[SOLVED] DNSv6 automatically advertised in ISC DHCP

[BiTRiP]

Hello,

When I run the DNS service on OPNSense, the IPv6 number of the router is automatically advertised with DHCP leases while I have only one IPv4 configured there.
This IPv4 number is of my Pi-hole server that is the main DNS server so I don't want let hosts use the IPv6 address directly but ONLY use the pi-hole server.

The reason I also have OPNSense DNS setup is because of resolving hostnames set by DHCP. So this is configure as conditional DNS server in PiHole config.

How can I prevent ISC DHCP also give the IPv6 address with all leases?

[Patrick M. Hausen]

Have you set the DNS servers in the DHCP settings for that interface explicitly? I suspect you did not so it uses all local addresses of the firewall including IPv6. If you set them it should olnly hand out those explicitly set.

[doktornotor]

Beyond the above, obscuring DNS server IPs is not the way how you force clients to use a particular DNS server.

https://labzilla.io/blog/force-dns-pihole

[BiTRiP]

Have you set the DNS servers in the DHCP settings for that interface explicitly? I suspect you did not so it uses all local addresses of the firewall including IPv6. If you set them it should olnly hand out those explicitly set.

Yes I have, but while I only have set 1 ip address there (192.168.2.17) my clients receive this nummer together with IPv6 of the router as DNS.
When I disable DNS server on the router, the DHCP only gives the IPv4 like i've set.

[BiTRiP]

Beyond the above, obscuring DNS server IPs is not the way how you force clients to use a particular DNS server.

https://labzilla.io/blog/force-dns-pihole

Forcing my clients to use a particular DNS server is done via DHCP, like it should be.
But this DHCP gives more ip's than is configured....that is the whole problem.

[doktornotor]

Forcing my clients to use a particular DNS server is done via DHCP, like it should be.

Well, that does not force anything...

[franco]

When I run the DNS service on OPNSense, the IPv6 number of the router is automatically advertised with DHCP leases while I have only one IPv4 configured there.
This IPv4 number is of my Pi-hole server that is the main DNS server so I don't want let hosts use the IPv6 address directly but ONLY use the pi-hole server.

Solutions:

A) Turn off Dnsmasq, Unbound or whatever DNS service you have running on OPNsense or move them to a port that is not 53, or

B) Set the PiHole IPv6 in the DHCPv6/RA settings?!

[BiTRiP]

Ok let me ask the other way then:

Why is the IPv6 of OPNSense automatically pushed to DHCP clients even when it's not configured in DHCP server?
It doesn't make sense to me...

[franco]

To give your IPv6 clients the ability to resolve DNS. Why are you giving them DHCPv6? And if you didn't do it intentionally ... do you even want to give them DHCPv6? You can turn that off too...


Cheers,
Franco

[BiTRiP]

I do want to use DHCPv6 and give them the ability to resolve DNS but not by the OPNSense router.

You could say to turn off DNS server at OPNSense to prevent that but I use that service for other purposes.

As far as I know there is no option to set custom IPv6 address in the DHCP options instead of (automatically) OPNSense address?

[franco]

You have to know that setting the respective "LAN" interface in "Track Interface" IPv6 mode will automatically configure DHCPv6 and Router Advertisements. If you want better control over this you set this LAN interface to "Allow manual adjustment of DHCPv6 and Router Advertisements" in which case you can see the DHCPv6 and Router Advertisement options in the service menu and can configure both. But note that setting the manual mode will disable both services so you need to configure and enable them manually as the setting suggest. And there, finally, you can feed a different IPv6 DNS server.


Cheers,
Franco

[BiTRiP]

You have to know that setting the respective "LAN" interface in "Track Interface" IPv6 mode will automatically configure DHCPv6 and Router Advertisements. If you want better control over this you set this LAN interface to "Allow manual adjustment of DHCPv6 and Router Advertisements" in which case you can see the DHCPv6 and Router Advertisement options in the service menu and can configure both. But note that setting the manual mode will disable both services so you need to configure and enable them manually as the setting suggest. And there, finally, you can feed a different IPv6 DNS server.


Cheers,
Franco

This was a really helpful answer. I got it all working now like I wanted.
First I had to enable "Allow manual adjustments of DHCPv6 and Router Advertisments" at LAN interface options. Then I created a subnet in the DHCPv6 with a specified DNS server (my PiHole).

At first i didn't get any IPv6 addres anymore but I had to enable RA in OPNSense. I chose for "Managed" and voila I got IPv6 with the PiHole as DNS server but unfortunately ALSO the router. Then I checked "Use the DNS configuration of the DHCPv6 server" in the RA options and now I only got the right IP advertised.

Thanks for suggestions and solution.

Cheers,
BiTRiP

[franco]

Happy it works now


Cheers,
Franco