OPNsense Forum » Archive » 22.1 Legacy Series
Topic: macOS automatically detecting gateway as IPv6 DNS server? (Read 1417 times)
eddy (Newbie; Posts: 15; Karma: 4)
macOS automatically detecting gateway as IPv6 DNS server?
« on: July 08, 2022, 02:58:57 am »
A little background: I use AdGuard Home as the primary resolver in my OPNsense-based network, and then have AGH pointed at OPNsense (running Unbound) to resolve (static) DHCP names. (AGH runs in a container and does not have any IPv6 connectivity.)
Recently I noticed that macOS was sometimes bypassing AdGuard. Looking at the output of scutil --dns on several Macs on the network, I noticed that macOS was including the EUI-64 IPv6 address of the OPNsense LAN interface as a name server, along with the IPv4 address defined in the DHCPv4 config. radvdump shows that there is no RDNSS or DNSSL being advertised. I couldn't figure out where this was coming from!
I did some experimenting, and added this patch to /usr/local/etc/inc/plugins.inc.d/unbound.inc:
192a193,196
> if ($tmpadr != "::1" && $tmpaddr != "fe80::1%lo0" && strpos($tmpaddr, ":")) {
> continue;
> }
>
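Review bot: the first condition of the added `if` reads `$tmpadr` (one d) while the other two use `$tmpaddr`, so it compares an undefined variable and never actually matches `::1`; the patch only behaves as intended because `strpos("::1", ":")` returns 0, which is falsy, so loopback is still kept by the third condition. Spell the variable consistently and compare the `strpos` result explicitly (`strpos($tmpaddr, ":") !== false`, or `str_contains` on PHP 8) so the "skip non-loopback IPv6" intent does not depend on the position-0 quirk; with that change the `$tmpaddr != "::1"` test is what excludes loopback, which is what the surrounding comment in the post describes.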
(The patch prevents Unbound from binding to any non-loopback IPv6 addresses.)
Lo and behold, it solved the problem! macOS no longer includes the EUI-64 address of the LAN interface as a DNS resolver. It would appear that macOS is "automagically" determining if the default gateway can answer DNS queries, and if it can, it adds it to the system configuration.
This behavior occurs whether radvd is configured as "Managed" or "Unmanaged".
Is there a supported way to prevent Unbound from binding to IPv6 addresses? Does the "Network Interfaces" configuration section for Unbound need to be enhanced to separate out IPv4 and IPv6 variants of each interface so it would be possible to bind to only IPv4 addresses on an interface?
Thanks for any insight!
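A check for the symptom described in this post, added here as an example and not part of the original thread or of OPNsense: it parses the text that scutil --dns prints on macOS (resolver blocks containing "nameserver[N] : address" lines, which is an assumption about the format) and reports every resolver that is not on an allowlist of addresses the administrator actually handed out. The embedded sample output is constructed, with documentation-range addresses standing in for the DHCPv4 resolver and for an EUI-64 style gateway address; running the same function on the live output (check_live) before and after applying a mitigation shows whether the extra IPv6 resolver has gone away.

```python
"""Flag resolvers in `scutil --dns` output that were never configured.

Added example for the forum thread; not OPNsense or Apple code. Assumes the
`scutil --dns` text layout of "resolver #N" blocks with "nameserver[i] : addr"
lines. All addresses below are constructed sample values.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess

# Constructed sample of `scutil --dns` output: one IPv4 resolver from DHCPv4
# plus two IPv6 addresses (global and link-local, both EUI-64 style) that the
# administrator never configured, mirroring the symptom described in the post.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : lan.example
  nameserver[0] : 192.0.2.1
  nameserver[1] : 2001:db8:0:1:ae1f:6bff:fe12:3456
  nameserver[2] : fe80::ae1f:6bff:fe12:3456%en0
  if_index : 15 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[(\d+)\]\s*:\s*(\S+)")


def _strip_zone(addr: str) -> str:
    """Drop a link-local zone id such as '%en0' so ipaddress can parse it."""
    return addr.split("%", 1)[0]


def parse_nameservers(text: str) -> list[tuple[int, ipaddress.IPv4Address | ipaddress.IPv6Address]]:
    """Return (resolver number, address) for every nameserver line in the output."""
    found = []
    current = 0
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            found.append((current, ipaddress.ip_address(_strip_zone(m.group(2)))))
    return found


def unexpected_resolvers(text: str, allowed: set[str]) -> list[str]:
    """Addresses macOS will query that are not in the administrator's allowlist.

    With an IPv4-only allowlist every IPv6 resolver is reported, which is the
    situation in the thread: only an IPv4 resolver was handed out via DHCPv4,
    yet the gateway's EUI-64 address shows up as a name server.
    """
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    seen: list[str] = []
    for _, addr in parse_nameservers(text):
        if addr not in allowed_ips and str(addr) not in seen:
            seen.append(str(addr))
    return seen


def check_live(allowed: set[str]) -> list[str]:
    """Run `scutil --dns` on this Mac and apply the same check (macOS only)."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return unexpected_resolvers(out, allowed)


if __name__ == "__main__":
    # Only 192.0.2.1 was configured; both IPv6 entries should be reported.
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_SCUTIL_DNS, {"192.0.2.1"}))
```

Run it on a Mac with `check_live({"<your DHCPv4 resolver>"})` in place of the sample; an empty list after the firewall change means macOS has stopped adding the gateway's IPv6 address.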
franco (Administrator, Hero Member; Posts: 17660; Karma: 1611)
Re: macOS automatically detecting gateway as IPv6 DNS server?
« Reply #1 on: July 08, 2022, 08:58:25 am »
Hi eddy,
You can add firewall rules to prevent access to port 53 to "(self)" on LAN for IPv6.
It's the same approach one would use to prevent access to administrative resources like web GUI, etc.
Cheers,
Franco
eddy (Newbie; Posts: 15; Karma: 4)
Re: macOS automatically detecting gateway as IPv6 DNS server?
« Reply #2 on: July 08, 2022, 09:35:38 pm »
Thanks for the reply.
I'll go ahead and implement that approach.