OPNsense Forum

English Forums => 26.1, 26,4 Series => Topic started by: WiteWulf on June 28, 2026, 12:02:01 PM

Title: Help With DHCP, IPv6 and DNS Please (OPNsense Newbie)
Post by: WiteWulf on June 28, 2026, 12:02:01 PM
Hi folks, first time poster. I've recently moved to OPNsense (26.1.10, running as a VM on Proxmox) from OpenWrt. The migration went really well for the most part, but there's one thing I can't figure out and would like help with please.

I have a PiHole running on my network (in docker on a different device to OPNsense), and use DHCP Option 6 to tell my clients to use it as their DHCP server, with Unbound on the OPNsense device as the fallback. This was all I had to do on OpenWrt to get all LAN client DNS queries to go via my PiHole and I replicated this in dnsmasq on OPNsense. My IPv6 clients didn't receive an IPv6 DNS server with OpenWrt.

Since moving to OPNsense I noticed that some of my devices had started showing ads again, but saw that PiHole was still serving (some) requests on the LAN.

OPNsense is configuring the IPv6 clients on the LAN to use its Unbound service for DNS over IPv6, so I added DHCP Option 23 with the PiHole and Unbound servers' IPv6 addresses on dnsmasq hoping that would override whatever default setting was being applied.

My clients are acting on the DHCP Option 6 and configuring the PiHole and OPNsense as their IPv4 DNS servers, but ignoring the DHCP Option 23, and only configuring the OPNsense device for DNS over IPv6. Both DHCP Options are set to 'Force'.

Consequently:
a) IPv6 enabled devices prefer to use DNS over IPv6, and are only using Unbound on OPNsense (thus bypassing the PiHole)
b) IPv4 only devices are correctly using the PiHole as instructed via DHCP Option 6

I've tried both renewing DHCP leases and restarting my clients with no change in behaviour. I've checked that the PiHole is serving queries over IPv6.

How do I correctly tell my IPv6 clients to use the PiHole server?
Title: Re: Help With DHCP, IPv6 and DNS Please (OPNsense Newbie)
Post by: meyergru on June 28, 2026, 12:50:35 PM
Some IPv6 clients act in an unexpected way w/r to DHCPv6 and its options. For example, Android devices cannot use DHCPv6 at all but use router advertisements (RA) instead. Some can use the RDNSS option.

That being said, I use RA in "unmanaged" mode for many reasons, but mainly because that is guaranteed to work, but I do not use IPv6 DNS servers - those are not strictly needed if your clients can also do IPv4, because the IPv4 DNS server will also serve IPv6 addresses. This is all described here (https://forum.opnsense.org/index.php?topic=45822.0).

I would rather instruct OPNsense itself to make use of your PiHole as upstream server and not instruct clients to use that directly.

Alas, I cannot give much info about how to do it with DNSmasq, because I use Kea and Unbound. All I know is that DNSmasq has restrictions on its built-in RA mechanism; however, you can disable that and use RADVD instead.
Title: Re: Help With DHCP, IPv6 and DNS Please (OPNsense Newbie)
Post by: WiteWulf on June 28, 2026, 01:39:53 PM
Thank you, that's gone some way to explaining a previous problem I had.

When I initially set the OPNsense device up I tried setting my 'LAN IPv6 Configuration Type' to 'Identity Association' (as per some docs I found), but my LAN clients didn't receive an IPv6 configuration. Changing that to 'Track Interface (legacy)' "just worked", so I left it at that. It seems that this automatically configures a DHCPv6/RA for the LAN, and I suspect this ignores any changes made in the dnsmasq settings UI.

I assume, then, that I need to manually configure an RA or DHCPv6 range when using 'Identity Association'? I'll have a detailed read of the article you linked to and have a go at that. Thanks again.