DNS/TLS IPv6.


Analog-1

Senior Member
Is this still valid in 2024? Are there any security issues with this method, and how does it work?


IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab. Link-local address starts with fe80.
 
I was running this setup with Quad9 until recently and it worked well. I disabled IPv6 because my ISP uses a slow 6RD tunnel.
 
Is this still valid in 2024? Are there any security issues with this method, and how does it work?


IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab. Link-local address starts with fe80.
Well, you still need to set the IPV4 and IPV6 DNS resolvers in their respective locations, then set up DoT. I recommend alternating IPV4 DoT resolvers with corresponding IPV6 DoT resolvers. So you will end up with four entries in DoT and your queries will alternate between all four in turn.
 
Is this still valid in 2024? Are there any security issues with this method, and how does it work?


IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab. Link-local address starts with fe80.
I had not come across this, so I tried it and IPv6 seems to work the same as when using external (OpenDNS) IPv6 DNS servers. Given that all client (rather than router) DNS lookups go through Unbound (scripts used are in my signature), I don't see if or why this might improve (or worsen) my setup, or how I could test it.
 
I was testing this last night. I removed the DNS settings from both the WAN and IPv6 page. Then I set it up to force DoT in strict mode. It still works and is actually much faster and more stable than it was before.
 
Hmm. Would appreciate any advice on this topic.

1) I have been running DNS over TLS with strict and enabling preset servers on the WAN internet server tab, also Prevent auto DoH: YES. My provider only offers IPv4. Is there any way to test this? A few years back people said to look in the system logs for port 853 entries, but I don't see those any more like I used to... but then I have switched routers to the RT-AX86U.

2) Recently I decided to implement the Tunnelbroker IPV6in4. Further to the note from user Analog-1 above, I have added on the IPV6 page the LAN IPv6 Link-Local Address in the IPv6 DNS setting box, as I prefer that the DNS over TLS restriction keeps working. What would constitute a useful test of whether this is working?

3) As a last addition: I have a preference to deny one client on my LAN the use of IPv6. My logic is then to use DNS Director on the LAN page. There I set the MAC of the client in the client list and specify a redirection to a Cloudflare Family DNS. However, I am left puzzling as to what to do with the higher-up setting called Global Redirection. Does it get set to No Redirection or Router, as I wish to maintain the DNS over TLS that I have set up previously in 1 and 2? Or maybe this will not work at all as I am misunderstanding networking or precedence?

Thanks for any advice. If 3 is not likely to work then I can live without it or invert my approach and use family dns for everything instead of just protected.

Thanks Edward
 
I use router mode for DNS Director. This is supposed to force all clients to the DNS servers you have set via the router.
 
It just dawned on me that, as I have admin control of the one PC in question on the LAN, I can just disable IPV6 connectivity in the adapter hardware properties settings and be done with my issue in (3) :) Life is too short for complicated settings.

Also came across this page Merlin may have written. I had not thought of adjusting the LAN prefix and length option until I read this. https://github.com/RMerl/asuswrt-merlin.ng/wiki/IPv6-tunnelling Very helpful.
 
Well, you still need to set the IPV4 and IPV6 DNS resolvers in their respective locations then set up DoT.
Are you sure? I thought the DoT table overrides whatever you have set in the IPv4 and IPv6 DNS fields?

I have my IPv4 and IPv6 DNS fields set to “automatically obtain from ISP” and I have Cloudflare DoT configured in the DoT table (IPv4 and IPv6 addresses) in “strict” mode. All DNS tests confirm that my resolver is Cloudflare (and only Cloudflare), and Cloudflare’s security test confirms I’m using DoT.
 
I have my IPv4 and IPv6 DNS fields set to “automatically obtain from ISP” and Cloudflare DoT configured in the DoT table (both IPv4 and IPv6). All DNS tests confirm that my resolver is Cloudflare, and Cloudflare’s security test confirms I’m using DoT.

Sounds logical. What I posted a while ago was what I read on Merlin's website about DOT and IPv6. He has never commented on this, so I guess there is really no way to know what's correct or not.


(IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab. Link-local address starts with fe80.)
 
Sounds logical. What I posted a while ago was what I read on Merlin's website about DOT and IPv6. He has never commented on this, so I guess there is really no way to know what's correct or not.


(IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab. Link-local address starts with fe80.)
Once you set strict DOT and DNS director globally to router, it overrides all DNS settings.
 
Once you set strict DOT and DNS director globally to router, it overrides all DNS settings.

Does it? For IPv4 I am sure it does. It's not clear if it does for IPv6, as Merlin will not ever respond to this question. Another person told me Merlin did not even write this information, yet it's on his website. It would be nice to put this subject to bed. But again, crickets. Just my 2C.
 
Does it? For IPv4 I am sure it does. It's not clear if it does for IPv6, as Merlin will not ever respond to this question. Another person told me Merlin did not even write this information, yet it's on his website. It would be nice to put this subject to bed. But again, crickets. Just my 2C.
Yes it does. This is exactly how it works for me as I’ve stated before.
 
Once you set strict DOT and DNS director globally to router, it overrides all DNS settings.
DNS Director has nothing to do with the DNS settings in WAN or IPV6. It simply redirects all errant client DNS queries to the router.
DoT Strict or Opportunistic settings govern the way Stubby validates or doesn't validate DoT traffic. Strict is the preferred setting. Opportunistic may help with connection issues.
With DoT enabled, that takes over the router IPV4 and IPV6 settings. However, the WAN and IPV6 settings are still required to set the system time at boot.
 
DNS Director has nothing to do with the DNS settings in WAN or IPV6. It simply redirects all errant client DNS queries to the router.
DoT Strict or Opportunistic settings govern the way Stubby validates or doesn't validate DoT traffic. Strict is the preferred setting. Opportunistic may help with connection issues.
With DoT enabled, that takes over the router IPV4 and IPV6 settings. However, the WAN and IPV6 settings are still required to set the system time at boot.
I emphasize DNS Director globally to router because in this section you can exclude clients redirected to other DNS servers, hence you don't control them through the router's DOT settings.

For WAN and IPv6 DNS settings, true, they are used by the router as the initial server at boot until DOT takes over. These are two settings you can just leave at default (use ISP) if your intention is to use DOT. And to reduce input, most if not all DNS servers are now dual stack, meaning you can just input an IPv4 or IPv6 DNS address and it can resolve both for a dual stack system.
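Edward asked above how to test that DoT is really in use, and the reply above distinguishes Stubby's strict and opportunistic modes. The Python script below is an added example, not code from this thread or from Asuswrt-Merlin: it performs one DNS-over-TLS query the way Stubby does (TLS to port 853, DNS messages framed with a 2-byte length prefix), with strict=True meaning the resolver's certificate must validate for the hostname you give. Cloudflare's public endpoint 1.1.1.1 / one.one.one.one is used as the target; the query and parser follow standard DNS wire format.

```python
import socket, ssl, struct
DOT_PORT = 853  # DNS over TLS (RFC 7858): DNS-over-TCP framing inside a TLS session

def build_query(name, qtype=1, txid=0x1234):
    # Wire-format query (QTYPE 1 = A, 28 = AAAA), RD=1, QCLASS IN, with the 2-byte length prefix.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    msg = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)
    return struct.pack(">H", len(msg)) + msg

def _skip_name(msg, off):
    # Advance past a (possibly compressed) name and return the next offset.
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(frame, txid=0x1234):
    # Parse a length-prefixed response; return the A/AAAA addresses it carries.
    msg = frame[2:2 + struct.unpack(">H", frame[:2])[0]]
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("bad txid/flags, or RCODE %d" % (flags & 0xF))
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (1, 28):
            addrs.append(socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, rdata))
    return addrs

def dot_resolve(name, server, server_name, qtype=1, strict=True):
    # strict=True verifies chain + hostname (Stubby "strict"); strict=False only encrypts ("opportunistic").
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_name) as tls:
        tls.sendall(build_query(name, qtype))
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack(">H", buf[:2])[0]:
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("resolver closed the connection mid-response")
            buf += chunk
    return parse_response(buf)
if __name__ == "__main__":  # Cloudflare's public DoT endpoint; qtype=28 would ask for AAAA
    print(dot_resolve("example.com", "1.1.1.1", "one.one.one.one"))
```

If a resolver answers with strict=False but the TLS handshake fails with strict=True, its certificate does not match the hostname you configured, which is exactly the case strict mode refuses. On the router itself the complementary check is that outbound DNS leaves on port 853 rather than 53.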
 
Is this still valid in 2024? Are there any security issues with this method, and how does it work?


IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab. Link-local address starts with fe80.
What about devices that have no LAN DNS6 address advertised to them? Most clients these days should fall back to sending the ipv6 via ipv4 in the presence of a dual stack environment. It is the beauty of having a true dual stack network setup. When no DNS address is advertised over ipv6, the traffic can be sent over the ipv4 DNS exchange. As long as the router has IPV6 on the outbound, it can respond in either an ipv4 or ipv6 way. Right now I have my router's DHCP server issuing both an ipv4 and ipv6 address to each client on my network, and I pass 10/10 using this site https://test-ipv6.com/ ; meanwhile the DHCP server is set up to only advertise the router's ipv4 address for DNS, and I have removed its advertisement of the router's ipv6 address for DNS. Essentially I have it not handing out any ipv6 DNS server to clients.
 
I pass 0/10 using this site https://test-ipv6.com/ and we see the same Internet. We both pass, no?
That's what one would expect with ipv6 turned off and non-functional. I think where a lot of people mess up when using ipv6 is they think there is a lot of extra steps needed to have it work in a way you or I would expect it to. In fact, it is the exact opposite. Instead it turns into one more setting that people "over-complicate"; so I completely understand your desire to leave it turned off.
 
