Pi-Hole, FritzBox, and IPv6

It is the year 2019 and IPv6 still “almost works” – Today’s exhibit: The Pi-Hole

Long story short: Pi-Hole needs a couple of checkboxes and command-line options to do IPv6 properly. Also, most home routers still suck when it comes to IPv6.

I am also stubborn enough to identify and engineer ways around the issues that arise. Especially with an ISP like XS4ALL this just has to work.

The Pi-Hole is a nice project based on a Raspberry Pi that adds a DNS resolver/cache combined with an ad blocker to your network. That way you don’t need to use dubious browser plugins, and it also works for all mobile devices and appliances in your network.

Personally I even find it speeds up browsing, as many requests are served from cache a lot better than from your typical home router. Also you can choose different DNS resolvers like OpenDNS and friends, which are not subjected to the Patriot Act and/or corporate censorship. But more about that later.

The Pi-Hole does assign an IPv6 address and reacts to DNS requests on that address, but now the fun begins. Every SoHo router has a way to assign static IP addresses or create static DHCP entries by MAC address. IPv4 addresses… But try doing that in IPv6 and you will learn quickly that there is a difference between “works with IPv6” and “does IPv6 just like IPv4”.

Also things like “global address”, meaning the address should just be routed, not NAT-ted (a typical IPv4 home router has one IPv4 address that is used with PAT/overloading) – IPv6 should make that redundant. But it’s difficult to “draw the line” between net and host there. (Also, people seem to not understand that opening a port on a firewall is just as secure as hiding that host behind NAT/PAT. In fact, it should even be easier, but hey...)

So, long story short: (needs more screenshots)

It used Google’s DNS as a forward target.

Differences from the default setup:
– IPv6 forwarding is enabled (settings > DNS)
– /etc/pihole/setupVars.conf needed editing: the IPv6 address was changed after reboot
– I also edited /etc/pihole/pihole-FTL.conf, and added AAAA_QUERY_ANALYSIS=yes
– I restarted pihole-FTL with: systemctl restart pihole-FTL

Check in the Fritz Box under advanced > network > IPv6 addresses and set up the new IPv6 address as the advertised DNSv6 server (confirm with a phone).

Do the same for IPv4 (instead of itself, the box should advertise the Pi-Hole as DNS server/cache/resolver).
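
An added example (not from the original post): a Python check for the drift described above, where the IPv6 address recorded in setupVars.conf is no longer on the interface after a reboot, so the DNSv6 server advertised by the Fritz Box points at nothing. The IPV6_ADDRESS key name, the eth0 interface and all sample addresses are assumptions or constructed values.

```python
import ipaddress
import re

# Constructed sample of /etc/pihole/setupVars.conf. The IPV6_ADDRESS key name
# is an assumption; addresses use the 2001:db8::/32 documentation prefix.
SAMPLE_SETUPVARS = """\
IPV4_ADDRESS=192.168.178.2/24
IPV6_ADDRESS=2001:db8:1:2:ba27:ebff:fe12:3456
"""

# Constructed, shortened sample of `ip -6 -o addr show dev eth0` after a reboot.
SAMPLE_IP_OUTPUT = """\
2: eth0    inet6 2001:db8:9:9:ba27:ebff:fe12:3456/64 scope global dynamic
2: eth0    inet6 fd00::ba27:ebff:fe12:3456/64 scope global dynamic
2: eth0    inet6 fe80::ba27:ebff:fe12:3456/64 scope link
"""

def configured_ipv6(setupvars_text):
    """Return the configured IPv6 address, or None if the key is missing or empty."""
    m = re.search(r"^IPV6_ADDRESS=(\S*)$", setupvars_text, re.MULTILINE)
    if not m or not m.group(1):
        return None
    return ipaddress.ip_interface(m.group(1)).ip  # tolerates a trailing /64

def interface_ipv6(ip_output):
    """Parse the inet6 entries of `ip -6 -o addr show` into address objects."""
    return [ipaddress.ip_interface(a).ip for a in re.findall(r"inet6 (\S+)", ip_output)]

def kind(addr):
    if addr.is_link_local:
        return "link-local"
    return "ULA" if addr in ipaddress.ip_network("fc00::/7") else "global"

def check(setupvars_text, ip_output):
    """Return (status, candidates); status is 'ok', 'stale' or 'unset'."""
    want = configured_ipv6(setupvars_text)
    if want is None:
        return ("unset", [])
    have = interface_ipv6(ip_output)
    if want in have:
        return ("ok", [])
    # Same interface identifier (low 64 bits) under another prefix: the prefix
    # changed but the host part did not, so these are the likely replacements.
    iid = int(want) & (2**64 - 1)
    return ("stale", [(str(a), kind(a)) for a in have
                      if int(a) & (2**64 - 1) == iid and not a.is_link_local])

if __name__ == "__main__":
    print(check(SAMPLE_SETUPVARS, SAMPLE_IP_OUTPUT))
```

On the Pi, pass in the real file contents and the output of the ip command instead of the samples; a "stale" result means both setupVars.conf and the DNSv6 server set in the Fritz Box need the new address.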

Somehow I think I should use one of my remote machines to monitor availability for IPv4 and IPv6 – I don’t trust this setup just yet, but I also need to read a lot on how IPv6 is “supposed” to be done (static seems weird. SLAAC seems a workaround. There has to be a better way).