DNS Priority, IPv4, IPv6

Started by macklij, November 18, 2023, 02:57:09 PM

November 18, 2023, 02:57:09 PM Last Edit: November 18, 2023, 03:01:26 PM by macklij
I'm enjoying OPNsense and getting to grips with IPv6 on my network.

Background
In summary my setup is very simple: OPNsense on a little PC (https://www.aliexpress.us/item/3256805846674072.html - I really like it!), a couple of switches around the house, a UniFi Cloud Key 2 (no DHCP on this - it's all on the OPNsense) with a couple of UniFi access points.

The OPNSense setup is pretty basic. A WAN with both DHCP and DHCPv6 clients connecting to the ISP (Community Fibre London 1Gb symmetric), from which I get a CGNAT IPv4 address and a /56 IPv6.  On the LAN side I run a DHCPv4 service and let SLAAC do IPv6 addressing.

Question 1
In Windows clients on a wired LAN, I get DNS servers showing as follows using ipconfig /all:

DNS Servers . . . . . . . . . . . . .: 192.168.0.1
                                       1.1.1.1
                                       2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75


That's all good (IPv4 DNS server addresses are as set in DHCP service, nothing set in Router Advertisement, so using system settings).  My question is, how do I get the IPv6 DNS server address to have priority? Currently, if I do an nslookup it defaults to 192.168.0.1 as the DNS server.

Question 2:
On Wi-Fi, Windows clients don't show the IPv6 DNS server address in ipconfig /all (they do get IPv6 static and temp addresses and gateway):

DNS Servers . . . . . . . . . . . . .: 192.168.0.1
                                       1.1.1.1


However, netsh interface ipv6 show dnsservers does show that windows is getting the correct info from RA:

Configuration for interface "Wi-Fi"
    DNS servers configured through DHCP:  2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75
    Register with which suffix:           Primary only


So what's going on?

Even more curious:

On a couple of iPhones, in Settings>Wi-Fi>'network name'>Info>Configure DNS, all the DNS Servers are shown with the IPv6 DNS address last (just like Windows LAN). But after about 10 minutes following Wi-Fi being turned 'Off and On', the IPv6 DNS server address disappears.

On macOS on Wi-Fi, it behaves just like Windows on LAN: i.e. two IPv4 addresses followed by IPv6.

--------------------------------------

I figure the IPv6 info on the clients is just buggy (but I haven't ruled out UniFi as the issue either), but would be interested in people's thoughts.

From a strictly OPN perspective, I would ideally like the IPv6 DNS server address to be the highest priority. Is that something that OPNsense can do without enabling DHCPv6?

Thanks in advance :)

DNS doesn't really have a priority.  Generally all of the servers will be hit and the first returned result will be used.  Additionally, DNS servers aren't limited to returning the same IP version.

I don't have IPv6 on my network except for WAN to get IPv6 DNS servers as well as the IPv4 ones, so I can't really answer SLAAC vs DHCP6.

What do you get when you do an nslookup?  You should see both IPv4 and IPv6 results.

Quote from: CJ on November 18, 2023, 03:12:56 PM
DNS doesn't really have a priority.  Generally all of the servers will be hit and the first returned result will be used.  Additionally, DNS servers aren't limited to returning the same IP version.

I don't have IPv6 on my network except for WAN to get IPv6 DNS servers as well as the IPv4 ones, so I can't really answer SLAAC vs DHCP6.

What do you get when you do an nslookup?  You should see both IPv4 and IPv6 results.

Thanks :)

Yes, it's all working fine from that perspective - essentially it's the same DNS server with both IPv4 and IPv6 addresses. It doesn't matter which address, v4 or v6, I query from, I get both IPv6 and IPv4 address results.

I am just intrigued. By default, both Windows and Mac OSs prefer IPv6 to IPv4, so why aren't they defaulting to the IPv6 address of a DNS server to do a lookup? I would expect nslookup google.com to return something like:

C:\>nslookup google.com
Server:  OPNsense.local
Address:  2a02:xxxx:xxxx:xxxx:xxxx:3d3:f56b:6d75  <<<AN IPv6 ADDRESS HERE

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4009:80b::200e
          216.58.212.238


rather than:

C:\>nslookup google.com
Server:  OPNsense.local
Address:  192.168.1.1  <<<RATHER THAN THE IPv4 ADDRESS HERE

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4009:80b::200e
          216.58.212.238


I know that turning off Interfaces>WAN 'Allow manual adjustment of DHCPv6 and Router Advertisements' turns on the OPNsense DHCPv6 service and the priority of DNS servers then changes to:

DNS Servers . . . . . . . . . . . . .: 2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75
                                       192.168.0.1
                                       1.1.1.1

Then, a default nslookup is via an IPv6 address rather than IPv4. (I don't want to use DHCPv6 because SLAAC allows Windows IPv6 Privacy extensions to work nicely.)

It's not a big deal but, as said above, modern OSs are meant to prioritise IPv6 over IPv4. I don't know if OPN is able to achieve this IPv6 priority using DHCPv4 and router advertising for IPv6, or whether it's something that Windows and Mac do, prioritising DHCPv4 over IPv6 info from SLAAC.

In dual-stack networks, there's not a lot the router / firewall can do to enforce one protocol over the other. That's up to the clients. Windows e.g. is known to prefer DNS servers assigned via DHCP over those assigned via RAs. You could enable the DHCPv6 server in stateless mode to work around this specific issue.

In general, I prefer separate IPv6-only and IPv4-only LANs. Most devices these days don't really need IPv4 and go in the IPv6 LANs. The legacy stuff can't handle IPv6 anyway and goes in the IPv4 LAN. This gives you much more control over the network.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on November 18, 2023, 03:56:28 PM
In general, I prefer separate IPv6-only and IPv4-only LANs. Most devices these days don't really need IPv4 and go in the IPv6 LANs. The legacy stuff can't handle IPv6 anyway and goes in the IPv4 LAN. This gives you much more control over the network.

Interesting.  Are you using tunnels or just letting each side hit that version of the site?

Quote from: Maurice on November 18, 2023, 03:56:28 PM
In dual-stack networks, there's not a lot the router / firewall can do to enforce one protocol over the other. That's up to the clients. Windows e.g. is known to prefer DNS servers assigned via DHCP over those assigned via RAs. You could enable the DHCPv6 server in stateless mode to work around this specific issue.
Cheers
Maurice
Thanks Maurice, especially for 'Windows e.g. is known to prefer DNS servers assigned via DHCP over those assigned via RAs.' That's what I suspected (as per last sentence of my previous post).

I'm intrigued about what my old Draytek was doing. I know I didn't have DHCPv6 enabled but was pretty sure that Windows reported DNS server addresses with IPv6 at the top of the list.  Perhaps I'm mistaken. I'll check in a week or two when I take OPNsense offline to add an extra NIC.

@maurice

Sorry - I feel a bit dumb, but a search isn't really helping. How do you enable DHCPv6 in stateless mode?

Thanks

@CJ DNS64 / NAT64 allows devices in the IPv6-only LANs to access IPv4-only resources (both on the Internet as well as in the IPv4 LAN).

@macklij Most consumer routers by default enable both SLAAC (A flag in RAs) as well as a DHCPv6 server. OPNsense does this, too, when using the automatic mode ("Allow manual adjustment of DHCPv6 and Router Advertisements" disabled).

For stateless DHCPv6, set the Router Advertisements to "Stateless" and enable the DHCPv6 server, but don't specify an address range there.

Quote from: Maurice on November 18, 2023, 04:28:16 PM
For stateless DHCPv6, set the Router Advertisements to "Stateless" and enable the DHCPv6 server, but don't specify an address range there.

Perfect - thank you. I had, as a test, reverted to "Allow manual adjustment of DHCPv6 and Router Advertisements" disabled. It corrected the IPv6/IPv4 order thing, but I was getting additional IPv6 addresses - presumably one from DHCPv6, and Windows-generated ones from SLAAC.

I have just tried your suggested stateless setting. It gets rid of the extra permanent IPv6. On a wired LAN Windows client it's good, albeit with repeated IPv6 DNS server addresses. On Wi-Fi Windows clients, ipconfig /all doesn't show any IPv6 DNS server addresses at all!

I'll play a little longer, but suspect I will eventually give up on this one!

Thanks again

Yes, in automatic mode, the DHCPv6 server is active and assigns addresses (in addition to the SLAAC addresses). This is for maximum compatibility with all kinds of clients (some don't support SLAAC).

Duplicate DNS server address in Windows is normal when using DHCPv6 + RA RDNSS. Nothing to worry about.

Different behaviour on Wi-Fi might be an AP or client issue. Haven't seen this before.

Thanks @Maurice

I suspect the UniFi Access Points and controller aren't playing too nicely with SLAAC DNS server addresses. The update below shows that the SLAAC / RA advertised 2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75 address doesn't reliably get through to any Wi-Fi clients. The ones entered in DHCPv6 settings do get through, so all is good.

For maximum compatibility I won't let anyone with an Android device enter the house.  :D

Thanks again - it's appreciated.

November 18, 2023, 06:05:55 PM #11 Last Edit: November 18, 2023, 06:09:13 PM by macklij
QUICK UPDATE

I set:
Interfaces>LAN to 'Allow manual adjustment of DHCPv6 and Router Advertisements' (checked);
Services>Router Advertisements>LAN Router Advertisements to 'Stateless';
Services>DHCPv6>LAN to enabled; no range entered; and DNS servers of fe80::5a9c:fcff:fe10:6d75 (link-local of my OPNsense) and 2606:4700:4700::1111 (Cloudflare).

On Windows on wired LAN I get DNS servers listed as follows:

   DNS Servers . . . . . . . . . . . : fe80::5a9c:fcff:fe10:6d75%9
                                       2606:4700:4700::1111
                                       192.168.0.1
                                       1.1.1.1
                                       2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75 (note: global address of OPNsense LAN interface)


On Windows on WiFi, I get the same but without the 2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75 which I think is via SLAAC / RA.

iPhones give the same but IPv4 first. I.e.
192.168.0.1;
1.1.1.1;
fe80::5a9c:fcff:fe10:6d75 and
2606:4700:4700::1111.
No 2a02 global address.

I can't face turning on my wife's Mac but I suspect similar to Windows on Wi-Fi.

It looks very much as if my UniFi Access Points or Controller aren't passing through DNS server addresses from Router Advertisements. I wonder if it's a multicast thing? (Does client router solicitation use multicast??)

Anyway, wine and food are calling. Thanks for listening, and I hope it's of use to someone, sometime.

RAs are multicasts indeed, but if RAs were blocked, IPv6 Internet access wouldn't work at all on Wifi. Does it?

Yes, IPv6 works well. At the start of the day, only IPv4 DNS server addresses were listed, but of course DNS lookups still received IPv6 address info and all worked.

Since doing the stateless DHCPv6 with the IPv6 addresses, I now get DNS server IPv6 addresses on Wi-Fi devices as well. It's just the ones created from SLAAC info that are hit and miss. Sometimes they appear, sometimes not. Hence my thinking that something's going on with multicast.

One for another day!

That's a rather special issue indeed. Maybe the AP tries to be smart and somehow "optimises" RAs? Some do multicast to unicast conversion for example (because multicasts can be a headache over Wifi).
You'd have to do a packet capture on an affected device to verify.
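The packet capture Maurice suggests is only useful if you can tell, from the RA a Wi-Fi client actually received, whether the M/O flags and the RDNSS option (RFC 8106) survived the trip through the AP. The following is an added example, not code from this thread or from OPNsense: a small Python decoder for ICMPv6 Router Advertisements that reports the M/O flags, the Prefix Information options (with the A flag that drives SLAAC) and the RDNSS addresses, plus a builder that constructs sample RAs so the decoder can be run offline. Assumptions: the prefix 2001:db8:1::/64 is the RFC 3849 documentation prefix (a constructed value); the DNS addresses fe80::5a9c:fcff:fe10:6d75 and 2606:4700:4700::1111 are the ones quoted above; on a real capture you would feed `parse_ra` the ICMPv6 payload (type 134 onwards) exported from your capture tool, which this example does not do.

```python
"""Decode ICMPv6 Router Advertisements and report the M/O flags and RDNSS state.

Added example for this thread; not OPNsense code. build_ra() exists only so the
decoder can be exercised on constructed packets offline.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3   # RFC 4861 section 4.6.2
OPT_RDNSS = 25        # RFC 8106 section 5.1

# type, code, checksum, cur hop limit, flags (M=0x80, O=0x40), router lifetime,
# reachable time, retrans timer
RA_HEADER = struct.Struct("!BBHBBHII")


def build_ra(managed, other, prefixes, rdnss, rdnss_lifetime=1800):
    """Constructed RA payload (ICMPv6 header + options); checksum left at zero."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    pkt = RA_HEADER.pack(ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        # Prefix Information: len 4 (32 bytes), L and A flags set (0xC0),
        # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        # RDNSS: length is 1 + 2 * n (in 8-byte units), reserved, lifetime, addresses
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, rdnss_lifetime) + addrs
    return pkt


def parse_ra(pkt):
    """Return the M/O flags, router lifetime, prefixes and RDNSS servers in an RA."""
    if len(pkt) < RA_HEADER.size or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, _, flags, router_lifetime, _, _ = RA_HEADER.unpack_from(pkt)
    info = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "router_lifetime": router_lifetime, "prefixes": [], "rdnss": [],
            "rdnss_lifetime": None}
    off = RA_HEADER.size
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("option runs past end of packet")
        body = pkt[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            prefix = ipaddress.IPv6Address(body[14:30])
            info["prefixes"].append({"prefix": f"{prefix}/{body[0]}",
                                     "autonomous": bool(body[1] & 0x40)})
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            info["rdnss_lifetime"] = struct.unpack("!I", body[2:6])[0]
            for i in range(6, len(body), 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off = end  # unknown options (MTU, DNSSL, ...) are skipped, as RFC 4861 requires
    return info


def describe(info):
    """One-line summary of how clients on this link are told about DNS."""
    if info["managed"]:
        mode = "stateful DHCPv6 (M=1): addresses and DNS via DHCPv6"
    elif info["other"]:
        mode = "stateless DHCPv6 (M=0, O=1): addresses via SLAAC, DNS via DHCPv6"
    else:
        mode = "SLAAC only (M=0, O=0): DNS reachable only via RDNSS"
    dns = ("RDNSS present: " + ", ".join(info["rdnss"])) if info["rdnss"] \
        else "no RDNSS option: RA-based DNS missing from this packet"
    return f"{mode}; {dns}"


if __name__ == "__main__":
    # Constructed RA matching the "Stateless" RA setting plus an RDNSS option
    ra = build_ra(False, True, ["2001:db8:1::/64"],
                  ["fe80::5a9c:fcff:fe10:6d75", "2606:4700:4700::1111"])
    print(describe(parse_ra(ra)))
```

Comparing the RDNSS list decoded from an RA captured on the wired LAN with one captured on a Wi-Fi client shows directly whether the AP is stripping or rewriting the option, and the M/O flags confirm which of the OPNsense RA modes (Stateless, automatic) the client is actually seeing.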