How to map all outbound DNS requests to the local resolver in IPv6 networks?

[Blatancy2409]

In my IPv4 networks, I map all outgoing DNS requests to the local unbound server.

I recreated the same NAT rule for IPv6, but it does not appear to work. There is even nothing in the logs.

I also checked that unbound is listening to ::1 locally by login in into the opnsense shell and executing dig from there.

Edit: when the rule is active no external ipv6 DNS servers are working either. So opnsense does intercept traffic but fails to redirect ti to the loopback interface for some reason.

[tiermutter]

For some reason ::1 don't work for me too.
Instead I'm using the Sense's ULA, created as virtual IP.

[Blatancy2409]

Worked with ULA. This is REALLY not obvious....

[Taunt9930]

Worked with ULA. This is REALLY not obvious....

Any pointers for someone that doesn't know what they're doing? 

Thanks if you have the time!

[tiermutter]

To use ULA (ask google ) you need to create a virtual IP (ULA) for the sense. This virtual IP is static and can be used to address the sense, instead of using loopback (::1) or GUA with changing prefix.Thats all for this usecase...

[Blatancy2409]

What I did (if someone finds this in Google):

1. Generate a ULA (unique local address) here https://dnschecker.org/ipv6-address-generator.php
2. Create a Virtual IP and assign it to the loopback interface. Not to worry if the UI shows a /32 subnet when you enter an IP in the Virtual IP field, it switches to the IPv6 format right after you enter an IPv6 address. Using the generated prefix above I entered an IP something like this: fd7f:a69c:b042:48ab::beef/64
3. In the NAT rule use fd7f:a69c:b042:48ab::beef as the redirect target IP
4. At this point NAT forwarding should work, one can check it from one of the machines in your network:

$ dig @fd:: AAAA google.com

if the above works - the DNS queries are forwarded to your unbound.

5. But that's not all! As fd7f:a69c:b042:48ab::beef is a perfectly valid IPv6 address, your opnsense box can be accessed by this address from ANY downstream network. Yes, you can access a loopback interface from an external network, IPv6 is weird... Technically you can generate a random address and since nobody knows it, you should be good. But security by obscurity is not the way to go!
6. What you should do is block all ULAs in your "Allow internet rule" in the same way as you are blocking RFC1918 addresses for IPv4. Create an alias called ULA with the value fd00::/8.  Then allow all IPv6 traffic except the ULA group.
7. If you ever will use ULA for the local stuff, just add additional rules for the used ULAs subnets.


PS. IPv6 is freaking hard. There is not much info on the interwebs, especially for hobbyists like myself. I'm glad that I can use the external IPv6 internet from all of my networks. Will I use it for the local stuff? Probably no, I don't see much value, honestly. The only benefit is that I will never experience a local address collision with some other networks. But again, it is probably almost impossible to go IPv6 only (not all devices support IPv6), but supporting a double stack is a pain with no real benefit.