On Comcast IPv6. How is it "automagically" using PFsense router for V6 DNS?



  • I'm on Comcast for IPv6. My machines are using my router for IPv6 DNS even though Comcast controls that setting through IPv6 DHCP. Any idea how that is happening? Mind you, I WANTED to force local V6 DNS lookups, but somehow it is happening on its own.

    Any ideas?



  • My understanding is that pfsense sends a router advertisement (RA) to all local nodes which includes what DNS server(s) the clients can use. It just provides its own address for DNS. Thus, everything that uses the RAs gets set up to use pfsense as the DNS.

    Edit: At least for "Track Interface" setups. I think there are other configurations that provide DNS via a different mechanism such as DHCPv6.
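As an added example (not code from the pfSense project or from anyone in this thread), the following Python script builds an ICMPv6 Router Advertisement carrying the RDNSS option (RFC 6106, option type 25) and decodes it the way a client's IPv6 stack would. This is the mechanism described above: the router announces its own address in the RDNSS option, and every host that processes RAs picks it up as a DNS server. The prefix 2001:db8:1::/64 and the DNS address 2001:db8:1::1 are constructed documentation addresses, not values from the thread; the ICMPv6 checksum is left at zero because computing it needs the IPv6 pseudo-header and is not required to read the options.

```python
"""Build and decode an ICMPv6 Router Advertisement with an RDNSS option.

Added example, not pfSense code. Addresses are constructed (2001:db8::/32
documentation range). The checksum field is left zero on purpose.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3   # RFC 4861
OPT_RDNSS = 25               # RFC 6106 / RFC 8106


def build_ra(dns_servers, prefix, prefix_len=64, router_lifetime=1800, rdnss_lifetime=3600):
    """Return the ICMPv6 payload of an RA: header + Prefix Information + RDNSS."""
    # Header: type, code, checksum(0), cur hop limit, flags (M/O clear: SLAAC only),
    # router lifetime, reachable time, retrans timer
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    # Prefix Information: length 4 (32 bytes), L+A flags (0xC0), valid/preferred
    # lifetimes, reserved, then the 16-byte prefix
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, prefix_len, 0xC0,
                      86400, 14400, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    # RDNSS: length is in 8-octet units, 1 for the fixed part + 2 per address
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, rdnss_lifetime)
    for addr in dns_servers:
        rdnss += ipaddress.IPv6Address(addr).packed
    return hdr + pio + rdnss


def parse_ra_options(payload):
    """Walk the option TLVs of an RA and return what was advertised.

    Raises ValueError on a zero-length or truncated option; RFC 4861 requires a
    receiver to discard such a packet rather than loop or over-read.
    """
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    result = {
        "router_lifetime": struct.unpack("!H", payload[6:8])[0],
        "prefixes": [],
        "dns_servers": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("option with zero length")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            # body: prefix_len(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            result["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS:
            # body: reserved(2) lifetime(4) then one or more 16-byte addresses
            lifetime = struct.unpack("!I", body[2:6])[0]
            addrs = body[6:]
            for i in range(0, len(addrs) - len(addrs) % 16, 16):
                result["dns_servers"].append(
                    (str(ipaddress.IPv6Address(addrs[i:i + 16])), lifetime))
        off = end
    return result


def demo():
    """Constructed RA: a router announcing its LAN address 2001:db8:1::1 as DNS."""
    return parse_ra_options(build_ra(["2001:db8:1::1"], "2001:db8:1::"))


if __name__ == "__main__":
    print(demo())
```

The same parser can be pointed at the ICMPv6 payload of a real RA captured on the LAN to confirm which DNS addresses the router is actually advertising, which is a quicker check than guessing from what a client ends up using.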



  • @darkcrucible:

    Edit: At least for "Track Interface" setups. I think there are other configurations that provide DNS via a different mechanism such as DHCPv6.

    Yep… at least until someone finally takes the work someone did and brings in the pull request for feature 3029, which would make DHCPv6/RA settings available for interfaces using Track Interface.



  • Hey All,

    I think my question is more or less related to the original question posed here…

    I'm trying to force my pfSense router and all clients using it to use OpenDNS servers for DNS rather than the Comcast DNS servers as I'd been using up until now.

    These are my current DNS settings:

    Previously, I had my DNS servers listed as:

    127.0.0.1
    75.75.75.75
    75.75.76.76

    And I had the Allow DNS server list to be overridden by DHCP/PPP on WAN setting enabled but the Do not use the DNS Forwarder as a DNS server for the firewall setting disabled.

    After following the following two guides, my firewall rules are setup as such:

    1. https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
    2. https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    Unfortunately, when I test my DNS settings on the OpenDNS website (https://store.opendns.com/setup/), it says I'm not using OpenDNS yet.

    When I followed the instructions on this website (http://www.cyberciti.biz/faq/how-to-find-out-dns-for-router/) to find out what DNS server my computer was using by running the nslookup command, it returns the host name of my pfSense router and my IPv6 LAN address as the address associated with it. The ipconfig /all command shows my IPv6 and IPv4 LAN addresses for DNS Servers.

    I'm running pfSense 2.2.3-RELEASE.

    Is there something I'm doing wrong, or do I maybe just need to reboot my router for the changes to take effect? I can't reboot right now due to certain circumstances, but that was my next plan of action assuming I'm doing everything right.


  • 1/ The first screenshot shows settings for the firewall itself. Not for clients.
    2/ "Allow DNS server list to be overridden by DHCP/PPP on WAN" is something you absolutely do NOT want.
    3/ The guides won't work for IPv6 as is. Definitely not the NAT part.



  • @doktornotor:

    1/ The first screenshot shows settings for the firewall itself. Not for clients.
    2/ "Allow DNS server list to be overridden by DHCP/PPP on WAN" is something you absolutely do NOT want.
    3/ The guides won't work for IPv6 as is. Definitely not the NAT part.

    1. I understand this is the firewall/router DNS settings, but I'm trying to force everyone connected to this router to use these settings (hence the blocking & redirecting DNS guides I followed next).
    2. Right, I'll leave that off permanently from now on.
    3. I figured this was the case since the NAT auto-generated firewall rule only applies to IPv4 in the Proto section. There's no way to forward IPv6 addresses yet, are there?


  • @MarkVLK:

    1. I understand this is the firewall/router DNS settings, but I'm trying to force everyone connected to this router to use these settings (hence the blocking & redirecting DNS guides I followed next).

    So configure this explicitly in DHCP/RADVD.

    @MarkVLK:

    3. I figured this was the case since the NAT auto-generated firewall rule only applies to IPv4 in the Proto section. There's no way to forward IPv6 addresses yet, are there?

    Correct, there's no NAT with IPv6; you should block DNS over IPv6 except for the whitelisted DNS servers.



  • @doktornotor:

    @MarkVLK:

    1. I understand this is the firewall/router DNS settings, but I'm trying to force everyone connected to this router to use these settings (hence the blocking & redirecting DNS guides I followed next).

    So configure this explicitly in DHCP/RADVD.

    I'm not really a networking expert, not sure what RADVD is to be honest. I don't know what changes I'd need to make with my DHCP server or how that's relevant. I already know that my firewall rules apply to everyone connected to my firewall/router because I've tried accessing IPs listed in my block aliases and the requests are indeed rejected.

    @doktornotor:

    @MarkVLK:

    3. I figured this was the case since the NAT auto-generated firewall rule only applies to IPv4 in the Proto section. There's no way to forward IPv6 addresses yet, are there?

    Correct, there's no NAT with IPv6; you should block DNS over IPv6 except for the whitelisted DNS servers.

    Doesn't my 3rd from last firewall rule do this already?
    IPv4+6 TCP/UDP * * * 53 (DNS) * none Block DNS to everything else
    (Note the IPv4 + 6)



  • pfSense is a Blocking FW by default. So you explicitly Allow what you want…
    (Unless you block something Top-Of-The-List beforehand for a broad allowance later in the list)

    Your DNS server listens on "This Firewall".

    [Services: DHCPv6 server] is kind of self-explanatory for RAdvd.

    add:
    What pfSense version are you on?
    The combi TCP/UDP must be separated for IPv4 and IPv6, split-up that is.
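As an added example (not pfSense code and not from anyone in this thread), the script below models first-match evaluation of a pfSense-style LAN rule list for DNS traffic. It ties together doktornotor's advice to block DNS over IPv6 except to whitelisted resolvers, MarkVLK's "Block DNS to everything else" IPv4+6 rule, and hda's point that pfSense takes the first matching rule top-down, so the pass rules for the firewall's own resolver and the upstream resolvers must sit above that block. It also shows what an IPv4-only block rule leaves through. The firewall addresses 192.0.2.1 and 2001:db8:1::1 and the "other resolver" 2001:db8:ffff::53 are constructed placeholders; the OpenDNS addresses in the alias are an assumption of this example, not values from the thread; 75.75.75.75 is the Comcast address quoted earlier in the thread.

```python
"""First-match evaluation of a pfSense-style LAN rule list for port 53.

Added example, not pfSense code. Firewall addresses and the "other resolver"
are constructed documentation addresses; the OpenDNS alias is an assumption.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str            # "pass" or "block"
    family: str            # "inet" (IPv4), "inet6" (IPv6) or "inet46" (pfSense "IPv4+6")
    protos: tuple          # ("tcp", "udp") or ("any",)
    dst: tuple             # ("any",), ("self",) or CIDRs/hosts of an alias
    dport: int | None      # None matches any destination port
    descr: str


# Constructed: the firewall's own LAN addresses ("This Firewall" in pfSense).
FIREWALL_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "2001:db8:1::1")}

# Assumption for the example: an alias holding the OpenDNS resolvers (v4 and v6).
OPENDNS_ALIAS = ("208.67.222.222", "208.67.220.220", "2620:119:35::35", "2620:119:53::53")

# Order that makes the block rule effective: allow the firewall's resolver and the
# whitelisted resolvers first, block every other DNS destination, then the usual
# LAN-to-any pass rule.
RECOMMENDED_RULES = [
    Rule("pass", "inet46", ("tcp", "udp"), ("self",), 53, "Allow DNS to pfSense resolver"),
    Rule("pass", "inet46", ("tcp", "udp"), OPENDNS_ALIAS, 53, "Allow DNS to whitelisted resolvers"),
    Rule("block", "inet46", ("tcp", "udp"), ("any",), 53, "Block DNS to everything else"),
    Rule("pass", "inet46", ("any",), ("any",), None, "Default allow LAN to any"),
]

# Same rules with the block on top: the pass rules below it never get a chance.
MISORDERED_RULES = [RECOMMENDED_RULES[2], RECOMMENDED_RULES[0], RECOMMENDED_RULES[1],
                    RECOMMENDED_RULES[3]]

# Block rule limited to IPv4, as a NAT-generated rule would be: IPv6 DNS falls
# through to the default pass rule.
IPV4_ONLY_RULES = [
    RECOMMENDED_RULES[0],
    RECOMMENDED_RULES[1],
    Rule("block", "inet", ("tcp", "udp"), ("any",), 53, "Block DNS to everything else (IPv4 only)"),
    RECOMMENDED_RULES[3],
]


def _family_matches(family: str, ip) -> bool:
    return (family == "inet46"
            or (family == "inet" and ip.version == 4)
            or (family == "inet6" and ip.version == 6))


def _dst_matches(rule: Rule, ip, self_addrs) -> bool:
    if rule.dst == ("any",):
        return True
    if rule.dst == ("self",):
        return ip in self_addrs
    for entry in rule.dst:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def evaluate(rules, proto: str, dst: str, dport: int, self_addrs=FIREWALL_ADDRS):
    """Return (action, description) of the first matching rule; pfSense's implicit
    default is to block when nothing matches."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if not _family_matches(rule.family, ip):
            continue
        if rule.protos != ("any",) and proto not in rule.protos:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if not _dst_matches(rule, ip, self_addrs):
            continue
        return rule.action, rule.descr
    return "block", "default deny"


if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED_RULES), ("misordered", MISORDERED_RULES),
                        ("ipv4-only block", IPV4_ONLY_RULES)):
        print(name, evaluate(rules, "udp", "2620:119:35::35", 53),
              evaluate(rules, "udp", "2001:db8:ffff::53", 53))
```

The evaluator is deliberately simple (no source matching, no states, no "quick" flag), but it is enough to show why the rule order matters and why a block rule that only covers IPv4 does not stop IPv6 clients from reaching an arbitrary resolver.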



  • @hda:

    pfSense is a Blocking FW by default. So you explicitly Allow what you want…
    (Unless you block something Top-Of-The-List beforehand for a broad allowance later in the list)

    Your DNS server listens on "This Firewall".

    [Services: DHCPv6 server] is kind of self-explanatory for RAdvd.

    When I go to Services > DHCPv6 server it just has a blank page with this message:

    "The DHCPv6 Server can only be enabled on interfaces configured with a static IPv6 address. This system has none."

    When I go to Interfaces > LAN my configuration is like this:

    This was the default configuration. Should I change IPv6 Configuration Type to Static IPv6? I'm not sure what the ramifications of this would be, so I'm a bit uneasy about making that change.

    @hda:

    add:
    What pfSense version are you on?
    The combi TCP/UDP must be separated for IPv4 and IPv6, split-up that is.

    I'm on pfSense 2.2.3-RELEASE.


  • But we are talking about RADVD (Router Advertisement). Please, spend some time exploring the GUI. Really. And configure things explicitly, instead of relying on some black magic going on behind the scenes.



  • @doktornotor:

    But we are talking about RADVD (Router Advertisement). Please, spend some time exploring the GUI. Really. And configure things explicitly, instead of relying on some black magic going on behind the scenes.

    DHCPv6 and RADVD settings - which both reside under the DHCPv6 Server service - cannot be adjusted when you use DHCPv6 on your WAN and track interface on your LAN, which is required with Comcast.

    So how are you supposed to change DHCPv6 and RADVD settings in pfSense when your LAN is using Track Interface and pfSense won't let you access those settings?


  • Are you still actually having some real problem with DNS? If you are talking about Windows then setting DNS servers with radvd won't have any effect there anyway since MS does not implement this.



  • @doktornotor:

    Are you still actually having some real problem with DNS? If you are talking about Windows then setting DNS servers with radvd won't have any effect there anyway since MS does not implement this.

    All I'm trying to do is set my pfSense router/firewall to use OpenDNS servers instead of Comcast or any other DNS servers. As far as I can tell, this is being done, yet the OpenDNS test page (https://www.opendns.com/welcome/) still says I'm not using their DNS servers and their test phishing page (http://www.internetbadguys.com/) isn't blocked.

    What's more infuriating is that for about an hour the OpenDNS test phishing page WAS blocked, yet I didn't change any settings on my pfSense box. And now the test phishing page is NOT blocked, and I still haven't changed the settings. Since then, all I've been doing is checking or un-checking the Do not use the DNS Forwarder as a DNS server for the firewall option in System > General Setup. I'm a bit confused as to what this option will do as the docs relating to it seem to be outdated (https://doc.pfsense.org/index.php/General_Setup). They mention to check this option if the DNS Forwarder is disabled (which mine is), yet in the General Setup it says "By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on Localhost, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers."

    If my pfSense box is setup to use only the OpenDNS servers, then if I left this box unchecked so that it uses localhost to do DNS lookups, doesn't this just mean that all DHCP clients on the network would send their DNS requests to localhost (my pfSense box) first which would then use the OpenDNS servers to do the DNS lookups and return the result to the DHCP clients? If I check this box, I assume that just means that all DHCP clients on the network will only have the OpenDNS servers listed as their DNS servers rather than have the LAN address of my pfSense box also in their list of DNS servers, but either way all the DNS lookups should be going to the OpenDNS servers whether they're coming directly from the DHCP clients or the pfSense box itself.

    Please let me know if my understanding is incorrect. I'm beginning to think that the OpenDNS test page is just messed up. I double checked to see if maybe the page was just being cached in my pfSense box's squid proxy, but I checked the headers of requests made to the page and they said cache miss and the proxy reports also showed 0% hit rate to the test phishing page URL. I just checked the OpenDNS dashboard for my free account and I see a bunch of requests were indeed made over the last 24 hours so obviously some requests are being made to their servers.


  • Block DNS over IPv6. Follow the wiki for the rest. End of story. Not going to explain for the zillionth time that System - General is NOT for clients.