LAN tracks WAN IPv6 propagates DNS servers from general setup

[gothbert]

Hi,

hosts in my LAN get IPv6 addresses from OPNsense LAN interface (track WAN). Besides they have
- either static IPv4 addresses and fixed IPv4 DNS servers configured
- or use the DHCP server on OPNsense to get a IPv4 lease and the IPv4 address of the DNS server.

DHCP correctly hands over the IPv4 address of OPNsense (configured to use resolver) as the DNS server. I have verified this with a tool (dhtest).

Unfortunately, the IPv6 addresses of both OPNsense and of the DNS servers entered in System: General setup are also present in the DNS configuration of the hosts that have no static DNS configured. This is undesirable because now e.g. my mobile devices use Google's name servers instead of my resolver on OPNsense as they give precedence to the IPv6 DNS server addresses.

IMHO, only the IPv6 address of OPNsense as DNS server should be propagated to the LAN and not all configured DNS servers. How can I turn this off?

Kind regards
Boris

[jwe]

I am not 100% sure how "Tracking" works,
but maybe you can set the correct DNS Servers in radvd and DHCPv6?
(Services=>DHCPv6=>Advertisements for radvd and Services=>DHCPv6=>Server for DHCPv6)

Thats what i did, but i am not using the tracking feature so... not sure if it works for you, but worth a try

[franco]

"Tracking" means requesting a prefix from a WAN-type interface connected to a friendly router for a LAN-type interface, so the prefix gets moved into an internal network, which works in IPv6 because there is no NAT.

[gothbert]

By what way are the DNS servers propagated at all to the hosts in the LAN? DHCPv6 and radvd are explicitly turned off, can't even be turned on on interfaces without static IPv6 address as it is the case for LAN tracking WAN.

[franco]

Radvd+dhcpc6 are used for tracking, unless "Directly send SOLICIT" is specified in which case dhcpc6 does the job on its own.

dhcp6c is also in charge of registering name servers. The cache files are...

# ls /var/etc/nameserver_v6*


Cheers,
Franco

[gothbert]

Thanks, Franco.

"Directly send SOLICIT" on LAN interface is checked (on).
/var/etc/nameserver_v6* does not exist.
radvd.conf exists with the following content:

Code: [Select]

# Automatically Generated, do not edit                                                         
# Generated config for dhcp6 delegation from wan on lan                                         
interface igb1 {                                                                               
        AdvSendAdvert on;                                                                       
        MinRtrAdvInterval 3;                                                                   
        MaxRtrAdvInterval 10;                                                                   
        AdvLinkMTU 1500;                                                                       
        AdvOtherConfigFlag on;                                                                 
                prefix <prefix>/64 {                                               
                AdvOnLink on;                                                                   
                AdvAutonomous on;                                                               
                AdvRouterAddr on;                                                               
        };                                                                                     
        RDNSS <opensenseip6> 2001:4860:4860::8888 2001:4860:4860::8844 { };                                                                                             
        DNSSL <LANdomainname> { };                                                       
};                                                                                              

igb1 is WAN interface. <prefix> is the IPv6 prefix, <opensenseip6> is the IPv6 LAN address of the OPNsense box and <LANdomainname> the domain name for the hosts on the LAN.

Alright, that is where the Google nameservers come from in the IPv6 configuration of the hosts with no static DNS setup.

How can I turn this off?

Best regards
Boris

[gothbert]

Should I open a ticket on GitHub for this?

radvd should only serve the LAN IP of the OPNsense box via RDNSS if "Enable Forwarding Mode" is turned on in  "Unbound DNS: General" options and not the configured nameservers in "System: General"

[franco]

Hi Boris,

Yes please.

"/var/etc/nameserver_v6* does not exist."

This may be why. But needs closer inspection still


Cheers,
Franco

[gothbert]

https://github.com/opnsense/core/issues/1806