IPv6 ip6tables nat redirect for dns queries


j.arsenault

New Around Here
Hello,

I've been trying to figure out how to force all of my Google devices to use my Pi-hole DNS server, but it appears that if I redirect the IPv4 addresses via NAT, the Nest Mini, Nest Hub, and Chromecasts all start using IPv6 for resolution, and the majority of the time they send the requests to Google's IPv6 DNS servers.

There was an issue created a few years ago on GitHub to include the NAT table and associated modules for IPv6 to support this kind of redirection, and I'm close to enabling the required settings in a development build, but would it be easy enough to modify the project to include these by default? I'm on an AC86U and am using 384.18 as a base.
 

faux123

Regular Contributor
Bash:
# Reject traffic to the well-known Google IPv6 resolvers from the router itself
# (OUTPUT) and from LAN clients (FORWARD). Note the /64 mask: each rule matches
# the whole 2001:4860:4860::/64 prefix, so the ::8844 pair repeats the ::8888
# pair; use /128 if only the two host addresses should be blocked.
ip6tables -I OUTPUT -d 2001:4860:4860::8888/64 -j REJECT
ip6tables -I FORWARD -d 2001:4860:4860::8888/64 -j REJECT
ip6tables -I OUTPUT -d 2001:4860:4860::8844/64 -j REJECT
ip6tables -I FORWARD -d 2001:4860:4860::8844/64 -j REJECT
I added the above to my firewall-start script in /jffs/scripts to block hardcoded IPv6 DNS queries. Not sure if this is the best way, but it works for me.
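The following is an added example, not faux123's script and not Asuswrt-Merlin code: a firewall-start that uses the IPv6 nat table when the firmware can load it (the OP's custom build) and otherwise falls back to the REJECT approach above. It assumes the Pi-hole's IPv6 address is fd00:1234::2 (a ULA), the LAN bridge is br0, and the ip6t_MASQUERADE target was built alongside the nat table; all three are assumptions, not values from the thread.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example; not from the thread or Merlin).
# If ip6tables can open the nat table, DNAT all LAN IPv6 DNS to the Pi-hole;
# otherwise reject the well-known Google IPv6 resolvers instead.
# Assumptions: Pi-hole at fd00:1234::2 (ULA), LAN bridge br0, ip6t_MASQUERADE present.
PIHOLE6="${PIHOLE6:-fd00:1234::2}"
LAN_IF="${LAN_IF:-br0}"

# 0 if this kernel/ip6tables pair can load the IPv6 nat table, 1 otherwise.
ip6_nat_available() {
    command -v ip6tables >/dev/null 2>&1 && ip6tables -t nat -L -n >/dev/null 2>&1
}

# Print the rules for MODE (nat|reject) without running them, one per line.
# nat: rewrite every port-53 query from the LAN to the Pi-hole, except the Pi-hole's
#   own upstream queries (they would otherwise loop back to it), and MASQUERADE the
#   rewritten flow. Without the MASQUERADE a Pi-hole on the same LAN answers the
#   client directly from its own address; the client expected a reply from
#   2001:4860:4860::8888 and discards it.
# reject: no nat table, so refuse the hardcoded resolvers; clients then retry with
#   whatever DHCPv6/RA handed them.
ip6_dns_rules() {
    mode=$1
    case $mode in
    nat)
        for proto in udp tcp; do
            echo "ip6tables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 ! -s $PIHOLE6 -j DNAT --to-destination [$PIHOLE6]:53"
            echo "ip6tables -t nat -A POSTROUTING -o $LAN_IF -p $proto -d $PIHOLE6 --dport 53 -j MASQUERADE"
        done
        ;;
    reject)
        for dst in 2001:4860:4860::8888 2001:4860:4860::8844; do
            echo "ip6tables -I OUTPUT -d $dst/128 -j REJECT"
            echo "ip6tables -I FORWARD -d $dst/128 -j REJECT"
        done
        ;;
    *)
        echo "ip6_dns_rules: unknown mode '$mode'" >&2
        return 1
        ;;
    esac
}

# Pick the mode and install each rule once. firewall-start can run several times
# per boot, so every rule is first probed with -C (check) and only added if absent.
apply_rules() {
    set -f   # the [addr]:53 form of --to-destination must not be glob-expanded
    if ip6_nat_available; then mode=nat; else mode=reject; fi
    ip6_dns_rules "$mode" | while IFS= read -r rule; do
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /; s/ -I / -C /')
        $check >/dev/null 2>&1 || $rule   # unquoted on purpose: split into argv
    done
}

# Only touch the firewall when run with APPLY_DNS6=1, so the file can also be
# sourced just to reuse the functions above.
if [ "${APPLY_DNS6:-0}" = "1" ]; then
    apply_rules
fi
```

The MASQUERADE has a cost worth knowing before copying this: every redirected query reaches the Pi-hole with the router's address as its source, so per-client statistics on the Pi-hole are lost for redirected traffic. If the Pi-hole sits behind the router on a different subnet the reply already passes back through the router and the POSTROUTING rules can be dropped. The DHCPv6/RA side (handing out the Pi-hole address in the first place) is a separate job from the firewall rules here.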
 

GHammer

Senior Member
This works for me sending to my Pi-hole
dnsmasq.postconf

Bash:
#!/bin/sh
# dnsmasq.postconf: $1 is the generated dnsmasq.conf. Replace the DHCPv6 DNS
# option (option6:23) with the Pi-hole's link-local address, then append the
# DHCPv4 DNS option (6) pointing at the Pi-hole's IPv4 address.
sed -i "s/dhcp-option=lan,option6:23,.*/dhcp-option=lan,option6:23,[fe80::da16:4c05:d30d:efd6]/" "$1"
echo "dhcp-option=lan,6,10.10.100.2" >> "$1"
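Added example, not GHammer's script and not Merlin code: a dnsmasq.postconf that sets both DHCP option 6 and DHCPv6 option 23 to a Pi-hole and stays correct when re-run. It also covers the case the one-line sed above cannot: if the generated dnsmasq.conf carries no option6:23 line (DHCPv6 DNS not configured in the GUI), sed matches nothing and clients silently keep the router as resolver, so the line is appended instead. The addresses 10.10.100.2 and fd00:1234::2 and the sample config contents are constructed assumptions.

```shell
#!/bin/sh
# /jffs/scripts/dnsmasq.postconf (added example; not GHammer's script or Merlin code).
# Assumptions: Pi-hole at 10.10.100.2 / fd00:1234::2. A ULA or global address is
# used rather than fe80:: because not every client accepts a link-local resolver.
PIHOLE4="${PIHOLE4:-10.10.100.2}"
PIHOLE6="${PIHOLE6:-fd00:1234::2}"

# set_dns_options CONF: rewrite CONF in place so that exactly one DHCPv4 option 6
# and one DHCPv6 option 23 line point at the Pi-hole; prints the resulting lines.
# Existing lines are replaced, missing lines are appended, so running this on
# every dnsmasq restart never duplicates or misses an option.
set_dns_options() {
    conf=$1
    if grep -q '^dhcp-option=lan,option6:23,' "$conf"; then
        sed -i "s|^dhcp-option=lan,option6:23,.*|dhcp-option=lan,option6:23,[$PIHOLE6]|" "$conf"
    else
        echo "dhcp-option=lan,option6:23,[$PIHOLE6]" >> "$conf"
    fi
    if grep -q '^dhcp-option=lan,6,' "$conf"; then
        sed -i "s|^dhcp-option=lan,6,.*|dhcp-option=lan,6,$PIHOLE4|" "$conf"
    else
        echo "dhcp-option=lan,6,$PIHOLE4" >> "$conf"
    fi
    grep -E '^dhcp-option=lan,(6|option6:23),' "$conf"
}

# Merlin calls postconf scripts with the generated config path as $1; when the
# file is sourced or run without one, do nothing.
if [ -n "$1" ] && [ -f "$1" ]; then
    set_dns_options "$1" >/dev/null
fi
```

On Asuswrt-Merlin the same replace-or-append logic can be written with pc_replace and pc_append from /usr/sbin/helper.sh; plain grep and sed are used here so the script also runs outside the router. Whichever form is used, check the result with `grep dhcp-option /etc/dnsmasq.conf` after a `service restart_dnsmasq`, since the postconf edits only the generated copy.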
 

j.arsenault

New Around Here
I was able to successfully build the mainline branch at 384.18 with all of the IPv6 NAT stuff compiled into the kernel, but the commands I'm using now require Entware's ip6tables version instead of what is packaged with the image. The version needed is, I believe, at least 1.4.18, but Entware is at 1.4.21. It seems to work fine, but I can't seem to get the nat-start or post-mount scripts to run after Entware has been mounted to change the links to the Entware version.

If I change the iptables source in src/router to be 1.4.18 or 1.4.21 instead of 1.4.15, will that cause any issues? How would I go about doing this if it is safe to do so?
 
