Merlin wrt Asus AX88U two pinholes unbound ipv6

donnikhan

Occasional Visitor
In this thread I am attempting to list my various settings with the hopes of either confirming this is the right set up, or discovering where I might have messed something up. The goal here is to have a primary and backup Pihole, running unbound that will filter all dns traffic via IPv4 and IPv6.

Router LAN- DHCP Server Page:
Screen Shot 2022-06-04 at 12.05.16 PM.png


DNSFilter page:
This is routing all DNS traffic through (I hope) the piholes, except for the piholes themselves
Screen Shot 2022-06-04 at 12.07.55 PM.png

WAN - Internet Connection page
I am shamelessly copying user SomeWhereOverTheRainBow's setup because I believe this gives me DoT as a bonus?
Screen Shot 2022-06-04 at 12.09.59 PM.png


IPv6 Page:
Screen Shot 2022-06-04 at 12.15.21 PM.png


Setting up the JFFS script since the router ignores what you do in the UI:
  1. SSH into router
  2. nano /jffs/scripts/dnsmasq.postconf
  3. Paste:
     Code:
     #!/bin/sh
     CONFIG=$1
     source /usr/sbin/helper.sh

     # dnsmasq expects each IPv6 address in option6:23 inside its own square brackets;
     # replace the two placeholders with the Pi-holes' IPv6 addresses
     pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[PIHOLE1IPv6],[PIHOLE2IPV6]" $CONFIG
     sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
     pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
  4. chmod 755 /jffs/scripts/dnsmasq.postconf
  5. Reboot router

Ok on to the pihole settings:
Unbound config on both piholes:
Code:
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes
    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance en>
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Pihole DNS settings:
Screen Shot 2022-06-04 at 12.29.15 PM.png
 

donnikhan

Occasional Visitor
last missing screenshot from pihole settings
 

Attachments

  • Screen Shot 2022-06-04 at 12.29.27 PM.png

dave14305

Part of the Furniture
Wouldn’t you want each pi-hole to point upstream to its Unbound instance 127.0.0.1#5335?

I don’t really see where the router’s dnsmasq nor DoH matters in the setup you described. It would rarely be used.
 

eibgrad

Part of the Furniture
I don't understand the point of using DoT on the WAN in this particular configuration.

Normally DoT causes the router to run Stubby as a local process, where DNSMasq is then reconfigured to *only* use it for upstream DNS resolution. As a result, I would think 192.168.50.2 and 192.168.50.3 as defined in the DHCP server would be ignored, esp. since your DNS filter is redirecting everything but the piholes to DNSMasq (Router).

This just doesn't seem right. If you wanted to use Stubby too, it would make a lot more sense if your pihole was configured to use DoT, NOT the router.

Or to put it another way, it's unclear in the current configuration exactly WHAT is the primary controlling mechanism when it comes to DNS. Unbound? DNSMasq? Stubby? The DNS filter(s)? It's confusing, and perhaps unnecessarily so.
 

dave14305

Part of the Furniture
As a result, I would think 192.168.50.2 and 192.168.50.3 as defined in the DHCP server would be ignored, esp. since your DNS filter is redirecting everything but the piholes to DNSMasq (Router).
When LAN DHCP DNS 1 is populated, it becomes the target of DNSFilter Router mode.

But I agree, it is a confusing setup.
 

SomeWhereOverTheRainBow

Part of the Furniture
Here is mine with my two piholes
1654380960643.png

DNSFilter points at the router himself
1654381017768.png

^^^Piholes are manually assigned addresses below in manual assignment && LAN DNS 1 and 2 are blank^^^

1654381074104.png

^^^wan DNS 1 and wan DNS2 point to both piholes^^^

1654381282939.png

^^for ipv6^^^
define all local networks using dnsmasq.conf.add ( or dnsmasq.postconf)

Code:
local=/168.192.in-addr.arpa/
local=/your reverse arpa for ipv6.ip6.arpa/
local=/10.in-addr.arpa/
add-mac
add-subnet=32,128

On each of your piholes you have to define a static IPv6 address by utilizing /etc/dhcpcd.conf; it will usually use the same prefix as the parent IPv6 network.
(you can also make your IPv4 addresses static here as well)

Each of your piholes will have to use your unbound addresses as their custom upstream address. Your piholes should be set to point back to the router's domain and network for reverse lookups.
 

SomeWhereOverTheRainBow

Part of the Furniture
for "your reverse arpa for ipv6" is that the ipv6 arpa for one of the piholes or for the router?
Placing the local addresses inside the routers dnsmasq is critical so the router knows not to try to forward the request to one of the other piholes (creating a bad dns loop).

You might want to consider adding

local=//

To your router's dnsmasq to cover unqualified names as well.
 

donnikhan

Occasional Visitor
Placing the local addresses inside the routers dnsmasq is critical so the router knows not to try to forward the request to one of the other piholes (creating a bad dns loop).

You might want to consider adding

local=//

To your router's dnsmasq to cover unqualified names as well.
ah interesting, so at the end my dnsmasq.postconf should look like the following?

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[2603:>
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
<dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128
 

SomeWhereOverTheRainBow

Part of the Furniture
ah interesting, so at the end my dnsmasq.postconf should look like the following?

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[2603:>
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
<dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128
You need to use
Code:
pc_append "local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128" $CONFIG
 
Last edited:

SomeWhereOverTheRainBow

Part of the Furniture
ah interesting, so at the end my dnsmasq.postconf should look like the following?

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[2603:>
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
<dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128
Remove the pc_replace line, and you may want to remove the third line as well because it looks like you are missing stuff.

I will send you a more up-to-date version once I have access to my home terminal. Currently at work.
 
Last edited:

SomeWhereOverTheRainBow

Part of the Furniture
ah interesting, so at the end my dnsmasq.postconf should look like the following?

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[2603:>
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
<dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128
as promised. here is a revised version..

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,ra-names,slaac,64,infinite" $CONFIG
pc_append "add-mac
add-subnet=32,128
all-servers
local=/$(nvram get lan_ipaddr | awk 'BEGIN{FS="."}{print $2"."$1".in-addr.arpa"}')/
local=/$(nvram get ipv6_prefix | awk -F: '{for(i=1;i<=NF;i++)x=x""sprintf (":%4s", $i);gsub(/ /,"0",x);print x}' | cut -c 2- | cut -c 1-20 | sed 's/://g;s/^.*$/\n&\n/;tx;:x;s/\(\n.\)\(.*\)\(.\n\)/\3\2\1/;tx;s/\n//g;s/\(.\)/\1./g;s/$/ip6.arpa/')/
local=/10.in-addr.arpa/
local=//" $CONFIG
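
The awk/sed pipeline in the revised postconf derives the reverse zones from `nvram get lan_ipaddr` and `nvram get ipv6_prefix`. The functions below do the same derivation in readable steps: expand the IPv6 prefix, zero-pad it to nibbles, reverse the nibbles covered by the prefix length, and emit the `local=/.../` lines that stop the router's dnsmasq from forwarding reverse lookups to the Pi-holes (which would forward them straight back). This is an added example, not SomeWhereOverTheRainBow's script: the prefixes in it are constructed, it only prints the zone names, and it does not read nvram or touch the router.

```shell
#!/bin/sh
# Added example: derive dnsmasq local=/.../ reverse zones from LAN prefixes.
# Prefix length must be a multiple of 4 (IPv6) or 8 (IPv4), which is what the
# thread's /64 and /16 networks are.

# 2001:db8:abcd:1234::/64 -> 4.3.2.1.d.c.b.a.8.b.d.0.1.0.0.2.ip6.arpa
ip6_rev_zone() {
    prefix=${1%%/*}
    plen=${1##*/}
    [ "$plen" = "$1" ] && plen=64          # no /len given: assume a /64 LAN
    printf '%s' "$prefix" | awk -F: -v plen="$plen" '{
        # "::" stands for however many zero groups are needed to reach 8
        g = 0
        for (i = 1; i <= NF; i++) if ($i != "") g++
        hex = ""; filled = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") {
                if (!filled) { for (k = 0; k < 8 - g; k++) hex = hex "0000"; filled = 1 }
            } else {
                # zero-pad each group to 4 hex digits, lower-case
                hex = hex substr("0000" tolower($i), length($i) + 1)
            }
        }
        # reverse the nibbles covered by the prefix length, dot-separated
        n = int(plen / 4); out = ""
        for (i = n; i >= 1; i--) out = out substr(hex, i, 1) "."
        print out "ip6.arpa"
    }'
}

# 192.168.50.1/16 -> 168.192.in-addr.arpa
ip4_rev_zone() {
    addr=${1%%/*}
    plen=${1##*/}
    [ "$plen" = "$1" ] && plen=24          # no /len given: assume a /24 LAN
    printf '%s' "$addr" | awk -F. -v plen="$plen" '{
        n = int(plen / 8); out = ""
        for (i = n; i >= 1; i--) out = out $i "."
        print out "in-addr.arpa"
    }'
}

# The lines a pc_append would add so the router answers these zones itself.
dnsmasq_local_lines() {
    printf 'local=/%s/\n' "$(ip4_rev_zone "$1")" "$(ip6_rev_zone "$2")" "10.in-addr.arpa"
    printf 'local=//\n'
}

# Dry run with constructed (documentation) prefixes, not real ones:
dnsmasq_local_lines 192.168.50.1/16 2001:db8:abcd:1234::/64
```

Feed it the same values the pipeline reads (`$(nvram get lan_ipaddr)/16` and `$(nvram get ipv6_prefix)/64`) and compare its output with the `local=` lines in the generated config to confirm the pipeline produced the zone you expected; a typo in the ip6.arpa name silently turns the loop guard off for IPv6 reverse lookups.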
 

donnikhan

Occasional Visitor
as promised. here is a revised version..

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,ra-names,slaac,64,infinite" $CONFIG
pc_append "add-mac
add-subnet=32,128
all-servers
local=/$(nvram get lan_ipaddr | awk 'BEGIN{FS="."}{print $2"."$1".in-addr.arpa"}')/
local=/$(nvram get ipv6_prefix | awk -F: '{for(i=1;i<=NF;i++)x=x""sprintf (":%4s", $i);gsub(/ /,"0",x);print x}' | cut -c 2- | cut -c 1-20 | sed 's/://g;s/^.*$/\n&\n/;tx;:x;s/\(\n.\)\(.*\)\(.\n\)/\3\2\1/;tx;s/\n//g;s/\(.\)/\1./g;s/$/ip6.arpa/')/
local=/10.in-addr.arpa/
local=//" $CONFIG
Wow I've been living with bad DNS for like two years until I set this up.
as promised. here is a revised version..

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,ra-names,slaac,64,infinite" $CONFIG
pc_append "add-mac
add-subnet=32,128
all-servers
local=/$(nvram get lan_ipaddr | awk 'BEGIN{FS="."}{print $2"."$1".in-addr.arpa"}')/
local=/$(nvram get ipv6_prefix | awk -F: '{for(i=1;i<=NF;i++)x=x""sprintf (":%4s", $i);gsub(/ /,"0",x);print x}' | cut -c 2- | cut -c 1-20 | sed 's/://g;s/^.*$/\n&\n/;tx;:x;s/\(\n.\)\(.*\)\(.\n\)/\3\2\1/;tx;s/\n//g;s/\(.\)/\1./g;s/$/ip6.arpa/')/
local=/10.in-addr.arpa/
local=//" $CONFIG
I am noticing that local clients are listing the router IPv6 IP but the pihole's IPv4 IPs are listed. Also if I turn off "Enable Router Advertisement" I am resolving sites much faster since it looks like no IPv6 servers are listed in the client DNS settings when I change it.
Screen Shot 2022-06-06 at 4.13.19 PM.png
Is it possible that the revised script is missing something?
 

Crimliar

Regular Contributor
I always thought that one of the fe80:: local IPv6 addresses on the Raspberry Pi was procedurally generated based on the MAC address.
 

SomeWhereOverTheRainBow

Part of the Furniture
Wow I've been living with bad DNS for like two years until I set this up.

I am noticing that local clients are listing the router IPv6 IP but the pihole's IPv4 IPs are listed. Also if I turn off "Enable Router Advertisement" I am resolving sites much faster since it looks like no IPv6 servers are listed in the client DNS settings when I change it.
View attachment 41626
Is it possible that the revised script is missing something?
I recommend on your piholes utilizing dnsmasq.d to add a conditional forwarding for your IPV6. For example, on my pihole I made a file called
/etc/dnsmasq.d/08-addnforwarding.conf
all I did was add a reverse server line here.

Code:
rev-server=ipv6:network:prefix::/64,lan:ipv6address:prefix::1

so if the network is 2666:999:990:282b::/64, then the lan address is 2666:999:990:282b::1/64.

This makes all IPv6 addresses that are resolvable by pihole resolvable.

Additionally, my /etc/pihole/pihole-FTL.conf

looks like this on both my piholes

Code:
BLOCKINGMODE=NULL
CNAME_DEEP_INSPECT=true
EDNS0_ECS=true
BLOCK_ESNI=true
IGNORE_LOCALHOST=yes
NAMES_FROM_NETDB=true
MAXLOGAGE=24.0
DBIMPORT=yes
MAXNETAGE=365
MAXDBDAYS=365
DBINTERVAL=1.0
REFRESH_HOSTNAMES=ALL
RESOLVE_IPV6=yes
RESOLVE_IPV4=yes
RATE_LIMIT=50000/60
MOZILLA_CANARY=true
PARSE_ARP_CACHE=true
BLOCK_ICLOUD_PR=true
PIHOLE_PTR=HOSTNAMEFQDN
SHOW_DNSSEC=true
PRIVACYLEVEL=0

Some of the options above include additional identification features that allow client ipv6 addresses to be identified. Some of the options you may want to research on Pihole wiki to determine if it is a type of behavior you would want.
 

SomeWhereOverTheRainBow

Part of the Furniture
I always thought that one of the fe80:: local IPv6 addresses on the Raspberry Pi was procedurally generated based on the MAC address.
Not when you are talking about devices within a private network via the router forwarding requests to pihole: the router is acting as DHCP while pihole serves as a separate DNS server relying on conditional forwarding to identify the requestor. The type of behavior you describe would be true if pihole was the acting DHCP server for the network.
 

dave14305

Part of the Furniture
Your revised config no longer pushes the Pis via option6:23.
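
A quick way to catch that before rebooting is to audit the dnsmasq config the postconf produced rather than reasoning about the script. The functions below read a config file and report three things the thread ends up depending on: what DHCPv6 option 23 pushes to clients (`[::]` means the router itself, "none" means the revised script dropped the option, as noted above), whether any `local=/...arpa/` reverse zones are answered locally, and whether `local=//` keeps unqualified names off the upstream. This is an added example, not part of the thread or of Asuswrt-Merlin; the two config fragments in it are constructed to mirror the original and revised scripts, and the path `/etc/dnsmasq.conf` as the generated config location is an assumption to check on your firmware.

```shell
#!/bin/sh
# Added example: audit a generated dnsmasq config for the DNS-push and loop-guard
# settings discussed in the thread. On the router, run:
#   audit_dnsmasq_conf /etc/dnsmasq.conf    (path is an assumption)

# Print the servers pushed in DHCPv6 option 23 (dns-server), or "none".
option6_dns_servers() {
    awk -F, '
        /^dhcp-option=/ {
            for (j = 1; j <= NF; j++) if ($j ~ /^option6:(23|dns-server)$/) {
                s = ""
                for (i = j + 1; i <= NF; i++) s = s (s == "" ? "" : ",") $i
                print s; found = 1
            }
        }
        END { if (!found) print "none" }' "$1"
}

# Number of reverse zones dnsmasq answers locally instead of forwarding.
local_reverse_zones() {
    grep -c '^local=/[^/]*\.arpa/' "$1" || true
}

# yes/no: are unqualified names kept local?
has_local_unqualified() {
    grep -q '^local=//$' "$1" && echo yes || echo no
}

# Prints OK/WARN lines; returns the number of warnings.
audit_dnsmasq_conf() {
    f=$1; warn=0
    servers=$(option6_dns_servers "$f")
    case "$servers" in
        none)   echo "WARN: no option6:23 line; IPv6 clients get no DNS server via DHCPv6"; warn=$((warn + 1)) ;;
        '[::]') echo "WARN: option6:23 pushes the router itself, not the Pi-holes"; warn=$((warn + 1)) ;;
        *)      echo "OK: option6:23 pushes $servers" ;;
    esac
    zones=$(local_reverse_zones "$f")
    if [ "$zones" -eq 0 ]; then
        echo "WARN: no local=/...arpa/ zones; reverse lookups are forwarded (loop risk)"; warn=$((warn + 1))
    else
        echo "OK: $zones reverse zone(s) answered locally"
    fi
    if [ "$(has_local_unqualified "$f")" = no ]; then
        echo "WARN: local=// missing; unqualified names may be sent upstream"; warn=$((warn + 1))
    else
        echo "OK: unqualified names stay local"
    fi
    return $warn
}

# Constructed fragments (not real router output) mirroring the two scripts.
ORIGINAL_CONF=$(cat <<'EOF'
dhcp-range=lan,::,constructor:br0,ra-stateless,64,600
dhcp-option=lan,option6:23,[::]
EOF
)
REVISED_CONF=$(cat <<'EOF'
dhcp-range=lan,::2,::500,constructor:br0,ra-names,slaac,64,infinite
add-mac
add-subnet=32,128
all-servers
local=/168.192.in-addr.arpa/
local=/8.b.d.0.1.0.0.2.ip6.arpa/
local=/10.in-addr.arpa/
local=//
EOF
)

# Write a fragment to a temp file and print its path.
sample_file() {
    t=$(mktemp); printf '%s\n' "$1" > "$t"; echo "$t"
}

# Dry run on both fragments:
f=$(sample_file "$ORIGINAL_CONF"); audit_dnsmasq_conf "$f" || echo "$? warning(s)"; rm -f "$f"
f=$(sample_file "$REVISED_CONF");  audit_dnsmasq_conf "$f" || echo "$? warning(s)"; rm -f "$f"
```

The original fragment trips all three checks; the revised one passes the loop-guard checks but reports the missing option6:23 line, which is exactly the gap dave14305 points out.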
 
