What's new

Merlin wrt Asus AX88U two pinholes unbound ipv6

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

donnikhan

Occasional Visitor
In this thread I am attempting to list my various settings with the hopes of either confirming this is the right set up, or discovering where I might have messed something up. The goal here is to have a primary and backup Pihole, running unbound that will filter all dns traffic via IPv4 and IPv6.

Router LAN- DHCP Server Page:
Screen Shot 2022-06-04 at 12.05.16 PM.png


DNSFilter page:
This is routing all DNS traffic through (I hope) the piholes, except for the piholes themselves
Screen Shot 2022-06-04 at 12.07.55 PM.png

WAN - Internet Connection page
I am shamelessly copying user SomeWhereOverTheRainBow's setup because I believe this gives me DoT as a bonus?
Screen Shot 2022-06-04 at 12.09.59 PM.png


IPv6 Page:
Screen Shot 2022-06-04 at 12.15.21 PM.png


Setting up the JFFS script since the router ignores what you do in the UI:
  1. SSH into router
  2. nano /jffs/scripts/dnsmasq.postconf
  3. Paste
    1. Code:
      #!/bin/sh
      CONFIG=$1
      source /usr/sbin/helper.sh
      
      pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[PIHOLE1IPv6,PIHOLE2IPV6]" $CONFIG
      sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
      pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
  4. chmod 755 /jffs/scripts/dnsmasq.postconf
  5. Reboot router

Ok on to the pihole settings:
Unbound config on both piholes:
Code:
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes
    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance en>
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Pihole DNS settings:
Screen Shot 2022-06-04 at 12.29.15 PM.png
 
last missing screenshot from pihole settings
 

Attachments

  • Screen Shot 2022-06-04 at 12.29.27 PM.png
    Screen Shot 2022-06-04 at 12.29.27 PM.png
    435 KB · Views: 102
I don't understand the point of using DoT on the WAN in this particular configuration.

Normally DoT causes the router to run Stubby as a local process, where DNSMasq is then reconfigured to *only* use it for upstream DNS resolution. As a result, I would think 192.168.50.2 and 192.168.50.3 as defined in the DHCP server would be ignored, esp. since your DNS filter is redirecting everything but the piholes to DNSMasq (Router).

This just doesn't seem right. If you wanted to use Stubby too, it would make a lot more sense if your pihole was configured to use DoT, NOT the router.

Or to put it another way, it's unclear in the current configuration exactly WHAT is the primary controlling mechanism when it comes to DNS. Unbound? DNSMasq? Stubby? The DNS filter(s)? It's confusing, and perhaps unnecessarily so.
 
As a result, I would think 192.168.50.2 and 192.168.50.3 as defined in the DHCP server would be ignored, esp. since your DNS filter is redirecting everything but the piholes to DNSMasq (Router).
When LAN DHCP DNS 1 is populated, it becomes the target of DNSFilter Router mode.

But I agree, it is a confusing setup.
 
Here is mine with my two piholes
1654380960643.png

DNSFilter points at the router himself
1654381017768.png

^^^Piholes are manually assigned addresses below in manual assignment && LAN DNS 1 and 2 are blank:oops::oops::oops::oops::eek::eek::eek::eek::eek::eek::eek::eek:^^^

1654381074104.png

^^^wan DNS 1 and wan DNS2 point to both piholes^^^

1654381282939.png

^^for ipv6^^^
define all local networks using dnsmasq.conf.add ( or dnsmasq.postconf)

Code:
local=/168.192.in-addr.arpa/
local=/your reverse arpa for ipv6.ip6.arpa/
local=/10.in-addr.arpa/
add-mac
add-subnet=32,128

On each of your piholes you have to define a static ipv6 by utilizing /etc/dhcpcd.conf it will usually use the same prefix as the parent ipv6 network.
(you can also make your ipv4 addresses static here as well)

Each of your pihole will have to use your unbound addresses as their custom upstream address. your piholes should be set to point back to the routers domain and network for reverse lookups.
 
for "your reverse arpa for ipv6" is that the ipv6 arpa for one of the piholes or for the router?
Router. So you take your ipv6 prefix and convert it to Arpa format, I would remove the 1 at the end though so the arpa knows to cover the whole network and not just the router himself.
 
for "your reverse arpa for ipv6" is that the ipv6 arpa for one of the piholes or for the router?
Placing the local addresses inside the routers dnsmasq is critical so the router knows not to try to forward the request to one of the other piholes (creating a bad dns loop).

You might want to consider adding

local=//

To your router's dnsmasq to cover unqualified names as well.
 
Placing the local addresses inside the routers dnsmasq is critical so the router knows not to try to forward the request to one of the other piholes (creating a bad dns loop).

You might want to consider adding

local=//

To your router's dnsmasq to cover unqualified names as well.
ah interesting, so at the end my dnsmasq.postconf should look like the following?

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[2603:>
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
<dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128
 
ah interesting, so at the end my dnsmasq.postconf should look like the following?

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[2603:>
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
<dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128
You need to use
Code:
pc_append "local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128" $CONFIG
 
Last edited:
ah interesting, so at the end my dnsmasq.postconf should look like the following?

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[2603:>
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
<dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128
Remove the pc_replace line, and you may want to remove the third line as well because it looks like you are missing stuff.

I will send you a more up-to-date version once I have access to my home terminal. Currently at work.
 
Last edited:
ah interesting, so at the end my dnsmasq.postconf should look like the following?

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[2603:>
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
<dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
local=/168.192.in-addr.arpa/
local=/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.x.x.x.0.x.x.0.0.0.x.x.0.x.x.ip6.arpa/
local=/10.in-addr.arpa/
local=//
add-mac
add-subnet=32,128
as promised. here is a revised version..

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,ra-names,slaac,64,infinite" $CONFIG
pc_append "add-mac
add-subnet=32,128
all-servers
local=/$(nvram get lan_ipaddr | awk 'BEGIN{FS="."}{print $2"."$1".in-addr.arpa"}')/
local=/$(nvram get ipv6_prefix | awk -F: '{for(i=1;i<=NF;i++)x=x""sprintf (":%4s", $i);gsub(/ /,"0",x);print x}' | cut -c 2- | cut -c 1-20 | sed 's/://g;s/^.*$/\n&\n/;tx;:x;s/\(\n.\)\(.*\)\(.\n\)/\3\2\1/;tx;s/\n//g;s/\(.\)/\1./g;s/$/ip6.arpa/')/
local=/10.in-addr.arpa/
local=//" $CONFIG
 
as promised. here is a revised version..

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,ra-names,slaac,64,infinite" $CONFIG
pc_append "add-mac
add-subnet=32,128
all-servers
local=/$(nvram get lan_ipaddr | awk 'BEGIN{FS="."}{print $2"."$1".in-addr.arpa"}')/
local=/$(nvram get ipv6_prefix | awk -F: '{for(i=1;i<=NF;i++)x=x""sprintf (":%4s", $i);gsub(/ /,"0",x);print x}' | cut -c 2- | cut -c 1-20 | sed 's/://g;s/^.*$/\n&\n/;tx;:x;s/\(\n.\)\(.*\)\(.\n\)/\3\2\1/;tx;s/\n//g;s/\(.\)/\1./g;s/$/ip6.arpa/')/
local=/10.in-addr.arpa/
local=//" $CONFIG
Wow I've been living with bad DNS for like two years until I set this up.
as promised. here is a revised version..

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,ra-names,slaac,64,infinite" $CONFIG
pc_append "add-mac
add-subnet=32,128
all-servers
local=/$(nvram get lan_ipaddr | awk 'BEGIN{FS="."}{print $2"."$1".in-addr.arpa"}')/
local=/$(nvram get ipv6_prefix | awk -F: '{for(i=1;i<=NF;i++)x=x""sprintf (":%4s", $i);gsub(/ /,"0",x);print x}' | cut -c 2- | cut -c 1-20 | sed 's/://g;s/^.*$/\n&\n/;tx;:x;s/\(\n.\)\(.*\)\(.\n\)/\3\2\1/;tx;s/\n//g;s/\(.\)/\1./g;s/$/ip6.arpa/')/
local=/10.in-addr.arpa/
local=//" $CONFIG
I am noticing that local clients are listing the router ipv6 IP but the pihole's ipv4 IPs are listed. Also if i turn of "Enable Router Advertisement" I am resolving sites much faster since it looks like no ipv6 servers are listed in the client dns settings when I change it.
Screen Shot 2022-06-06 at 4.13.19 PM.png
Is it possible that the revised script is missing something?
 
I always thought that one of the fe80:: local IPv6 addresses on the Raspberry Pi was procedurally generated based on the MAC address.
 
Wow I've been living with bad DNS for like two years until I set this up.

I am noticing that local clients are listing the router ipv6 IP but the pihole's ipv4 IPs are listed. Also if i turn of "Enable Router Advertisement" I am resolving sites much faster since it looks like no ipv6 servers are listed in the client dns settings when I change it.
View attachment 41626Is it possible that the revised script is missing something?
I recommend on your piholes utilizing dnsmasq.d to add a conditional forwarding for your IPV6. For example, on my pihole I made a file called
/etc/dnsmasq.d/08-addnforwarding.conf
all I did was add a reverse server line here.

Code:
rev-server=ipv6:network:prefix::/64,lan:ipv6address:prefix::1

so if the network is 2666:999:990:282b::/64 , then the lan address is 2666:999:990:282b::1/64.

This makes all ipv6 address's that are resolvable by pihole to be resolvable.

Additionally, my /etc/pihole/pihole-FTL.conf

looks like this on both my piholes

Code:
BLOCKINGMODE=NULL
CNAME_DEEP_INSPECT=true
EDNS0_ECS=true
BLOCK_ESNI=true
IGNORE_LOCALHOST=yes
NAMES_FROM_NETDB=true
MAXLOGAGE=24.0
DBIMPORT=yes
MAXNETAGE=365
MAXDBDAYS=365
DBINTERVAL=1.0
REFRESH_HOSTNAMES=ALL
RESOLVE_IPV6=yes
RESOLVE_IPV4=yes
RATE_LIMIT=50000/60
MOZILLA_CANARY=true
PARSE_ARP_CACHE=true
BLOCK_ICLOUD_PR=true
PIHOLE_PTR=HOSTNAMEFQDN
SHOW_DNSSEC=true
PRIVACYLEVEL=0

Some of the options above include additional identification features that allow client ipv6 addresses to be identified. Some of the options you may want to research on Pihole wiki to determine if it is a type of behavior you would want.
 
I always thought that one of the fe80:: local IPv6 addresses on the Raspberry Pi was procedurally generated based on the MAC address.
Not when you are talking about devices within a private network via the router forwarding request to pihole, the router is acting as dhcp while pihole serves as a seperate DNS server relying on conditional forwarding to identify the requestor. the type of behavior you describe would be true if pihole was the acting DHCP server for the network.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top