[SOLVED] DNSv6 automatically advertised in ISC DHCP

Started by BiTRiP, July 28, 2024, 10:51:10 PM

Hello,

When I run the DNS service on OPNSense, the IPv6 number of the router is automatically advertised with DHCP leases while I have only one IPv4 configured there.
This IPv4 number is of my Pi-hole server that is the main DNS server so I don't want to let hosts use the IPv6 address directly but ONLY use the pi-hole server.

The reason I also have OPNSense DNS setup is because of resolving hostnames set by DHCP. So this is configured as conditional DNS server in PiHole config.

How can I prevent ISC DHCP also give the IPv6 address with all leases?

Have you set the DNS servers in the DHCP settings for that interface explicitly? I suspect you did not so it uses all local addresses of the firewall including IPv6. If you set them it should only hand out those explicitly set.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Beyond the above, obscuring DNS server IPs is not the way how you force clients to use a particular DNS server.

https://labzilla.io/blog/force-dns-pihole

July 28, 2024, 11:41:45 PM #3 Last Edit: July 28, 2024, 11:46:10 PM by BiTRiP
Quote from: Patrick M. Hausen on July 28, 2024, 11:01:03 PM
Have you set the DNS servers in the DHCP settings for that interface explicitly? I suspect you did not so it uses all local addresses of the firewall including IPv6. If you set them it should only hand out those explicitly set.

Yes I have, but while I only have set 1 IP address there (192.168.2.17) my clients receive this number together with IPv6 of the router as DNS.
When I disable DNS server on the router, the DHCP only gives the IPv4 like I've set.

Quote from: doktornotor on July 28, 2024, 11:04:32 PM
Beyond the above, obscuring DNS server IPs is not the way how you force clients to use a particular DNS server.

https://labzilla.io/blog/force-dns-pihole

Forcing my clients to use a particular DNS server is done via DHCP, like it should be.
But this DHCP gives more IPs than is configured... that is the whole problem.

Quote from: BiTRiP on July 28, 2024, 11:49:50 PM
Forcing my clients to use a particular DNS server is done via DHCP, like it should be.

Well, that does not force anything...

Quote from: BiTRiP on July 28, 2024, 10:51:10 PM
When I run the DNS service on OPNSense, the IPv6 number of the router is automatically advertised with DHCP leases while I have only one IPv4 configured there.
This IPv4 number is of my Pi-hole server that is the main DNS server so I don't want to let hosts use the IPv6 address directly but ONLY use the pi-hole server.

Solutions:

A) Turn off Dnsmasq, Unbound or whatever DNS service you have running on OPNsense or move them to a port that is not 53, or

B) Set the PiHole IPv6 in the DHCPv6/RA settings?!


Ok let me ask the other way then:

Why is the IPv6 of OPNSense automatically pushed to DHCP clients even when it's not configured in DHCP server?
It doesn't make sense to me... :)
To give your IPv6 clients the ability to resolve DNS. Why are you giving them DHCPv6? And if you didn't do it intentionally ... do you even want to give them DHCPv6? You can turn that off too...


Cheers,
Franco

I do want to use DHCPv6 and give them the ability to resolve DNS but not by the OPNSense router.

You could say to turn off DNS server at OPNSense to prevent that but I use that service for other purposes.

As far as I know there is no option to set custom IPv6 address in the DHCP options instead of (automatically) OPNSense address?

You have to know that setting the respective "LAN" interface in "Track Interface" IPv6 mode will automatically configure DHCPv6 and Router Advertisements. If you want better control over this you set this LAN interface to "Allow manual adjustment of DHCPv6 and Router Advertisements" in which case you can see the DHCPv6 and Router Advertisement options in the service menu and can configure both. But note that setting the manual mode will disable both services so you need to configure and enable them manually as the setting suggests. And there, finally, you can feed a different IPv6 DNS server.


Cheers,
Franco

July 29, 2024, 10:56:24 PM #11 Last Edit: July 29, 2024, 10:59:13 PM by BiTRiP
Quote from: franco on July 29, 2024, 05:50:21 PM
You have to know that setting the respective "LAN" interface in "Track Interface" IPv6 mode will automatically configure DHCPv6 and Router Advertisements. If you want better control over this you set this LAN interface to "Allow manual adjustment of DHCPv6 and Router Advertisements" in which case you can see the DHCPv6 and Router Advertisement options in the service menu and can configure both. But note that setting the manual mode will disable both services so you need to configure and enable them manually as the setting suggests. And there, finally, you can feed a different IPv6 DNS server.


Cheers,
Franco

This was a really helpful answer. I got it all working now like I wanted.
First I had to enable "Allow manual adjustments of DHCPv6 and Router Advertisements" at LAN interface options. Then I created a subnet in the DHCPv6 with a specified DNS server (my PiHole).

At first I didn't get any IPv6 address anymore but I had to enable RA in OPNSense. I chose "Managed" and voila I got IPv6 with the PiHole as DNS server but unfortunately ALSO the router. Then I checked "Use the DNS configuration of the DHCPv6 server" in the RA options and now I only got the right IP advertised. :)

Thanks for suggestions and solution.

Cheers,
BiTRiP
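
Clients can learn resolvers from the Router Advertisement's RDNSS option (RFC 8106) as well as from DHCPv6, which is why both settings mattered in this thread. The following check is an added example, not code from the thread or from OPNsense: it parses a raw ICMPv6 RA and reports any advertised resolver that is not on an allow list. The addresses `fd00::17` (Pi-hole) and `fd00::1` (router) and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

RA_TYPE, OPT_RDNSS = 134, 25          # ICMPv6 RA type; RDNSS option type (RFC 8106)

def parse_ra(msg: bytes) -> dict:
    """Extract the M/O flags and RDNSS resolver addresses from a raw ICMPv6 RA."""
    if len(msg) < 16 or msg[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(msg[5] & 0x80), "other": bool(msg[5] & 0x40), "rdnss": []}
    off = 16                           # options start after the fixed RA header
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option")
        if opt_type == OPT_RDNSS:
            # 8 bytes of type/length/reserved/lifetime, then 16 bytes per address
            if opt_len < 24 or (opt_len - 8) % 16:
                raise ValueError("malformed RDNSS option")
            for a in range(off + 8, off + opt_len, 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(msg[a:a + 16])))
        off += opt_len
    return info

def unexpected_resolvers(msg: bytes, allowed: list) -> list:
    """Return advertised resolvers that are not on the allow list."""
    ok = {str(ipaddress.IPv6Address(a)) for a in allowed}
    return [a for a in parse_ra(msg)["rdnss"] if a not in ok]

def build_ra(managed: bool, resolvers: list) -> bytes:
    """Build a constructed sample RA (checksum left at 0) for offline testing."""
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    if resolvers:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(resolvers), 0, 600)
        msg += b"".join(ipaddress.IPv6Address(r).packed for r in resolvers)
    return msg

# Constructed addresses and packets, not taken from the thread.
PIHOLE, ROUTER = "fd00::17", "fd00::1"
RA_BEFORE = build_ra(True, [ROUTER])   # assumed: router advertises itself as resolver
RA_AFTER = build_ra(True, [PIHOLE])    # assumed: RA follows the DHCPv6 DNS setting

if __name__ == "__main__":
    for name, ra in (("before", RA_BEFORE), ("after", RA_AFTER)):
        print(name, parse_ra(ra)["rdnss"], "unexpected:", unexpected_resolvers(ra, [PIHOLE]))
```

To use it on a real network, feed `parse_ra` the ICMPv6 payload of a captured RA (starting at the type byte) instead of the constructed samples.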