IPv6 ip6tables nat redirect for dns queries


j.arsenault

New Around Here
Hello,

I've been trying to figure out how to force all of my Google devices to use my Pi-hole DNS server, but it appears that if I redirect the IPv4 addresses via NAT, the Nest Mini, Nest Hub, and Chromecasts all start using IPv6 for resolution, and the majority of the time it sends the requests to Google's IPv6 DNS servers.

There was an issue created a few years ago on GitHub to include the nat table and associated modules for IPv6 to support this kind of redirection, and I'm close to enabling the required settings in a development build, but would it be easy enough to modify the project to include these by default? I'm on an AC86U and am using 384.18 as a base.
 
Bash:
ip6tables -I OUTPUT -d 2001:4860:4860::8888/64 -j REJECT
ip6tables -I FORWARD -d 2001:4860:4860::8888/64 -j REJECT
ip6tables -I OUTPUT -d 2001:4860:4860::8844/64 -j REJECT
ip6tables -I FORWARD -d 2001:4860:4860::8844/64 -j REJECT

I added the above to my firewall-start script in /jffs/scripts to block hardcoded IPv6 DNS queries. Not sure if this is the best way, but it works for me.
 
This works for me for sending to my Pi-hole.
dnsmasq.postconf:

Bash:
#!/bin/sh
# Point DHCPv6 clients at the Pi-hole: rewrite the DNS recursive name server option (option6:23)
sed -i "s/dhcp-option=lan,option6:23,.*/dhcp-option=lan,option6:23,[fe80::da16:4c05:d30d:efd6]/" "$1"
# Hand out the Pi-hole's IPv4 address as the DHCPv4 DNS server (option 6)
echo "dhcp-option=lan,6,10.10.100.2" >> "$1"
 
I was able to successfully build the mainline branch at 384.18 with all of the IPv6 NAT stuff compiled into the kernel, but the commands I'm using now require Entware's ip6tables version instead of what is packaged with the image. The version needed is, I believe, at least 1.4.18, and Entware is at 1.4.21. It seems to work fine, but I can't seem to get the nat-start or post-mount scripts to run after Entware has been mounted to change the links to the Entware version.

If I change the iptables source in src/router to be 1.4.18 or 1.4.21 instead of 1.4.15, will that cause any issues? How would I go about doing this if it is safe to do so?
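As an added example that is not from any post in this thread: a nat-start style helper that does the IPv6 DNS redirection the thread is after, using the IPv6 nat table. It assumes a kernel and ip6tables build with IPv6 nat support (the prerequisite discussed above), that the LAN bridge is br0, and that the Pi-hole's IPv6 address is the constructed placeholder fd00:dead:beef::53; the rules are generated by a function so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Redirect LAN IPv6 DNS (port 53) to a Pi-hole
# with ip6tables DNAT. Requires ip6table_nat in the kernel and an ip6tables with -t nat.
PIHOLE6="${PIHOLE6:-fd00:dead:beef::53}"   # constructed placeholder: the Pi-hole's IPv6 address
LAN_IF="${LAN_IF:-br0}"                     # assumption: LAN bridge interface
IP6T="${IP6T:-ip6tables}"

# Match-and-target part of one PREROUTING rule for udp or tcp ($1).
# Queries already addressed to the Pi-hole are excluded so it can reach its own upstreams.
dns_redirect_rule() {
    echo "-i $LAN_IF -p $1 --dport 53 ! -d $PIHOLE6 -j DNAT --to-destination [$PIHOLE6]:53"
}

# When the Pi-hole sits on the same LAN as the clients, its replies would go straight back
# with the Pi-hole's address as source and be discarded by the client, so masquerade the
# redirected packets to keep the return path through the router. This hides the client
# address in Pi-hole logs; drop this rule if the Pi-hole lives on a separate subnet.
dns_masq_rule() {
    echo "-o $LAN_IF -p $1 --dport 53 -d $PIHOLE6 -j MASQUERADE"
}

# Insert a rule only if an identical one is not already present (-C), so the script is
# safe to re-run from nat-start after each firewall restart.
add_once() {
    chain=$1; rule=$2
    # shellcheck disable=SC2086
    $IP6T -t nat -C "$chain" $rule 2>/dev/null || $IP6T -t nat -A "$chain" $rule
}

apply_dns_redirect() {
    # Fail loudly when the IPv6 nat table is missing instead of silently doing nothing.
    $IP6T -t nat -L PREROUTING -n >/dev/null 2>&1 || {
        echo "ip6tables nat table unavailable; kernel/ip6tables lack IPv6 NAT support" >&2
        return 1
    }
    for proto in udp tcp; do
        add_once PREROUTING  "$(dns_redirect_rule "$proto")"
        add_once POSTROUTING "$(dns_masq_rule "$proto")"
    done
}

# Default action just prints the rules for review; pass "apply" to install them.
case "${1:-show}" in
    apply) apply_dns_redirect ;;
    *) for proto in udp tcp; do
           echo "ip6tables -t nat -A PREROUTING $(dns_redirect_rule "$proto")"
           echo "ip6tables -t nat -A POSTROUTING $(dns_masq_rule "$proto")"
       done ;;
esac
```

The blocking rules posted earlier in the thread remain a useful backstop for devices that ignore DHCPv6 options, since DNAT only helps for traffic that actually transits the router.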
 
