Is there an official or recommended way to forward all ipv6 DNS requests?

[Ground_0]

I am sure many of us have found this excellent tutorial: https://forum.opnsense.org/index.php?topic=9245.0
which I am using, and it works great for ipv4.
Further down in the thread some people have inquired as to an equivalent method for ipv6, without any real consensus.
Of course, there are a few more threads around the web asking similar questions, but none seem to have any real traction.
I am currently using DNS over TLS. My ISP is dual-stack ipv4/6 and I am utilizing ipv6 (LAN tracking WAN)
Unfortunately, I can't really find any official documentation addressing this scenario. The official unbound docs state:

Should clients query other nameservers directly themselves, a NAT redirect rule to 127.0.0.1:53 (the local Unbound service) can be used to force these requests over TLS.

(from https://docs.opnsense.org/manual/unbound.html)
So, with this in mind, as well as the fact that, I believe, ipv6 ignores NAT, I am compelled to ask the community for an official or correct, or at least, clean and recommended method to forward ipv6 DNS requests (for an Opnsense beginner).
Thank you!

[DEC670airp414user]

I use this method
https://quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls


link doesn't work to great. click setup guide > open source routers > opnsense encrypted

[Ground_0]

Yes, that is the exact method I am using and thank you for your time.
However, my question is bit more specific; I am wondering how to forward ALL DNS (port 53) ipv6 requests on the lan and force them to use unbound DoT port 853.
(For instance, some clients may 'go rogue' and try to use 2606:4700:4700::1111 when I want them to use 2001:4860:4860::8888)

[Ground_0]

Here are my Firewall LAN rules.
Is this an effective strategy for IPV6?

Edit: No image hosting allowed?
Interface:LAN
TCP/IP ver:IPV6
Protocol: TCP/UDP
Destination Invert: checked
Destination: LAN address
Destination Port Range: DNS, DNS
Redirect Target IP: Single Host or Network: ::1
Redirect Target Port: DNS
NAT Reflection: Default

The IPV6 rule is nearly identical to the ipv4 rule, but is using ::1 instead of 127.0.0.1

[almodovaris]

Disabling clients from using their own DoT, DoH, or DoQ is a complicated matter. Against DoT you have Zenarmor. Against DoQ you can block QUIC in Zenarmor. But DoH blocking is a lot more complicated, unless you have an exhaustive list of all DoH servers. The problem is that anyone may start a DoH server, so such list is never foolproof.

Correction: Zenarmor blocks DoH, not DoT. But the problem that anyone may create their own DoH server persists. DoH is indistinguishable from regular HTTPS traffic. Technically, Zenarmor can inspect HTTPS connections, but that breaks much of the internet and smartphone apps.

[Ground_0]

Disabling clients from using their own DoT, DoH, or DoQ is a complicated matter. Against DoT you have Zenarmor. Against DoQ you can block QUIC in Zenarmor. But DoH blocking is a lot more complicated, unless you have an exhaustive list of all DoH servers. The problem is that anyone may start a DoH server, so such list is never foolproof.

Correction: Zenarmor blocks DoH, not DoT. But the problem that anyone may create their own DoH server persists. DoH is indistinguishable from regular HTTPS traffic. Technically, Zenarmor can inspect HTTPS connections, but that breaks much of the internet and smartphone apps.

Thank you for the insight.
I guess my follow up question would be, is there a way to forward ipv6 DNS requests akin to the ipv4 tutorial at https://forum.opnsense.org/index.php?topic=9245.0 ?
There seems to be no guides or consensus on a workable solution that I can find.

[Patrick M. Hausen]

Out of curiosity I tried your setup:

Source: *
Destination: !LAN address
Destination port: 53
Protocol: IPv6, TCP/UDP
Redirect: ::1
Rule association: pass

The redirection seems to work just fine:

Code: [Select]

root@opnsense:~ # tcpdump -i lo0 -n port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo0, link-type NULL (BSD loopback), snapshot length 262144 bytes
15:03:35.584046 IP6 2003:a:d59:******.18249 > ::1.53: 63442+ [1au] A? www.heise.de. (53)
15:03:40.585240 IP6 2003:a:d59:******.48087 > ::1.53: 63442+ [1au] A? www.heise.de. (53)

But Unbound seems unwilling to answer on that socket:

Code: [Select]

2024-08-25T15:03:45 Notice unbound [55765:0] notice: sendmsg failed: Invalid argument
So I tried AdGuard Home instead - same result.

Maybe in IPv6 ::1 as a source address is not possible? In the IPv4 setup 127.0.0.1 is necessary so NAT works in both directions via the state tracking without an explicit rule on the internal interface.

Kind regards,
Patrick

[Ground_0]

Thank you as well, Patrick.
I'll keep searching.