macOS automatically detecting gateway as IPv6 DNS server?

Started by eddy, July 08, 2022, 02:58:57 AM

A little background:

I use AdGuard Home as the primary resolver in my OPNsense-based network, and then have AGH pointed at OPNsense (running Unbound) to resolve (static) DHCP names. (AGH runs in a container and does not have any IPv6 connectivity.)

Recently I noticed that macOS was sometimes bypassing AdGuard.

Looking at the output of scutil --dns on several Macs on the network, I noticed that macOS was including the EUI-64 IPv6 address of the OPNsense LAN interface as a name server, along with the IPv4 address defined in the DHCPv4 config.

radvdump shows that there is no RDNSS or DNSSL being advertised.

I couldn't figure out where this was coming from!

I did some experimenting, and added this patch to /usr/local/etc/inc/plugins.inc.d/unbound.inc:

192a193,196
>             if ($tmpadr != "::1" && $tmpaddr != "fe80::1%lo0" && strpos($tmpaddr, ":")) {
>                 continue;
>             }
>
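Review bot: the first comparison on the added `if` line reads `$tmpadr` while the other two reference `$tmpaddr`; the misspelled variable is undefined, so `$tmpadr != "::1"` is always true and the `::1` exemption is not actually enforced by that term. The loopback address only survives because `strpos($tmpaddr, ":")` returns 0 for a string whose first character is a colon, which PHP treats as false; any other address beginning with `::` would escape the skip for the same reason. Suggest `$tmpaddr != "::1" && $tmpaddr != "fe80::1%lo0" && strpos($tmpaddr, ":") !== false` so both the spelling and the position-zero case are handled explicitly.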


(The patch prevents Unbound from binding to any non-loopback IPv6 addresses.)

Lo and behold, it solved the problem! macOS no longer includes the EUI-64 address of the LAN interface as a DNS resolver. It would appear that macOS is "automagically" determining if the default gateway can answer DNS queries, and if it can, it adds it to the system configuration.

This behavior occurs whether radvd is configured as "Managed" or "Unmanaged".

Is there a supported way to prevent Unbound from binding to IPv6 addresses? Does the "Network Interfaces" configuration section for Unbound need to be enhanced to separate out IPv4 and IPv6 variants of each interface so it would be possible to bind to only IPv4 addresses on an interface?

Thanks for any insight!
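As an added example (not code from the thread or from OPNsense), the following script audits `scutil --dns` output the way the post describes doing by hand: it collects every `nameserver[n]` entry, compares it against the resolvers the operator expects, and flags any leftover IPv6 address whose interface identifier carries the `ff:fe` marker of a modified EUI-64 address, since that pattern is what a router's autoconfigured interface address looks like. The sample output and the expected-resolver list are constructed for the example; the parsing of the real command's text is based on its documented line format.

```python
import ipaddress
import re

# Constructed sample of `scutil --dns` output (not captured from the poster's Macs).
# The second nameserver carries an EUI-64 style interface ID (note the "ff:fe" in 29ff:feab).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.53
  nameserver[1] : fd00:1234:5678:0:20c:29ff:feab:cdef
  if_index : 6 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.53
  nameserver[1] : fd00:1234:5678:0:20c:29ff:feab:cdef
  if_index : 6 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""

# Matches lines such as "  nameserver[1] : fd00::1%en0"
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_nameservers(scutil_output):
    """Return the de-duplicated, order-preserving list of nameserver addresses.

    A "%en0"-style zone index is stripped so the address can be parsed.
    """
    seen = []
    for line in scutil_output.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        addr = m.group(1).split("%", 1)[0]
        if addr not in seen:
            seen.append(addr)
    return seen


def is_eui64(addr):
    """True when an IPv6 address has the ff:fe marker bytes of a modified EUI-64 interface ID."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version != 6:
        return False
    # Interface ID is the low 64 bits; bytes 3 and 4 of it (bits 39..24) are 0xff 0xfe for EUI-64.
    return (int(ip) >> 24) & 0xFFFF == 0xFFFE


def audit_resolvers(scutil_output, expected):
    """Return (address, reason) pairs for nameservers not in the expected set.

    `expected` is the operator's list of intended resolvers (assumed known).
    """
    expected_set = {str(ipaddress.ip_address(a)) for a in expected}
    findings = []
    for addr in parse_nameservers(scutil_output):
        canon = str(ipaddress.ip_address(addr))
        if canon in expected_set:
            continue
        reason = "unexpected resolver"
        if is_eui64(canon):
            reason += " (EUI-64 style IPv6 interface address; typically a router interface)"
        findings.append((canon, reason))
    return findings


if __name__ == "__main__":
    # Only the IPv4 AdGuard Home address is expected in this constructed scenario.
    for address, why in audit_resolvers(SAMPLE_SCUTIL_DNS, ["192.168.1.53"]):
        print(f"{address}: {why}")
```

On a real Mac the sample string would be replaced by the output of `scutil --dns` (for example via `subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout`), and the expected list by the resolver addresses handed out in the DHCPv4 configuration. An empty result means every configured resolver is one the operator intended; a finding marked EUI-64 is the symptom the post describes.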

Hi eddy,

You can add firewall rules to prevent access to port 53 to "(self)" on LAN for IPv6.

It's the same approach one would use to prevent access to administrative resources like web GUI, etc.


Cheers,
Franco

Thanks for the reply.

I'll go ahead and implement that approach.