If you configure SLAAC unmanaged, how does the search list option work exactly?
For example, if you set the domain in the field to "workgroup.internal" and a SLAAC client has the hostname "client1", how does name resolution work/how is it supposed to work?
If I ping -6 "client1.workgroup.internal" it does not work. Is there a missing piece here, do I need to configure something on Unbound? How would a SLAAC client register its hostname?
It doesn't. The search domain defines what the client appends when requesting a domain name from the name server. Registration of names is not something SLAAC covers.
Right. SLAAC is meant to give IP addresses to clients. They can even take up random IPs (e.g. with privacy extensions). Those are for outbound access, mostly.
If you want to make your clients addressable by name, you can use these mechanisms:
1. IPv4 only (this is the simplest and my recommendation): Do not bother to make your clients addressable by IPv6 at all.
2. Via DHCPv6. While this works, the DNS entries hold as long as your DHCP lease time and thus, may be wrong with dynamic prefixes.
3. With static prefixes: Use SLAAC and hope that the client uses EUI-64 (potentially among others). Then you can statically name your clients via PREFIX:EUI-64. In this case, you can also use DHCPv6.
4. With dynamic prefixes: ULAs may be your friend, but note that they are prioritized LOWER than even IPv4 (contrary to popular belief).
Because most people have dynamic prefixes, I prefer to use 1., but with SLAAC for outbound access only. This is all covered here: https://forum.opnsense.org/index.php?topic=45822.0
I am using dnsmasq with SLAAC and RA-NAMES. This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 address. I find this to be very convenient. It doesn't help with privacy addresses, but I generally don't need to reference those clients by name anyway.
I have high hopes for the new hostwatch db/service to help with this, even if some non-standards based solution is needed in OPNsense.
The problem with 1. above is that the client's SLAAC GUA is the one that shows in logs (e.g. Unbound & F/W live view), and this might even be a temporary address from privacy extensions. It's not resolvable to a hostname so tracking clients is more work. I usually have to work backwards from NDP to find the MAC and then cross-reference manually in Leases.
A future OPNsense update could leverage the hostwatch data to auto-register SLAAC clients in DNS, maybe? It could discover and track the temporary addresses this way.
🤞
Quote from: klinebau on February 24, 2026, 08:18:58 PM
I am using dnsmasq with SLAAC and RA-NAMES. This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 address.
I will have to re-check my Dnsmasq settings but this doesn't always work for me. It works for clients in the DHCP pool but not for hosts entries.
Maybe I did something wrong.
RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.
Quote from: klinebau on February 24, 2026, 08:18:58 PM
I am using dnsmasq with SLAAC and RA-NAMES. This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 address. I find this to be very convenient. It doesn't help with privacy addresses, but I generally don't need to reference those clients by name anyway.
How do I configure this option?
Many thanks
P
Since SLAAC unmanaged addresses never change on the clients, the client always chooses the same IPv6 address, can I also use a strategy where I just create AAAA on Unbound for computers I need to DNS resolve to? Is this correct?
I should note I have a /56 static from my provider.
If your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.
Note that some clients (e.g. Windows) choose to use arbitrary suffixes instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.
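The address layout described in the post above (56-bit prefix + 8-bit interface prefix + EUI-64), worked through as an added example that is not part of the original thread. The prefix, interface ID, MAC and hostname are constructed sample values, and the output line uses the plain unbound.conf `local-data` form for an AAAA record.

```python
import ipaddress
from typing import Optional


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix56: str, interface_id: int, mac: str) -> ipaddress.IPv6Address:
    """<prefix (56 bits)> + <interface prefix (8 bits)> + <client EUI-64>."""
    net = ipaddress.IPv6Network(prefix56)
    if net.prefixlen != 56:
        raise ValueError("this example assumes a /56 delegation")
    if not 0 <= interface_id <= 0xFF:
        raise ValueError("interface prefix must fit in 8 bits")
    value = int(net.network_address) | (interface_id << 64) | eui64_iid(mac)
    return ipaddress.IPv6Address(value)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address; None if the suffix is not MAC-derived."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # stable-private or temporary suffix: nothing to recover
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def unbound_local_data(fqdn: str, addr: ipaddress.IPv6Address) -> str:
    """Format an AAAA record as an unbound.conf local-data line."""
    return f'local-data: "{fqdn}. IN AAAA {addr}"'


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC and hostname).
    addr = slaac_address("2001:db8:12ab:cd00::/56", 0x10, "52:54:00:12:34:56")
    print(unbound_local_data("client1.workgroup.internal", addr))
    for seen in (str(addr), "2001:db8:12ab:cd10:8c1f:3a77:9e02:41bd"):
        print(seen, "->", mac_from_address(seen) or "suffix is not EUI-64")
```

`mac_from_address` also covers the log-tracing case mentioned earlier in the thread: it only yields a MAC when the suffix carries `ff:fe` in the middle, so addresses with arbitrary or temporary suffixes still need the NDP table.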
Quote from: meyergru on Today at 12:45:25 AM
If your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.
Note that some clients (e.g. Windows) choose to use arbitrary suffixes instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.
Seems like neither my Ubuntu boxes nor my Windows boxes have FFFE in the addresses, so I guess they all use private IPs.
However, they also never seem to change, ever. I have had many opportunities for them to change with things down for various changes and they seem to always get the exact same address always.
Is an override in Unbound the same as setting an AAAA record? Am I right to assume the IPv6 won't change on clients?