Unbound Overrides with Dual Stack

Started by dcrdev, May 05, 2025, 06:01:51 PM

After much pain I have finally managed to get ipv6 working in OPNSense and I am now looking to get DNS working properly.

Currently I am creating overrides and aliases to take care of my internal services and this is very much geared towards ipv4 at the moment. My question is what is best practice here for dual stack?

It seems that a constraint of the GUI is that a single host override can either be of type A or AAAA and that a single alias can only point to a single host override.

Should I be duplicating my host override and then duplicating every alias to point to it? Something about that doesn't seem right to me as there will be a tonne of duplication.

Just my 2cents:

Practically speaking, it is sometimes infeasible to do this without much effort. For example, many ISPs hand out dynamic IPv6 prefixes only, so you cannot easily define local DNS entries for IPv6, apart from using ULA ranges.

However, GUA IPv6 is used for outbound access (but needs no internal names) and if used for inbound access, you would need GUA IPs and probably dynamic prefixes anyway.

IPv6 was invented because of the scarcity of routable IPv4, which is not a problem for your local networks using RFC1918. Thus, for internal addressing, you can just keep IPv4 as it is, saving a lot of (unnecessary, IMHO) work.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
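One way to avoid the per-family duplication the original question describes, added here as an example and not code from this thread or from OPNsense: generate Unbound `local-data:` lines from a single per-host definition, emitting aliases as CNAMEs so they follow both the A and the AAAA record, and accepting only ULA addresses for IPv6 as the reply above suggests. It assumes the output is loaded through Unbound's own configuration (in OPNsense, a custom file under its unbound.opnsense.d directory); the host names and addresses are constructed.

```python
"""Generate Unbound local-data for dual-stack hosts from one definition each.

Constructed example: each host carries its IPv4 address, an optional IPv6
(ULA) address, and its aliases. Aliases become CNAMEs, so they resolve for
both address families without a second override per family.
"""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")  # stable even when the ISP prefix changes

# Constructed sample data (hypothetical hosts, RFC 1918 and ULA addresses).
HOSTS = {
    "nas.home.arpa": {"ipv4": "192.168.1.10", "ipv6": "fd12:3456:789a:1::10",
                      "aliases": ["files.home.arpa", "backup.home.arpa"]},
    "printer.home.arpa": {"ipv4": "192.168.1.20", "ipv6": None,
                          "aliases": ["print.home.arpa"]},
}


def fqdn(name):
    """Return the name with the trailing dot Unbound local-data expects."""
    return name if name.endswith(".") else name + "."


def local_data(hosts):
    """Return unbound.conf 'local-data:' lines for the given host table.

    Each host gets an A record, an AAAA record when an IPv6 address is set,
    and one CNAME per alias. Addresses are validated here so a typo or a
    non-ULA IPv6 address fails before Unbound is reloaded.
    """
    lines = []
    for name, spec in hosts.items():
        v4 = ipaddress.IPv4Address(spec["ipv4"])
        lines.append(f'local-data: "{fqdn(name)} A {v4}"')
        if spec.get("ipv6"):
            v6 = ipaddress.IPv6Address(spec["ipv6"])
            if v6 not in ULA:
                raise ValueError(f"{name}: {v6} is not a ULA address")
            lines.append(f'local-data: "{fqdn(name)} AAAA {v6}"')
        for alias in spec.get("aliases", []):
            lines.append(f'local-data: "{fqdn(alias)} CNAME {fqdn(name)}"')
    return lines


if __name__ == "__main__":
    print("\n".join(local_data(HOSTS)))
```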

Had my first proper go with IPv6, and I've got to say I'm not a fan. As you suggested, I skipped DNS entries - aside from my DNS server, for which I assigned a ULA to give it a static address for advertisement.

What I've discovered is that if you're relying on dynamic prefix delegation, you're essentially stuck when it comes to static addressing. Even ULAs seem to be deprioritised in favour of IPv4 by most operating systems.

It does make you wonder—why do ISPs issue dynamic prefixes when one of the main selling points of IPv6 is having enough address space to eliminate the need for NAT?

Mostly because fixed IPs of any kind are prone to be used for commercial purposes, a feature for which they want to make you pay extra. For residential access, the scarcity of IPv4 is not a problem in the view of most ISPs. Many of them do CG-NAT, which also prevents you from hosting services (which is deemed a business feature), and some do not even give you a paid option to have a (dynamic) IPv4.

Sometimes I get the impression that most ISPs do IPv6 only because it is simpler than doing any kind of IPv4-to-IPv6 translation, which they would need to access IPv6-only sites that already exist in the Pacific area. And for that, you only need working outbound IPv6 - as said, they are not interested in your hosting of services...

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+