Prevent pfsense advertising itself as IPv6 nameserver
-
Hello all -
I have a set of clients on my network that I want DNS to ultimately resolve through OpenDNS. Configuring a separate DHCP pool with these IPv4 addresses completes this for IPv4; however, devices which default to IPv6 are seeing pfsense advertise itself as an IPv6-capable name server (even though only LAN, not IPv6, is selected in the DNS Forwarder configuration), which results in a situation where the OpenDNS servers are bypassed.
Note - because I only want certain clients to resolve through OpenDNS, configuring OpenDNS as the primary forwarders for the entire box (and network) is not an option for me.
How can I configure pfsense not to advertise itself as an IPv6 name server?
Thank you.
-
WTF? No, you cannot have separate DNS servers for IPv4 and IPv6 DNS records. Absurd idea.
-
"devices which default to IPv6"
So you mean like everything… Pretty much every OS I know, if it has valid ipv6, will prefer that over ipv4, even sometimes when it's not so valid.
Sounds to me like you don't have an actual deployed ipv6 network, and ipv6 is just kind of wild in your network. If it was me I would disable it until such time as you can properly set it up.
Where did you get the idea you could have the forwarder or resolver just listen on ipv4?
Interface IPs used by the DNS Forwarder for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.
Interface IPs used by the DNS Resolver for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.
You could turn off RA, or you could set up RA in the gui to hand out specific dns for those clients that can get it from there. This is all related to having an actual set-up ipv6 network and not something that is just on. You could also just block IPv6 to dns at the pfsense firewall if you don't want ipv6 clients using dns - but not sure how they would have valid ipv6 use then. So you might as well just disable it across the board.
-
"devices which default to IPv6"
So you mean like everything… Pretty much every OS I know, if it has valid ipv6, will prefer that over ipv4, even sometimes when it's not so valid.
Sounds to me like you don't have an actual deployed ipv6 network, and ipv6 is just kind of wild in your network. If it was me I would disable it until such time as you can properly set it up.
Where did you get the idea you could have the forwarder or resolver just listen on ipv4?
Since I'm on Comcast it's tracking the outside interface. And yes, everything likes IPv6 now - I've been IPv6 at home for more than two years now and it works quite well on Comcast's network in my experience.
I must have misread the options in the DNS Forwarder section where it is possible to select what interfaces it listens on. Further down in that page, however, under Strict Interface Binding there is a note that selecting said option causes dnsmasq not to bind to ipv6.
(content deleted)
You could turn off RA, or you could set up RA in the gui to hand out specific dns for those clients that can get it from there. This is all related to having an actual set-up ipv6 network and not something that is just on. You could also just block IPv6 to dns at the pfsense firewall if you don't want ipv6 clients using dns - but not sure how they would have valid ipv6 use then. So you might as well just disable it across the board.
For me it is unexpected behavior - that I can't control what nameservers are being used by the clients even if they are configuring from the RA. In an effort to consolidate devices at home I recently set up pfsense in a VM on my media server, replacing a Linksys running Tomato where the ability to control nameservers for both ipv4 and ipv6 worked for me. For my purposes, simply disabling advertisement of the ipv6 address would solve the problem I have.
From reading here it seems like for ipv6 to work with Comcast I have to let it track the outside interface - certainly I can't configure a static ipv6 network with Comcast residential. :)
So the way I've solved it for now is just to turn off the forwarder and resolver in pfsense and configure split views on my internal bind server. Excessively complex for a home setup but accomplishes my goals for now until I find something more elegant with pfsense.
Thanks for your ideas and patience as I am a new pfsense user. (And thanks for not threadcrapping like the other poster seems to be adept at)
-
I am on comcast as well. Their ipv6 is broken at many levels, to be honest. I just use an HE tunnel, get a /48 from them and have multiple ipv6 /64 segments.
You can control what dns you use via RA.. who said you couldn't??
If you want better control over what your ipv6 clients get for info you should prob run dhcpv6 for them and hand out your dns.
-
You can control what dns you use via RA.. who said you couldn't??
If you want better control over what your ipv6 clients get for info you should prob run dhcpv6 for them and hand out your dns.
…which you can't do when you "Track Interface" for IPv6 on your LAN... at least not yet (it's been said that it should be part of 2.3). Right now, in order to be able to access the DHCPv6/RA settings for your LAN, you need a static IPv6 address on your LAN (which of course you get when you use a HE tunnel).
-
There you go - yet another reason to use HE vs comcast native nonsense.. ;)
-
There you go - yet another reason to use HE vs comcast native nonsense.. ;)
At home, Comcast's ipv6 works just fine for me, I can get 135 Mbps/15 Mbps with it, and other than my somewhat unorthodox DNS requirements (which pfsense doesn't support yet) I'm happy. I suspect I would see higher numbers if I had an 8-channel modem.
At my office, I do use an HE tunnel because Comcast business ipv6 is a hot mess. I've been in the ipv6 trial now for well over a year and I've never been able to use it in production - I don't know how they expect to deploy it as is and have customers be pleased. My only complaint with HE is that it is not nearly as fast as native - that is to say my office HE tunnel frequently fails to get more than 35 Mbps whilst the connection tests at 85 Mbps on ipv4.
As mentioned, I've got a work-around in place and will wait patiently to see if 2.3 will introduce the needed functionality.
Thanks!
-
Currently if track interface is enabled, and the DNS Resolver/Forwarder is enabled, RDNSS is set. That's not configurable at this time. You can edit the code that generates radvd.conf in /etc/inc/services.inc to omit that.
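To make the RDNSS point above concrete, here is a hand-written radvd.conf fragment as an added illustration; it is not the config pfsense generates from /etc/inc/services.inc, and the interface name, the prefix and the resolver addresses are assumed placeholders (documentation prefix 2001:db8::/32). The first stanza is the shape of what the thread describes: the RA carries an RDNSS option that names the router itself, so IPv6-preferring clients use it and bypass the resolvers handed out over IPv4. The second stanza simply omits RDNSS, so the RA carries no resolver and clients fall back to whatever DHCPv4 (or DHCPv6, if you run it) gives them. If you want those clients to get a specific resolver over IPv6 instead, put that address in RDNSS rather than dropping the option.

```conf
# Constructed example, not pfSense-generated output.
# Interface name, prefix and addresses are placeholders.

# 1) What the thread is complaining about: the RA advertises the
#    router's own LAN address as the IPv6 resolver.
interface em1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:db8:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS 2001:db8:1::1        # router's own LAN IPv6 address (placeholder)
    {
        AdvRDNSSLifetime 30;
    };
};

# 2) Same interface with the RDNSS option omitted entirely: clients
#    autoconfigure an address from the prefix but learn no IPv6
#    resolver from the RA, so their DNS comes from DHCPv4/DHCPv6.
#    (Swap in a chosen resolver, e.g. RDNSS 2001:db8::53, if you
#    want to hand one out over IPv6 instead of none.)
interface em1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:db8:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
```

The two stanzas are shown together only for comparison; a real radvd.conf has one stanza per interface. To confirm what clients actually receive, capture an RA on a client (for example with rdisc6 from the ndisc6 package on Linux) and check whether an RDNSS option is present. Note that omitting RDNSS only removes the advertisement: the resolver is still reachable on the router's IPv6 address, so a client that has a resolver configured by other means (or by hand) can still query it unless a firewall rule blocks port 53 to that address, which is the other approach mentioned earlier in the thread.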
-
Well, it is a tunnel, so yeah, going to be a hit to performance compared to no tunnel, but I think the small hit is well worth the current advantages, as with most ISPs it is a mess. The feature I would love to see ISPs do is assign a /48 or /56 or even a /60, with control of the PTR if you request it.