Something that is not dnsmasq advertising router's IPv6 ULA as a DNS server

i0ntempest

Occasional Visitor
Hi all,
So I am having a bit of a problem running pihole with Merlin firmware. I have set up ULA (fd00:d:e:f:: ) in my network and set in dnsmasq config file to advertise my pi's static IP as DNS servers. I added the ULA to the bridge interface using an ip command inside the firewall script, a carryover from dd-wrt which worked great.
Problem is no matter what I change, the router's ULA (fd00:d:e:f::1) still got advertised as a DNS server along with the pi (192.168.0.8, fd00:d:e:f::8). So blocking isn't fully working. Is there a way to remove it? Or is there a better way to implement ULA with Merlin firmware?

Thanks in advance.
 

i0ntempest

Occasional Visitor
dnsmasq.conf
Code:
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq

no-negcache
cache-size=1500
min-port=4096
domain=i0ntempest.home
expand-hosts
bogus-priv
domain-needed
local=/i0ntempest.home/
dhcp-range=lan,192.168.0.2,192.168.0.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.0.1
dhcp-option=lan,6,192.168.0.8
dhcp-option=lan,15,i0ntempest.home
dhcp-option=lan,44,192.168.0.1
dhcp-option=lan,252,"\n"
ra-param=br0,10,600
enable-ra
quiet-ra
dhcp-range=lan,::,constructor:br0,ra-stateless,64,600

dhcp-option=lan,option6:24,i0ntempest.home
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
dhcp-option=br2,3,192.168.102.1
trust-anchor=[seems like some hash so removed]
dnssec
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1280

# Custom config in jffs
dhcp-rapid-commit
strict-order
dhcp-range=set:ula6,fd00:d:e:f::1,fd00:d:e:f::ffff,64,1440m
dhcp-host=DC:A6:32:07:61:55,set:DC:A6:32:07:61:55,192.168.0.8,[fd00:d:e:f::8]
dhcp-option=lan,option6:23,[fd00:d:e:f::8]
conf-file=/jffs/configs/rfc6761.conf

# Control DNS-SD PTR query loop while using pihole
address=/_dns-sd._udp.i0ntempest.home/
address=/_dns-sd._udp.0.0.168.192.in-addr.arpa/
 

dave14305

Part of the Furniture
dnsmasq would be the only thing on the router to send RA announcements.

If you set up tcpdump and capture RAs you can see the source IP of the RA that contains the router. Pi-Hole will enable IPv6 RAs if that option is enabled in the Pi-Hole GUI, and it prefers ULAs over GLAs.

Code:
tcpdump -i br0 -n -vv icmp6 and 'ip6[40] = 134'
Look for rdnss option (25) in the output.
 

i0ntempest

Occasional Visitor
Code:
          rdnss option (25), length 24 (3):  lifetime 600s, addr: fd00:d:e:f::8
            0x0000:  0000 0000 0258 fd00 000d 000e 000f 0000
            0x0010:  0000 0000 0008
Looks like it's only advertising fd00:d:e:f::8. Must be something else?
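
Added example, not part of the original posts: a decoder for the RDNSS option body in the hex dump above, which reports any advertised resolver other than the Pi-hole. The `EXPECTED_RESOLVERS` allow-list and the function names are assumptions made for this illustration.

```python
import ipaddress
import struct

# Option body exactly as tcpdump printed it in the post above (the bytes that
# follow the 2-byte type/length header of the RDNSS option).
RDNSS_BODY_HEX = "0000 0000 0258 fd00 000d 000e 000f 0000 0000 0000 0008"

# Assumption for this example: the Pi-hole is the only resolver clients should learn.
EXPECTED_RESOLVERS = {ipaddress.IPv6Address("fd00:d:e:f::8")}


def parse_rdnss_body(hex_dump):
    """Decode an RDNSS (ND option 25) body: 2 reserved bytes, a 32-bit
    lifetime in seconds, then one or more 16-byte IPv6 addresses."""
    body = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(body) < 22 or (len(body) - 6) % 16 != 0:
        raise ValueError("RDNSS body must be 6 bytes plus a multiple of 16")
    _reserved, lifetime = struct.unpack("!HI", body[:6])
    addrs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(6, len(body), 16)]
    return lifetime, addrs


def unexpected_resolvers(hex_dump, expected=EXPECTED_RESOLVERS):
    """Return advertised resolvers that are not in the expected set."""
    lifetime, addrs = parse_rdnss_body(hex_dump)
    if lifetime == 0:
        return []  # lifetime 0 tells clients to stop using these servers
    return [a for a in addrs if a not in expected]


if __name__ == "__main__":
    lifetime, addrs = parse_rdnss_body(RDNSS_BODY_HEX)
    print(f"lifetime={lifetime}s resolvers={[str(a) for a in addrs]}")
    print("unexpected:", [str(a) for a in unexpected_resolvers(RDNSS_BODY_HEX)])
    # Constructed sample: the same option carrying the router's ULA as a second address.
    two = RDNSS_BODY_HEX + " fd00 000d 000e 000f 0000 0000 0000 0001"
    print("unexpected:", [str(a) for a in unexpected_resolvers(two)])
```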
 

dave14305

Part of the Furniture
Run the same tcpdump on the Raspberry Pi, replacing br0 with eth0. See if any other advertisements are seen.
 

i0ntempest

Occasional Visitor
I have had it running on my pi for some minutes grepping rdnss and I can only see fd00:d:e:f::8. One detail I observed on my Mac is that if I monitor DNS settings while plugging in the cable, fd00:d:e:f::1 appears after the other two pi's addresses with a gap of 1 to 2 seconds.
The file is me running the command on my Mac, grepping fd00:d:e:f::1 when plugging in the cable. Most of them are just DNS requests but just in case...
 

Attachments

  • a.txt

dave14305

Part of the Furniture
Maybe look for DHCPv6 packets on the Mac? Running out of ideas.
Code:
tcpdump -i en6 -n -vv udp and port 547
 

i0ntempest

Occasional Visitor
This is what I get:
Code:
15:04:32.049855 IP6 (flowlabel 0x10c00, hlim 1, next-header UDP (17) payload length: 90) fe80::1cd4:a4cb:91c3:aea.546 > ff02::1:2.547: [bad udp cksum 0x5c3f -> 0xa72d!] dhcp6 confirm (xid=d1fa62 (client-ID hwaddr/time type 1 time 686812581 f01898ee25f8) (option-request DNS-server DNS-search-list opt_103) (elapsed-time 0) (IA_NA IAID:0 T1:0 T2:0 (IA_ADDR fd00:d:e:f::34fb pltime:0 vltime:0)))
15:04:32.051231 IP6 (class 0xc0, hlim 64, next-header UDP (17) payload length: 77) fe80::f22f:74ff:fe93:8598.547 > fe80::1cd4:a4cb:91c3:aea.546: [udp sum ok] dhcp6 reply (xid=d1fa62 (client-ID hwaddr/time type 1 time 686812581 f01898ee25f8) (server-ID hwaddr type 1 0a8261938e8b) (status-code Success))
Doesn't seem to have anything interesting...
 

dave14305

Part of the Furniture
What machine has LLA fe80::f22f:74ff:fe93:8598? It's responding to DHCPv6 requests, so maybe it's part of the problem.
 

dave14305

Part of the Furniture
What if you add an extra line to your dnsmasq.conf?
Code:
dhcp-option=ula6,option6:23,[fd00:d:e:f::8]
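
Added example, not part of the original posts and not dnsmasq's own logic: a check of which IPv6 `dhcp-range` tags in the posted config have no `option6:23` line naming them, before and after the suggested line is added. It assumes a simplified tag model (a bare name or `set:` labels a range, a bare name or `tag:` selects an option) and that dnsmasq offers its own address as DNS server when no `option6:23` line matches; the function names are hypothetical.

```python
import re

# Constructed input: DHCP range and DNS option lines copied from the posted dnsmasq.conf.
POSTED_CONF = """\
dhcp-range=lan,192.168.0.2,192.168.0.254,255.255.255.0,86400s
dhcp-option=lan,6,192.168.0.8
dhcp-range=lan,::,constructor:br0,ra-stateless,64,600
dhcp-range=set:ula6,fd00:d:e:f::1,fd00:d:e:f::ffff,64,1440m
dhcp-option=lan,option6:23,[fd00:d:e:f::8]
"""
SUGGESTED_LINE = "dhcp-option=ula6,option6:23,[fd00:d:e:f::8]\n"

TAG = re.compile(r"(set:|tag:)?([A-Za-z_][\w-]*)")
DNS6 = re.compile(r"option6:(23|dns-server)")


def split_tags(value):
    """Split leading tag fields (set:x, tag:x, legacy bare name) from the rest."""
    fields, tags = value.split(","), []
    while fields and (m := TAG.fullmatch(fields[0])):
        tags.append((m.group(1) or "", m.group(2)))
        fields.pop(0)
    return tags, fields


def ranges_without_dns6(conf):
    """Return tags of IPv6 dhcp-range lines that no option6:23 line names."""
    range_tags, option_tags, untagged_option = set(), set(), False
    for line in conf.splitlines():
        key, _, value = line.strip().partition("=")
        tags, rest = split_tags(value)
        if key == "dhcp-range" and rest and ":" in rest[0]:  # IPv6 start address
            names = [n for p, n in tags if p != "tag:"]
            range_tags.update(names or ["(untagged range)"])
        elif key == "dhcp-option" and rest and DNS6.fullmatch(rest[0]):
            names = [n for p, n in tags if p != "set:"]
            untagged_option = untagged_option or not names
            option_tags.update(names)
    # An option6:23 line without any tag applies to every range.
    return [] if untagged_option else sorted(range_tags - option_tags)


if __name__ == "__main__":
    print("as posted:", ranges_without_dns6(POSTED_CONF))
    print("with suggested line:", ranges_without_dns6(POSTED_CONF + SUGGESTED_LINE))
```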
 
