What's new

Unbound Ipv6 Set-up

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

John DeLuca

Regular Contributor
Hello, I was wondering what I had to to do get unbound to work with Ipv6, right now It seems like only Ipv4 is functioning correctly. I was looking in the advanced unbound config and tried to turn on integration IPV6: do-ip6: yes and reboot but it still seems like the v6 is not working correctly. I am verifying if unbound is working by checking https://ipleak.net/ my ipv4 and ipv4dns match but my ipv6 and ipv6 dns do not match.

Any help would be much appreciated.

I am using the latest version of both merlin and unbound on a GT-AX11000
 
Hello, I was wondering what I had to to do get unbound to work with Ipv6, right now It seems like only Ipv4 is functioning correctly. I was looking in the advanced unbound config and tried to turn on integration IPV6: do-ip6: yes and reboot but it still seems like the v6 is not working correctly. I am verifying if unbound is working by checking https://ipleak.net/ my ipv4 and ipv4dns match but my ipv6 and ipv6 dns do not match.

Any help would be much appreciated.

I am using the latest version of both merlin and unbound on a GT-AX11000
If you see your ISP DNS (or some public DNS) that wouldn't necessarily mean the Unbound is not working for IPv6, but more likely that Unbound is not used for IPv6 (it is not the one getting the requests). You will need to make sure that your IPv6 DNS announced to clients is pointing to the router IPv6. I'm guessing this option should be available somewhere in the IPv6 section of the GUI.

With the 386.7 firmware @RMerlin introduces IPv6 DNSFilter, which intercepts all DNS requests from clients and redirects them to router and dnsmasq. Make sure DNSFilter is turned on and set to router.
 
Ok, and I assume the address i put into there is my LAN IPv6 Address correct? That is the equipment of putting in192.168.1.1 as my DNS but for v6. DNS filter was turned on but did not have a V6 address in. Ill check around for IPv6 DNS settings as well.
 
Something interesting I was just looking through my IPv6 settings and realized my WAN IPv6 Address matches my IPv6 DNS address on that test but does not match the IPv6 address of the test. Odd it says that address is in NH while I am in NY. Is there another way to test Unbound? Also in general cached DNS requests (once the data is cached) will be faster than any public DNS correct? That honestly is the main reason I am using unbound.
 
Something interesting I was just looking through my IPv6 settings and realized my WAN IPv6 Address matches my IPv6 DNS address on that test but does not match the IPv6 address of the test. Odd it says that address is in NH while I am in NY. Is there another way to test Unbound? Also in general cached DNS requests (once the data is cached) will be faster than any public DNS correct? That honestly is the main reason I am using unbound.
I'm not sure I understand if you still have a problem or not.

The router itself are not using Unbound (typically) so any test you are running, do it on a lan client.

Unbound should remove dns servers from dnsmasq and put in itself there, make sure this is the only one in the used config:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# cat /etc/dnsmasq.conf | grep server
server=127.0.0.1#53535

My dns filter is Enabled and set to router, no rules added and dns 1,2,3 is empty. That should be it, check dnsfilter for ipv6:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL PREROUTING -t nat
Chain PREROUTING (policy ACCEPT 21153 packets, 8044K bytes)
 pkts bytes target     prot opt in     out     source               destination
  546 46244 DNSFILTER  udp      br+    *       ::/0                 ::/0
            udp dpt:53
    0     0 DNSFILTER  tcp      br+    *       ::/0                 ::/0
            tcp dpt:53
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL DNSFILTER -t nat
Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
  546 46244 DNAT       all      *      *       ::/0                 ::/0
            to:aaff:a37f:fa75:1::1
admin@RT-AC86U-D7D8:/tmp/home/root#
but instead of my aaff:a37f:fa75:1::1 should be your br0 ip address.
This should redirect all queries on port 53 (dns) to dnsmasq which does its own query to Unbound locally.
 
Last edited:
I'm not sure I understand if you still have a problem or not.

The router itself are not using Unbound (typically) so any test you are running, do it on a lan client.

Unbound should remove dns servers from dnsmasq and put in itself there, make sure this is the only one in the used config:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# cat /etc/dnsmasq.conf | grep server
server=127.0.0.1#53535

My dns filter is Enabled and set to router, no rules added and dns 1,2,3 is empty. That should be it, check dnsfilter for ipv6:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL PREROUTING -t nat
Chain PREROUTING (policy ACCEPT 21153 packets, 8044K bytes)
pkts bytes target     prot opt in     out     source               destination
  546 46244 DNSFILTER  udp      br+    *       ::/0                 ::/0
            udp dpt:53
    0     0 DNSFILTER  tcp      br+    *       ::/0                 ::/0
            tcp dpt:53
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL DNSFILTER -t nat
Chain DNSFILTER (2 references)
pkts bytes target     prot opt in     out     source               destination
  546 46244 DNAT       all      *      *       ::/0                 ::/0
            to:aaff:a37f:fa75:1::1
admin@RT-AC86U-D7D8:/tmp/home/root#
but instead of my aaff:a37f:fa75:1::1 should be your br0 ip address.
This should redirect all queries on port 53 (dns) to dnsmasq which does its own query to Unbound locally.

I just checked all of that and it all looks good I guess it all is working, after all, I just find it odd that this doesn't match up. I assumed it must have to be matching to be working, I am in NY maybe it's just getting the location wrong because I do see that second address as my WAN IPV6. If that is true should it be in NY. Are there multiple separate addresses in IPV6 unlike IPV4?
 

Attachments

  • Screenshot 2022-07-05 133828.png
    Screenshot 2022-07-05 133828.png
    98.9 KB · Views: 103
I am in NY maybe it's just getting the location wrong because I do see that second address as my WAN IPV6. If that is true should it be in NY. Are there multiple separate addresses in IPV6 unlike IPV4?
Maybee your ISP using some tunneling service or their exit point is somehow different between ipv4 and ipv6. I have no idea how these localization services work, guess the ISP is responsible to report where your IP belongs. but for DNS... who knows?? guess the localization may not be based on what the isp states but may be the point of origin where your ISP is connected to the main-line...
One difference could be that your only have a single ipv4 but a whole bunch of ipv6. Naturally the client data will have the clients ipv6 address but for dns it will be router ipv6 so slight change on device suffix but as long as its your prefix: its cooming from your network.

but the important thing is that this is not your problem... some internet service gets location wrong, its their problem... Enjoy Unbound!

ooh, I missed these:

Also in general cached DNS requests (once the data is cached) will be faster than any public DNS correct?
well, yes.... but dnsmasq is caching it's lookup to... it is controlled by cache-size and --min-cache-ttl (seconds) in dnsmasq.conf... altough unbound sets cache-size to 0 to make sure all requests are forwarded to Unbound. so if this is the only reason for using Unbound, why not explore dnsmasq features?? perhaps it already does what your are after??

Is there another way to test Unbound?
sure... there are lots of ways... perhaps the most straightforward one is to use tcpdump, which could be installed on your router and log all packages going in and out...
 
Last edited:

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top