DHCPv6, SLAAC, and RDNSS no local domain hostnames in unbound on pfSense



  • Hi,

    I've set up pfSense 2.2.4 with an he.net tunnel and IPv6 on LAN as well. I'm using "Assisted" mode in router advertisements, and DHCPv6 server is running and assigning addresses to clients (though it seems most of my Linux/FreeBSD based boxes don't run DHCPv6 clients by default). OS X Yosemite and my iDevices are pulling DHCPv6 addresses. I've entered the LAN IPv6 IP in the "Router Advertisements" DNS servers and I'm not sending DNS servers via DHCPv6.

    I've checked the "Enable registration of DHCP client names in DNS" on the DHCPv6 config page (which BTW, took me a day to find because it's hidden under the "Dynamic DNS" Advanced button; definitely recommend changing the UX on that).

    All working nicely except I'm not getting hostnames propagating to unbound, so I can't ping6 local hosts by hostname or enter the local hostname of a device into my browser and connect via IPv6.

    I don't need DHCPv6 if there's some mechanism for hostnames/IPv6 addresses to get into unbound using SLAAC or NDP or some other mechanism, but I haven't seen any indication of that functionality in my reading (still learning IPv6).

    Any clues?

    Thanks.


  • Try with latest 2.2.5 snapshot before debugging anything else.



  • Running 2.2.5 now. No visible difference in the behavior.



  • I can confirm that for pfsense 2.2.4.



  • The problem is still available with the official 2.2.5 release.



  • From my experience, hosts don't send a hostname when they request an address via DHCPv6. They send their DUID and that's it. So there's no hostname to associate to the IP address being assigned. If anyone has seen something different, please enlighten us all. The only way I've gotten hostnames linked to IPv6 addresses is by a static DHCP entry. Feel free to verify this by looking at Status > DHCPv6 Leases. You'll see there are no hostnames there to register with DNS.

    SLAAC is completely client-side… the client receives the RA, then selects an address, verifies it's not already in use, then starts using it if all is ok. Since there's nothing sent to a server under SLAAC, there's no way that pfSense would know the hostname of a device using SLAAC.



  • @virgiliomi:

    From my experience, hosts don't send a hostname when they request an address via DHCPv6. They send their DUID and that's it. So there's no hostname to associate to the IP address being assigned.
    …

    there's nothing sent to a server under SLAAC, there's no way that pfSense would know the hostname of a device using SLAAC.

    Ah, thanks for pointing that out. I didn't realize hosts didn't include their hostname in their reply.

    Sooo, the next big question is what are best practices for network management in this scenario? I think we all need to be able to access hosts on the network right? preferably by name, which is why we have that cool service called DNS.

    How is it supposed to work with IPv6?

    Any ideas?

    Thanks.



  • @gnhb:

    Sooo, the next big question is what are best practices for network management in this scenario? I think we all need to be able to access hosts on the network right? preferably by name, which is why we have that cool service called DNS.

    How is it supposed to work with IPv6?

    Any ideas?

    Thanks.

    Uhm.. well.. If things are as they say with SLAAC, there is no real way to accomplish adding dynamic DHCP entries to DNS. This tbh is in my opinion kinda unreliable in IPv4 as well when it comes to dynamic clients due to caching and/or lease time, I guess.

    So.. What to do?

    Well.. most likely you don't really need the DNS name of your cellphone, or iPad or whatever things like that, so that leaves servers on your LAN that could be useful to access via DNS name (and not have to remember the IPv6 address). Then, you just set a static address on that device, and add a manual entry in pfSense to "DNS Resolver" with the manually set IPv6 address and name.

    Sorry, that's really my best advice atm (but I'm still learning stuff :P )

    C

    PS. Remember to leave space in your DHCPv6 scope for those manual addresses tho, just in case. I guess SLAAC should figure out what address is in use by itself, but in theory if your "server" is shut down when a new SLAAC client enters the network you COULD get a conflict when the server comes back online?



  • @cybdex thanks for the reply mate.

    Frankly, I'm surprised there isn't an easy answer here. I do have a file server on my LAN, but I also have 3 Raspberry Pis doing various multimedia stuff, a TV, a DVD player, a printer, 3 network cameras, etc, etc. All these things have web interfaces that sometimes I want to access. I can't imagine that IPv6 got downgraded when it comes to LAN management. It's a lot of work to add static IP addresses for everything you want to manage on a LAN, especially if you have a small or medium size company, or if you're adding new gadgets constantly, or you're an R&D or Dev team spinning up new VPS instances all the time.

    I'm guessing IPv6 dynamic DNS on my LAN is the way to go, but that means pfSense needs a dynamic DNS server in addition to all the possible dynamic client configs.

    Anyway, not much activity on this thread, so I'm just waiting for the solution. I've researched this heavily on Google, read Cisco white papers, IPv6 rollout docs, etc, etc. Nothing found yet… maybe I'm searching for the wrong terms.

    Onward and upward...  8)



  • Any advances in this scenario? Have you resolved this problem? I'm facing this problem right now!



  • There's nothing to fix because with SLAAC the RA daemon doesn't register anything resembling a lease, it only advertises the router address and the available prefix. It doesn't even get notified when a client allocates an address. You could hack something on the clients that registers the acquired IPv6 address with the known host name to the resolver running on pfSense but that's primarily dependent on what you can do on the clients.



  • @kpa:

    There's nothing to fix because with SLAAC the RA daemon doesn't register anything resembling a lease, it only advertises the router address and the available prefix. It doesn't even get notified when a client allocates an address. You could hack something on the clients that registers the acquired IPv6 address with the known host name to the resolver running on pfSense but that's primarily dependent on what you can do on the clients.

    OK, but how are we supposed to deal with this? I mean, how can I access devices by their DNS names as if we were using DHCP on IPv4?



  • The first address you get from SLAAC is fixed by the MAC address (within the given /64 prefix, I will use 2001:db8:: below) and you can use that to make a static host override on the DNS resolver/forwarder. For example if the MAC address is "00-11-22-33-44-55" then the EUI-64 (the 64-bit host id) would be ::211:22FF:FE33:4455.

    http://silmor.de/ipaddrcalc.html#ip6

    With the EUI-64 known you can create the override as an AAAA record "myhost.mydomain.tld"  -> "2001:db8::211:22ff:fe33:4455".
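
Added example (not part of the thread and not pfSense code): the derivation in the post above written out in Python, turning a MAC address and a /64 prefix into the modified EUI-64 SLAAC address and the matching unbound `local-data` lines, plus a check that recovers the MAC from an observed address. The function names are illustrative assumptions; a host that uses privacy or stable-privacy interface identifiers (RFC 4941, RFC 7217) will not hold the derived address, which is the case where `eui64_to_mac` returns `None` for the address the host actually shows.

```python
import ipaddress
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")

def mac_to_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    b = bytearray.fromhex(re.sub(r"[-:]", "", mac))
    b[0] ^= 0x02                                  # invert the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_iid(mac))

def unbound_override(fqdn: str, prefix: str, mac: str) -> list:
    """unbound.conf lines for a static AAAA record and its reverse PTR."""
    addr = slaac_address(prefix, mac)
    name = fqdn.rstrip(".") + "."
    return [f'local-data: "{name} AAAA {addr}"',
            f'local-data-ptr: "{addr} {name}"']

def eui64_to_mac(address: str):
    """Return the MAC embedded in an EUI-64 address, or None if the
    interface identifier was not derived from a MAC (no ff:fe in the middle)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

if __name__ == "__main__":
    # Values from the post above (2001:db8::/64 is the documentation prefix).
    for line in unbound_override("myhost.mydomain.tld", "2001:db8::/64",
                                 "00-11-22-33-44-55"):
        print(line)
    print(eui64_to_mac("2001:db8::211:22ff:fe33:4455"))
```

The reverse function also shows why EUI-64 addresses are a tracking concern: anyone who sees the address can read the interface's MAC out of it.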



  • @kpa:

    The first address you get from SLAAC is fixed by the MAC address (within the given /64 prefix, I will use 2001:db8:: below) and you can use that to make a static host override on the DNS resolver/forwarder. For example if the MAC address is "00-11-22-33-44-55" then the EUI-64 (the 64-bit host id) would be ::211:22FF:FE33:4455.

    http://silmor.de/ipaddrcalc.html#ip6

    With the EUI-64 known you can create the override as an AAAA record "myhost.mydomain.tld"  -> "2001:db8::211:22ff:fe33:4455".

    Thank you very much!!! That was exactly what I needed. Now I have turned off DHCP6 and left SLAAC for every client. I've created the overrides like you mentioned only for the ones I need to access.

    Thank you!

