IPv6 DNS/TLS

[Deleted member 22229]

Just want to verify i have this set up properly. Do i understand correctly you must enter your IPv6 link local address found under system IPv6 tab and enter that as a DNS server under the IPv6 tab ? I picked 2 ipv4 and 2 ipv6 adresses from the drop down menu on the wan page and enabled DNS/TLS.

Also should i enable DNS filtering. And how should this be set up. Thanks !! ( Enabled this set it to router and entered the clients in the list. )

Apparently it does not work this site https://tenta.com/test Says TLS is not enabled although in the router it is. Does this feature actually work every time i try it it seems to fail.

 

[dave14305]

Just want to verify i have this set up properly. Do i understand correctly you must enter your IPv6 link local address found under system IPv6 tab and enter that as a DNS server under the IPv6 tab ?

Merlin will add [::] as the IPv6 DNS default server, which offers clients "the global address of the machine running dnsmasq". I don’t think there’s a compelling reason to override with the link local address, but you could also manip dnsmasq.conf to offer [fe80::] as the dns server.

Also should i enable DNS filtering. And how should this be set up. Thanks !! ( Enabled this set it to router and entered the clients in the list. )

IPv6 DNS Filter is a little different than IPv4 DNS Filter. IPv6 filtering relies on dnsmasq DHCP settings and rejecting anything besides those settings (since ip6tables doesn’t have a nat table). It should work just fine but it’s different.

Not everyone likes tenta.com accuracy. I have no personal experience.

 

[Deleted member 22229]

The reason i did what i did was looking at what Merlin wrote.

IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab.

I am hoping i have this configured correctly but am not sure.

 

[dave14305]

The reason i did what i did was looking at what Merlin wrote.

IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab.

I am hoping i have this configured correctly but am not sure.

To be accurate, that was added to the wiki by a user, and not RMerlin. I’m not sure I see why this would be required, but whatever it takes...I have IPv6 disabled at the moment.

History for DNS Privacy · RMerl/asuswrt-merlin.ng Wiki

Third party firmware for Asus routers (newer codebase) - History for DNS Privacy · RMerl/asuswrt-merlin.ng Wiki

github.com

 

[Paliv]

To be accurate, that was added to the wiki by a user, and not RMerlin. I’m not sure I see why this would be required, but whatever it takes...I have IPv6 disabled at the moment.

History for DNS Privacy · RMerl/asuswrt-merlin.ng Wiki

Third party firmware for Asus routers (newer codebase) - History for DNS Privacy · RMerl/asuswrt-merlin.ng Wiki

github.com

I know this is an older post now, but I didn't know about this and it seemed to not cause issues not having the link-local address there. In fact with DoT enabled I get IPV6 DNS servers from the DNS provider regardless of what's in here. Of course the only IPV6 DNS test I can find is browserleaks.com. So maybe I just have a blind spot.

 

[Paliv]

In case anyone goes looking for this, I’m not sure this message is relevant anymore:

“IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab.”

I tested for DNS leaks at several sites with IPV6 set to automatic and no DoT with Quad9 and the ISP DNS showed. Then I turned on DoT and left IPV6 set to automatic and no ISP DNS responses were shown. Just to save anyone else the time if you are wondering.