal solution, as I imagine that resolv.conf will get overwritten if my ISP ever pushes a new prefix down to pfSense.
Oddly enough, the IPv4 address of my DNS server was already listed in resolv.conf, but it looks like pfSense wasn't using it because there was an IPv6 address present on the next line.
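Since the hand-edited resolv.conf can be silently rewritten on the next prefix change, a practitioner would want a repeatable check that the file still lists only the resolvers the administrator set and shows which one comes first. The script below is an added example, not code from the original post or from pfSense; it runs in POSIX sh (the shell on a pfSense/FreeBSD box) against a constructed resolv.conf sample in the order the post describes, and the addresses, the search domain and the EXPECTED_RESOLVERS allowlist are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit resolv.conf text for
# resolvers the administrator did not configure (for instance an ISP resolver
# pushed down with an IPv6 prefix delegation) and report which resolver is
# listed first.

# Constructed sample resolv.conf text, in the order the post describes: the
# internal DNS server's v4 address first, then an ISP-pushed IPv6 resolver,
# then the internal server's v6 address. Addresses are documentation/ULA
# ranges chosen for this example (assumed, not from the post).
SAMPLE_RESOLV_CONF='search ad.example.test
nameserver 192.0.2.10
nameserver 2001:db8:feed::53
nameserver fd00:ad::10'

# Resolvers the administrator intends pfSense to use (assumed): the internal
# AD DNS server's v4 and v6 addresses, space separated.
EXPECTED_RESOLVERS='192.0.2.10 fd00:ad::10'

# list_nameservers: print the address of each "nameserver" line read on
# stdin, in file order, ignoring search/domain/options lines.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# first_nameserver: print the first resolver in the resolv.conf text in $1.
first_nameserver() {
    printf '%s\n' "$1" | list_nameservers | head -n 1
}

# unexpected_nameservers: print each resolver in the resolv.conf text ($1)
# that is not in the space-separated allowlist ($2), one per line.
unexpected_nameservers() {
    allow=$2
    printf '%s\n' "$1" | list_nameservers | while read -r ns; do
        found=0
        for ok in $allow; do
            if [ "$ns" = "$ok" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$ns"
        fi
    done
}

# check_resolv_conf: return 0 when every resolver in $1 is in the allowlist
# $2; otherwise list the offenders on stderr and return 1.
check_resolv_conf() {
    bad=$(unexpected_nameservers "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'resolvers not set by the administrator:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Run against the constructed sample. On a live pfSense box replace the
# sample with "$(cat /etc/resolv.conf)" and re-run after every WAN prefix
# change, since that is when the file may be regenerated.
echo "first resolver: $(first_nameserver "$SAMPLE_RESOLV_CONF")"
if check_resolv_conf "$SAMPLE_RESOLV_CONF" "$EXPECTED_RESOLVERS"; then
    echo "resolv.conf lists only the expected resolvers"
else
    echo "resolv.conf was changed by something other than the administrator"
fi
```

With the sample above the check flags 2001:db8:feed::53 as unexpected and reports 192.0.2.10 as the first resolver; the allowlist is the only thing to adjust for a real network.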