LAN tracks WAN IPv6 propagates DNS servers from general setup

gothbert · August 27, 2017, 12:13:16 PM

Hi,

hosts in my LAN get IPv6 addresses from OPNsense LAN interface (track WAN). Besides they have
- either static IPv4 addresses and fixed IPv4 DNS servers configured
- or use the DHCP server on OPNsense to get a IPv4 lease and the IPv4 address of the DNS server.

DHCP correctly hands over the IPv4 address of OPNsense (configured to use resolver) as the DNS server. I have verified this with a tool (dhtest).

Unfortunately, the IPv6 addresses of both OPNsense and of the DNS servers entered in System: General setup are also present in the DNS configuration of the hosts that have no static DNS configured. This is undesirable because now e.g. my mobile devices use Google's name servers instead of my resolver on OPNsense as they give precedence to the IPv6 DNS server addresses.

IMHO, only the IPv6 address of OPNsense as DNS server should be propagated to the LAN and not all configured DNS servers. How can I turn this off?

Kind regards
Boris

jwe · August 28, 2017, 03:05:07 PM

I am not 100% sure how "Tracking" works,
but maybe you can set the correct DNS Servers in radvd and DHCPv6?
(Services=>DHCPv6=>Advertisements for radvd and Services=>DHCPv6=>Server for DHCPv6)

Thats what i did, but i am not using the tracking feature so... not sure if it works for you, but worth a try :)

franco · August 28, 2017, 03:13:40 PM

"Tracking" means requesting a prefix from a WAN-type interface connected to a friendly router for a LAN-type interface, so the prefix gets moved into an internal network, which works in IPv6 because there is no NAT.

gothbert · August 28, 2017, 09:50:34 PM

By what way are the DNS servers propagated at all to the hosts in the LAN? DHCPv6 and radvd are explicitly turned off, can't even be turned on on interfaces without static IPv6 address as it is the case for LAN tracking WAN.

franco · August 29, 2017, 09:52:13 AM

Radvd+dhcpc6 are used for tracking, unless "Directly send SOLICIT" is specified in which case dhcpc6 does the job on its own.

dhcp6c is also in charge of registering name servers. The cache files are...

# ls /var/etc/nameserver_v6*

Cheers,
Franco

gothbert · August 29, 2017, 08:42:10 PM

Thanks, Franco.

"Directly send SOLICIT" on LAN interface is checked (on).
/var/etc/nameserver_v6* does not exist.
radvd.conf exists with the following content:

Code Select

# Automatically Generated, do not edit                                                          
# Generated config for dhcp6 delegation from wan on lan                                         
interface igb1 {                                                                                
        AdvSendAdvert on;                                                                       
        MinRtrAdvInterval 3;                                                                    
        MaxRtrAdvInterval 10;                                                                   
        AdvLinkMTU 1500;                                                                        
        AdvOtherConfigFlag on;                                                                  
                prefix <prefix>/64 {                                                
                AdvOnLink on;                                                                   
                AdvAutonomous on;                                                               
                AdvRouterAddr on;                                                               
        };                                                                                      
        RDNSS <opensenseip6> 2001:4860:4860::8888 2001:4860:4860::8844 { };                                                                                              
        DNSSL <LANdomainname> { };                                                       
};

igb1 is WAN interface. <prefix> is the IPv6 prefix, <opensenseip6> is the IPv6 LAN address of the OPNsense box and <LANdomainname> the domain name for the hosts on the LAN.

Alright, that is where the Google nameservers come from in the IPv6 configuration of the hosts with no static DNS setup.

How can I turn this off?

Best regards
Boris

gothbert · September 02, 2017, 10:25:05 PM

Should I open a ticket on GitHub for this?

radvd should only serve the LAN IP of the OPNsense box via RDNSS if "Enable Forwarding Mode" is turned on in "Unbound DNS: General" options and not the configured nameservers in "System: General"

franco · September 03, 2017, 07:57:16 PM

Hi Boris,

Yes please.

"/var/etc/nameserver_v6* does not exist."

This may be why. But needs closer inspection still :)

Cheers,
Franco

gothbert · September 04, 2017, 07:25:43 PM

https://github.com/opnsense/core/issues/1806

LAN tracks WAN IPv6 propagates DNS servers from general setup

gothbert

August 27, 2017, 12:13:16 PM

jwe

August 28, 2017, 03:05:07 PM #1

franco

August 28, 2017, 03:13:40 PM #2

gothbert

August 28, 2017, 09:50:34 PM #3

franco

August 29, 2017, 09:52:13 AM #4

gothbert

August 29, 2017, 08:42:10 PM #5

gothbert

September 02, 2017, 10:25:05 PM #6

franco

September 03, 2017, 07:57:16 PM #7

gothbert

September 04, 2017, 07:25:43 PM #8