IPv6 and NextDNS Configuration Assistance Request


bitmonster (Senior Member)

Just discovered this amazing tool and subscribed, loving it!

I have recently moved to a new ISP that supports "native" IPv6.

I am using an Asus RT-AC86U with Merlin, and Cloudflare DNS as the default resolver, with NextDNS set up as the TLS resolver with IPv6 and TLS address, although the command line client seems to be handling it as the dashboard is identifying clients. I also have DNS Director set to "router" to force all DNS through the router. I have no idea how this works; however, my work laptop still seems to use its own DNS, which is fine I guess.

Also running SkyNet, although I'm not yet seeing any new log entries, so I can't see if IPv6 is working there either.

Trying to set the NextDNS command line client up so it passes all DNS tests and works properly though. When running nextdns log I receive "Error: exit status 2"; any idea why? It was working last night but not this morning.

Otherwise, status says running and my NextDNS dashboard suggests it's running fine with discovered devices (neat feature) and all encrypted, although less than 10% with DNSSEC validation (is this normal?).

The majority of traffic still seems to be via IPv4 though, only a minority via IPv6, and I would prefer it *all* go via IPv6.

I get a "B" rating on https://cmdns.dev.dns-oarc.net/ with all pass except for Transport -> IPv6 and RPKI IPv4 on Kubuntu (Edge and Firefox browsers) and on my Android phone. I thought I recall this having a full-pass A rating the previous night, before I installed the NextDNS router client. RPKI IPv6 passes though, as do all other tests.

My ISP uses IPoE - "Obtain IP automatically" and IPv6 pass-through.

https://www.dnscheck.tools/ shows only IPv4 NextDNS, although that passes all DNS security tests (ECDSA P-256, ECDSA P-384, Ed25519) and DNSSEC is working fine; however, there is an error noted at the bottom of the page that my "DNS resolvers cannot reach IPv6 name servers".

The NextDNS dashboard shows only 50 of 5,000 queries in the last half hour as via IPv6, 37 of which are from "Router" for periodic speed test domains. So basically everything is going via IPv4 except when I use my mobile off the home network, which then passes all tests except for RPKI IPv6 with NextDNS set as a "Private DNS" server in system settings. And when using my mobile network (WiFi off), sure enough the phone device shows up as using IPv6, and dnscheck.tools also passes all tests with IPv6 showing as enabled.

Interestingly, when I now ping google.com from my Kubuntu laptop it picks up an IPv6 address; however, when pinging from my *router* command line it picks up an IPv4 address.

When I just deactivated / stopped the NextDNS client via command line, sure enough https://www.dnscheck.tools/ and https://cmdns.dev.dns-oarc.net/ returned IPv6 and an A rating. From the router command line, pinging google.com still returns an IPv4 address; pinging ipv6.google.com returns an IPv6 address though.

So that could mean something is amiss with the DNS resolver there, possibly the command line NextDNS client.

Can anyone think of anything I can or should change?

And now my Asus Dynamic DNS doesn't seem to be updating either, so I can't use incoming VPN; however, I will see if it starts updating again after disabling the NextDNS router client.

Config is:

cache-max-age 0s
mdns all
auto-activate false
cache-size 10MB
discovery-dns
use-hosts true
listen localhost:53
control /var/run/nextdns.sock
log-queries false
max-ttl 0s
report-client-info true
hardened-privacy false
debug false
timeout 5s
max-inflight-requests 256
setup-router true
bogus-priv true
detect-captive-portals false
profile -----

And ifconfig from the router command line shows eth0 with both IPv4 and IPv6 addresses.

Interestingly though, SkyNet is only showing an IPv4 address in its command line menu.

So for now I have run "nextdns uninstall" until I can work out how to get this working via IPv6, which has returned all DNS tests to fully passed.

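An added example, not from this thread and not NextDNS's own code: a script that does from the command line what the poster above did by hand with ping, asking a resolver for both A and AAAA records and reporting whether any IPv6 answers come back at all. It speaks raw DNS over UDP with only the Python standard library, so it runs on a laptop or on the router wherever python3 exists. The default target 127.0.0.1:53 assumes the NextDNS CLI is listening where the posted config puts it (listen localhost:53); the sample reply used for the offline check is constructed, not captured traffic, and the test names google.com and ipv6.google.com are the ones used in the thread.

```python
"""Check whether a resolver hands back AAAA records (added example).

Raw DNS over UDP with the standard library only. Default target is
127.0.0.1:53, where the posted NextDNS config has the CLI listening
(listen localhost:53); pass another resolver literal as argv[1].
"""
import random
import socket
import struct
import sys

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype, txid=0x1234):
    """Single-question query with RD set; returns the wire-format message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_answers(msg):
    """Return (rcode, [(name, qtype, address)]) for the A/AAAA answer RRs."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata = msg[offset + 10:offset + 10 + rdlen]
        offset += 10 + rdlen                    # other RR types are skipped
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, rtype, socket.inet_ntop(socket.AF_INET, rdata)))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append((name, rtype, socket.inet_ntop(socket.AF_INET6, rdata)))
    return flags & 0x0F, answers


def fake_reply(name, qtype, addrs, txid=0x1234):
    """Constructed positive reply for offline testing (not captured traffic)."""
    fam = socket.AF_INET6 if qtype == QTYPE_AAAA else socket.AF_INET
    body = build_query(name, qtype, txid)[12:]
    for addr in addrs:
        rdata = socket.inet_pton(fam, addr)
        body += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0) + body


def query(server, name, qtype, timeout=3.0):
    """Send one UDP query to an IPv4/IPv6 resolver literal; return the reply."""
    txid = random.randrange(1 << 16)
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        while True:                             # ignore replies with a foreign ID
            data, _ = s.recvfrom(4096)
            if struct.unpack("!H", data[:2])[0] == txid:
                return data


def verdict(results):
    """results: {name: {"A": [...], "AAAA": [...]}} -> one-line diagnosis."""
    no_v6 = sorted(n for n, r in results.items() if not r["AAAA"])
    if not no_v6:
        return "ok: AAAA answers returned for every name"
    if len(no_v6) == len(results):
        return "no AAAA for any name: IPv6 resolution is broken at this resolver"
    return "no AAAA for: " + ", ".join(no_v6)


def probe(server, names):
    results = {}
    for name in names:
        results[name] = {}
        for label, qtype in (("A", QTYPE_A), ("AAAA", QTYPE_AAAA)):
            _, answers = parse_answers(query(server, name, qtype))
            results[name][label] = [addr for _, t, addr in answers if t == qtype]
    return results


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # ipv6.google.com has only an AAAA record, so it separates "no IPv6 answers
    # at all" from "the client merely preferred the A record it also got".
    names = sys.argv[2:] or ["google.com", "ipv6.google.com"]
    res = probe(server, names)
    for n, r in res.items():
        print(f"{n}: A={r['A']} AAAA={r['AAAA']}")
    print(verdict(res))
```

Run it once against the CLI (127.0.0.1) and once against the upstream the CLI is supposed to use; if the second returns AAAA records and the first does not, the gap is in the local forwarder rather than in the ISP's IPv6 path. Note that a BusyBox ping printing an IPv4 address proves only which family the ping client picked first, not that the AAAA lookup failed, which is why the script reports both record types separately.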
Skynet is not a firewall. It’s an IP blocker. Your router has built-in IPv4 and IPv6 firewall, enabled by default.
Thanks for the clarification. I checked my Firewall page and there was an option disabled to "Enable IPv6 Firewall", I have now enabled this.

Any/all firewalls should be enabled.
Agreed. However as per above I noticed that there was an IPv6 option disabled, now enabled. Is there a way to check the logs for this?

Disappointing though that SkyNet only supports IPv4. I imagine this is even more important with IPv6 with (I suspect) no NAT.
 
So long as you log packets that are dropped (see the firewall page for this), you will see dropped IPv6 stuff in the system log sooner or later.
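An added example, not from the thread: a short Python script that does the check suggested in the reply above, pulling dropped-packet lines out of a syslog and separating IPv4 from IPv6 hits. The sample lines are constructed in the kernel netfilter LOG format; the "DROP" log prefix, the WAN interface name eth0 and the documentation-range LAN prefix are assumptions to be adjusted to your own firmware. The per-destination count matters for IPv6 specifically: with no NAT in front of the LAN, the DST field of a dropped inbound packet is the global address of the internal device being probed.

```python
"""Summarise dropped inbound packets from a router syslog (added example)."""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the netfilter LOG format. The "DROP"/"ACCEPT"
# prefixes, WAN interface eth0 and the documentation address ranges are
# assumptions, not captured output from an Asuswrt router.
SAMPLE_SYSLOG = """\
Jun  1 10:00:01 RT-AC86U kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:02 RT-AC86U kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:86:dd SRC=2001:db8:ffff::1 DST=2001:db8:1:2:3:4:5:6 LEN=60 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 10:00:03 RT-AC86U kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:86:dd SRC=2001:db8:ffff::1 DST=2001:db8:1:2:3:4:5:6 LEN=60 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=TCP SPT=40002 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 10:00:04 RT-AC86U kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:05 RT-AC86U kernel: ACCEPT IN=eth0 OUT=br0 SRC=2001:db8:ffff::2 DST=2001:db8:1::10 LEN=64 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0
Jun  1 10:00:06 RT-AC86U rc_service: httpd 1234:notify_rc restart_firewall
"""

LOG_RE = re.compile(r"kernel: (?P<action>DROP|ACCEPT) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the netfilter key=value fields of a firewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))   # flag words like DF/SYN drop out
    rec["action"] = m.group("action")
    try:
        rec["family"] = ip_address(rec["SRC"]).version
    except (KeyError, ValueError):
        return None
    return rec


def summarize(lines, wan_if="eth0", lan_v6=ip_network("2001:db8:1::/48")):
    """Count WAN-side drops per IP family, per (family, proto, dport), and
    per IPv6 LAN host that was addressed directly from the Internet."""
    drops, ports, targeted = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or rec.get("IN") != wan_if:
            continue
        fam = rec["family"]
        drops[fam] += 1
        ports[(fam, rec.get("PROTO"), rec.get("DPT"))] += 1
        # No NAT on v6: DST is the real global address of the LAN device.
        if fam == 6 and ip_address(rec["DST"]) in lan_v6:
            targeted[rec["DST"]] += 1
    return {"drops": dict(drops), "ports": ports, "targeted_lan_v6": dict(targeted)}


if __name__ == "__main__":
    # Usage: python3 drops.py /path/to/syslog.log  (defaults to the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_SYSLOG.splitlines()
    r = summarize(lines)
    print("drops by family:", r["drops"])
    print("top targets:", r["ports"].most_common(5))
    print("IPv6 LAN hosts probed directly:", r["targeted_lan_v6"])
```

A run that shows zero IPv6 drops over days while the ISP has handed out a prefix is itself a finding: either nothing is logging on the ip6tables side, or the "Enable IPv6 Firewall" switch mentioned earlier in the thread is still off.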
 
Disappointing though that SkyNet only supports IPv4.

Imagine community created and maintained blocklist for 340 undecillion IP addresses. I’m not sure Google can do it with their computing clusters. If you want to reduce the attack surface and have nothing to use IPv6 for - disable IPv6. Your Internet experience will remain exactly the same.
 
Imagine community created and maintained blocklist for 340 undecillion IP addresses
They are not all assigned though. So with *assigned* ranges, IPv6 firewalls should be manageable? Or what is the risk with IPv6 no longer requiring NAT and potentially every home device being directly addressable?

Imagine community created and maintained blocklist for 340 undecillion IP addresses. I’m not sure Google can do it with their computing clusters. If you want to reduce the attack surface and have nothing to use IPv6 for - disable IPv6. Your Internet experience will remain exactly the same.
IPv4 is from 1981. IPv6 is about more than just address space. Time to just let it go.

As for NextDNS - I have disabled the router client for now as it apparently only supports IPv4 as well.
 
No, IPv4 won’t go any time soon. What you get is dual-stack IPv4 and IPv6 and you have to secure both the same way. On your home router you may find other things with strange behaviour when IPv6 is enabled, but explore.
 
No, IPv4 won’t go any time soon. What you get is dual-stack IPv4 and IPv6 and you have to secure both the same way. On your home router you may find other things with strange behaviour when IPv6 is enabled, but explore.
Thanks and I will look in to it. However I thought a firewall would be even more important with IPv6 as potentially everything is directly addressable.
 
I am using a Asus RT-AC86u

On this specific router model with Runner and Flow Cache active + IPv6 enabled, the Syslog was filled with kernel crashes conveniently hidden by Asus in the WebUI. Run a log server and check if this is still the case. I doubt they ever fixed it before EOL of the product. Also check if your QoS is still working. Careful with common IPv6 leaks with on-router VPN, the reason on-client VPN software blocks IPv6 even in 2024. Good luck.
 
However I thought a firewall would be even more important

One of Asuswrt versions had broken IPv6 firewall for about a month exposing IPv6 capable devices straight to Internet in specific configuration. The bug was discovered by SNB Forums member by accident. It was fixed later, but users had no way to know. It wasn’t listed as fixed in release notes. Whatever happened - happened. The theory about IPv6 is one thing, the reality on a home router may be different. Start with upgrading your hardware to something supported at least. Your router is EOL at Asus and Asuswrt-Merlin support is expiring.
 
One of Asuswrt versions had broken IPv6 firewall for about a month exposing IPv6 capable devices straight to Internet in specific configuration. The bug was discovered by SNB Forums member by accident. It was fixed later, but users had no way to know. It wasn’t listed as fixed in release notes. Whatever happened - happened. The theory about IPv6 is one thing, the reality on a home router may be different. Start with upgrading your hardware to something supported at least. Your router is EOL at Asus and Asuswrt-Merlin support is expiring.
Thanks and good point, I will start saving up and assume I can use the existing router as a Mesh node after I upgrade to a newer Asus model.
 
As for NextDNS - I have disabled the router client for now as it apparently only supports IPv4 as well.

I also have NextDNS with the CLI on my AC86U with native IPv6, all tests on cmdns.dev.dns-oarc.net give the success status with the A rating.
 
I also have NextDNS with the CLI on my AC86U with native IPv6, all tests on cmdns.dev.dns-oarc.net give the success status with the A rating.
Thanks for confirming that it works on the same model. Does your ISP use CGNAT by chance? It's the only other factor I can think of however I don't see why it would make a difference. After uninstalling the CLI client all tests have returned to pass and IPv6.
 
My ISP uses Dual Stack.

For browsing I use Waterfox, a Firefox fork. In about:config is a setting called "network.http.fast-fallback-to-IPv4" which I have set to false. But if it is set to true, a lot of connections where IPv6 is possible go over IPv4. To check that I use the extension IPvQ, which returns the IPs that are used on the webpage.
 