Asuswrt-Merlin Serving IPV6 Router IP Instead of IPV6 DNS Server IP F/W 384.19

Does the DNS filter in router mode direct all DNS, including IPv6 and DoH, to the DNS server LAN DHCP setting?
Does the Custom DNS 1 in DNS Filter override the DNS Server specified in the LAN DHCP setting?

Is there anywhere I can view all of the LAN IPv6 hosts? I've tried using stateless and stateful but I can't find a table like the hosts file of all of the IPv6 hosts. It would be great if these could be looked up from Pi-hole in the same way IPv4 can using conditional forwarding. Not a huge deal though.
You can set up conditional forwarding for your Pi-hole. It will work if you have stateful addressing set up.

On your Raspberry Pi:
Code:
cd /etc/dnsmasq.d
Make up something like
Code:
nano 08-addnforwarding.conf
Insert into the file:
Code:
server=/1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.0.0.0.2.5.4.0.8.2.2.0.1.0.6.2.ip6.arpa/2601:228:452:6::1  # this is just an example Lan ipv6 address.
server=/Some-Lan/2601:228:452:6::1  # This is an example of the domain forwarding from the router.
# Obviously you need to replace this with the correct domain and IPv6 LAN address, and you need to
# properly change the numbers in the server .arpa argument.

You get the IPv6 address from the IPv6 address on your System Log tab --> IPv6 tab.
It is called the LAN IPv6 address; don't worry, you do not need the /64 at the end.

On my IPv6 settings page on the router, I chose to leave it set to stateless.
I added a line to my dnsmasq.postconf script inside jffs.
Here is what the script looks like:
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[ipv6 address of the RPI Goes here]" $CONFIG
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG
 
If you choose to go this route, you will need to restart the router and restart the Pi-hole for changes to take effect (for it to start populating your clients' addresses and names for devices for IPv6). Note: not all devices will have a device name for their IPv6 addresses.
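
The `ip6.arpa` name in a `server=` line is the address's hex nibbles in reverse order: a name built from all 32 nibbles matches a single address, while the first 16 nibbles of a /64 cover every host on that LAN prefix. The script below is an added example, not part of the original post, that builds both `server=` lines from the thread's sample address and domain; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Prints dnsmasq "server=" lines for
# Pi-hole conditional forwarding from a LAN IPv6 address and prefix length.

# Expand an IPv6 address to its 32 hex nibbles (handles "::" compression).
expand6() {
    addr=$1
    case $addr in
        *::*)
            left=${addr%%::*}; right=${addr#*::}
            n=0
            for g in $(echo "$left:$right" | tr ':' ' '); do n=$((n + 1)); done
            fill=
            while [ "$n" -lt 8 ]; do fill="$fill:0"; n=$((n + 1)); done
            addr="$left$fill:$right"
            ;;
    esac
    out=
    for g in $(echo "$addr" | tr ':' ' '); do
        out="$out$(printf '%04x' "0x$g")"
    done
    echo "$out"
}

# Reverse zone covering the first <prefixlen> bits (a multiple of 4).
arpa_zone() {
    nibbles=$(expand6 "$1")
    keep=$(($2 / 4))
    zone=ip6.arpa
    i=1
    while [ "$i" -le "$keep" ]; do
        # Prepending each nibble in turn leaves the last one first.
        zone="$(echo "$nibbles" | cut -c"$i").$zone"
        i=$((i + 1))
    done
    echo "$zone"
}

# forward_conf <router LAN IPv6> <prefix length> <local domain>
forward_conf() {
    printf 'server=/%s/%s\n' "$(arpa_zone "$1" "$2")" "$1"
    printf 'server=/%s/%s\n' "$3" "$1"
}

# The address and domain below are the thread's own example values.
forward_conf 2601:228:452:6::1 64 Some-Lan
```

Redirect the output into a file under `/etc/dnsmasq.d` on the Pi-hole and restart it, as described in the post above.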
 
Thank you very much, that worked quite nicely. I can see the hosts in RPI by name, and both IPv4 and v6 traffic against them. Nice and neat. I used stateless in my router too. But I figured I would have to use stateful and the hosts would be tabled somewhere... Where is this being stored/read from? Does the RA cache these somewhere?

So I guess with IPv6 I have to live with anything hard-coded hitting the router directly, and it won't be filtered off to the RPI?
 
Sounds about right. In the dnsmasq.postconf script example I posted, it enables a way for devices to receive a stateful address if they are capable; some devices only use stateless (my smartphone, for example). Also, the option adds for IPv6 to look for device names from the corresponding IPv4 address associated with the same client.
 
I decided to flush all logs and restart so I had a clean view. I restarted the router (AX88, 384.19). But now I can see the Host/IPv4 entry and it has A and AAAA DNS lookups, but I can also see a Host/IPv6 entry only for some devices, and many devices listed as unknown in the router that previously had hostnames.
 
It takes a bit to repopulate erased information.
 
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[ipv6 address of the RPI Goes here]" $CONFIG
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG

Could you modify this script for two pis?
 
Hi all.
I think I have the same problem.
Using Asus RT-AX88U as DHCP and Pihole as a DNS with Unbound as a recursive server (not using DoH/DoT).

IPv4 works well with the latest Merlin FW, but the router bypasses my DNS and publishes its own IP.

See my post here: https://www.snbforums.com/threads/router-is-overwriting-my-preferred-ipv6-dns-address.70991/

my /etc/dhcpcd.conf has the following in it:

Code:
interface eth0
        static ip_address=192.168.1.2/24
        static ip6_address=2403:5800:7300:cb00:6de6:be72:631c:ccdc/64
        static routers=192.168.1.1
        static domain_name_servers=192.168.1.1 2403:5800:7300:cb00::1

Pihole is in my IPv4 static IP range.

DNSSEC is enabled via Unbound, so I don't need Pihole to manage that.

I've been working with this configuration for quite some time with success. Using Unbound 1.13.1 as a recursive server and Wireguard.

Now, I've enabled IPv6 since my ISP provided me with one.

All I'm after is that my clients will only see the IPv4 and IPv6 of Pihole as the DNS and not the IPv6 of the router (2403:5800:7300:cb00::1) as a DNS.


So just to clarify, is this all that is required to get the router to stop advertising its IPv6 address as a DNS?
Code:
#!/bin/sh
sed -i "s/dhcp-option=lan,option6:23,.*/dhcp-option=lan,option6:23,[YOUR PI-HOLE IPV6 ADDRESS]/" $1
 
Yeah! Also would you mind sharing your unbound config? I’d love to see someone else with a similar hardware setup and DNSSEC config’d etc
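
The one-line `sed` above generalises to one or two Pi-holes, since `option6:23` takes a comma-separated list of bracketed addresses, as the `dnsfN` lines later in this thread show. The script below is an added example, not part of the original posts: it rewrites only the `lan` line, refuses `::` (dnsmasq replaces `[::]` with its own address), and reads back what will be advertised. Function names, the temporary file standing in for the config passed as `$1`, and the `2001:db8::` addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# Print the DHCPv6 DNS list (option6:23) handed to the "lan" tag.
lan_dns6() {
    sed -n 's/^dhcp-option=lan,option6:23,//p' "$1"
}

# set_lan_dns6 <dnsmasq.conf> <ipv6> [<ipv6> ...]
# Rewrites only the "lan" line; dnsfilter's dnsfN lines are left alone.
set_lan_dns6() {
    conf=$1; shift
    [ "$#" -ge 1 ] || { echo "need at least one address" >&2; return 2; }
    list=
    for a in "$@"; do
        case $a in
            # "::" is refused because dnsmasq replaces [::] with its own
            # address, which is the behaviour this thread is trying to remove.
            ''|::|*[!0-9A-Fa-f:]*) echo "bad address: $a" >&2; return 2 ;;
        esac
        list="${list:+$list,}[$a]"
    done
    grep -q '^dhcp-option=lan,option6:23,' "$conf" ||
        { echo "no lan option6:23 line in $conf" >&2; return 1; }
    sed -i "s/^dhcp-option=lan,option6:23,.*/dhcp-option=lan,option6:23,$list/" "$conf"
}

# Constructed sample config; 2001:db8::/32 is the documentation prefix.
demo=$(mktemp)
cat > "$demo" <<'EOF'
dhcp-option=dnsf13,option6:23,[2620:fe::fe],[2620:fe::9]
dhcp-option=lan,option6:23,[::]
dhcp-option=lan,option6:24,home
EOF
set_lan_dns6 "$demo" 2001:db8:1::53 2001:db8:1::54
echo "lan now advertises: $(lan_dns6 "$demo")"
rm -f "$demo"
```

Inside a `dnsmasq.postconf` script the call would be `set_lan_dns6 "$1" <first Pi-hole> <second Pi-hole>`.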
 
Is there any chance someone could tell me where I am going wrong?
Trying to give the IPv6 address of Pihole to IPv6 DHCP clients.

It works. My client gets the IPv4 and v6 Pihole addresses.

My jffs script is:

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[MYPiHoleV6IP]" $CONFIG
sed -i 's/^\(.*ra-stateless.*\),[0-9]\+$/\1,infinite/' $CONFIG
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite" $CONFIG

In dnsmasq.conf I end up with:

Code:
enable-ra
quiet-ra
dhcp-range=lan,::2,::500,constructor:br0,slaac,ra-names,64,infinite
dhcp-option=dnsf5,option6:23,[2a02:6b8::feed:bad],[2a02:6b8:0:1::feed:bad]
dhcp-option=dnsf6,option6:23,[2a02:6b8::feed:a11],[2a02:6b8:0:1::feed:a11]
dhcp-option=dnsf13,option6:23,[2620:fe::fe],[2620:fe::9]
dhcp-option=dnsf14,option6:23,[2a0d:2a00:1::2],[2a0d:2a00:2::2]
dhcp-option=dnsf15,option6:23,[2a0d:2a00:1::1],[2a0d:2a00:2::1]
dhcp-option=dnsf16,option6:23,[2a0d:2a00:1::],[2a0d:2a00:2::]
dhcp-option=lan,option6:23,[MyPiholV6IP]
dhcp-option=lan,option6:24,home
dhcp-authoritative

My WAN DNS Settings are.


What I am aiming for is: all my clients have IPv6, all get PiHole IP via DHCP or router filters/routes all DNS to either Pihole or NextDNS.

My questions are:
1. Can I set my WAN DNS to NextDNS - e.g. just enter my own NextDNS IPs?
2. Why does this config add all other IPv6 Option 6 entries to my dnsmasq.conf - I don't know what they are, do I need to?
3. Is configuring DNS Privacy DNS over TLS to NextDNS a way of making the router do DNS filtering, in a way, for IPv6?
 
Make sure you are actually placing your LAN IPv6 address inside the dnsmasq.postconf script.
 
Thanks. Yep, MyPhiholev6Ip is my actual IP.

I know what you're saying, I am not seeking complication. I already have Pihole, and Merlin DNSFilter doesn't work with IPv6 as I understand it, so this seems to be the easiest way?

My main aim is to use IPv6 and have the fastest DNS I can have with ad blocking.

What are these entries? dhcp-option=dnsf5
 
Those are normal; they are created by dnsfilter.
 
Also, you could be doing too much, why are you trying to use both pihole and nextdns?
Thanks for prompting me. I removed the Pihole for now; if NextDNS works ongoing then great, if not I fail back to Pihole.

I guess I need to explore the best cache/proxy method now - e.g. stubby, dnscrypt-proxy?
 
Sorry for replying to a year-old thread, but is there any way to do this outside of a JFFS script? The router I'm using does not have Merlin support, but I got around some of the limitations with a script running on an RPi to execute commands over SSH on boot to (for example) set iptables rules to force only Pi-hole and redirect all other DNS requests.

Unfortunately IPv6 DNS is still an issue.
For now I've set the Pi's address in both LAN and WAN and IPv6, which does work, but half of the requests would look like they came from the router and not the device.
 
