pi-hole / pi-hole

A black hole for Internet advertisements
https://pi-hole.net

IPV6 support results in two advertised DNS servers (they are the same, duplicated) #4950

Closed Sassafras76 closed 1 year ago

Sassafras76 commented 1 year ago

Versions

Current Pi-hole version is v5.12.2
Current AdminLTE version is v5.15.1
Current FTL version is v5.18.1

Platform

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Expected behavior

When I enable IPv6 support, I expect the pi.hole IPv6 global address to be published.

Actual behavior / bug

In Windows, I see the DNS server twice.

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to Settings, DHCP, enable "Enable IPv6 support (SLAAC + RA)". Save
  2. Go to router (MikroTik), disable ND to allow the pi.hole to send RA messages
  3. Start Windows PC
  4. Type ipconfig /all and you see three DNS servers: IPv6 global, IPv4 DNS, and a second IPv6 global, a repeat of the first

Debug Token

https://tricorder.pi-hole.net/sb90sipQ/

dschaper commented 1 year ago

Might not be related but check your warnings on the web interface. There is a conflict with the .222 address, you might have set a static lease for the Pi-hole server on the Pi-hole server that already has the address assigned.

dschaper commented 1 year ago

Also double check the IPv6 support box. You don't have the lines in your /etc/dnsmasq.d/02-pihole-dhcp.conf file to enable RA.

Your file:

-rw-r--r-- 1 root root 488 Sep 29 12:03 /etc/dnsmasq.d/02-pihole-dhcp.conf
   dhcp-authoritative
   dhcp-range=10.0.0.2,10.0.0.61,infinite
   dhcp-option=option:router,10.0.0.1
   dhcp-leasefile=/etc/pihole/dhcp.leases
   domain=lan
   local=/lan/

What you should see:

root@69ab2749d980:/etc/dnsmasq.d# cat 02-pihole-dhcp.conf  
###############################################################################
#  DHCP SERVER CONFIG FILE AUTOMATICALLY POPULATED BY PI-HOLE WEB INTERFACE.  #
#            ANY CHANGES MADE TO THIS FILE WILL BE LOST ON CHANGE             #
###############################################################################
dhcp-authoritative
dhcp-range=192.168.88.201,192.168.88.251,24h
dhcp-option=option:router,192.168.88.2
dhcp-leasefile=/etc/pihole/dhcp.leases
#quiet-dhcp

domain=lan
#quiet-dhcp6
#enable-ra
dhcp-option=option6:dns-server,[::]
dhcp-range=::,constructor:br0,ra-names,ra-stateless,64

Edit: Side note, infinite leases are a rather bad idea.

Sassafras76 commented 1 year ago

I was able to do it now and this is what is appended to the file when IPV6 is enabled:

domain=lan
local=/lan/
quiet-dhcp6
enable-ra
dhcp-option=option6:dns-server,[::]
dhcp-range=::,constructor:eth0,ra-names,ra-stateless,64

Sassafras76 commented 1 year ago

Might not be related but check your warnings on the web interface. There is a conflict with the .222 address, you might have set a static lease for the Pi-hole server on the Pi-hole server that already has the address assigned.

Will do that now - thank you.

dschaper commented 1 year ago

I was able to do it now and this is what is appended to the file when IPV6 is enabled:

Did that do anything to the client's DNS assignments? Are you able to run a packet sniffer on the client to see what the actual RA payload is and where it is coming from? I wonder if the MKTK is announcing as well.

Sassafras76 commented 1 year ago

ease for the Pi-hole server on the Pi-hole server that already has the address assigned

Still see it. I will kick off Wireshark and see what is being advertised.

Sassafras76 commented 1 year ago

I can see the RA in the packet capture and ipconfig shows two DNS servers.

DNS Servers . . . . . . . . . . . : 2607:fea8:34dd:e672:764c:d994:2a73:3405
                                    10.0.0.222
                                    2607:fea8:34dd:e672:764c:d994:2a73:3405

dschaper commented 1 year ago

Is 2c:c8 the MKTK router? What is in that payload?

dschaper commented 1 year ago

@DL6ER I don't see anything odd here yet but can you take a look when you have a chance?

Sassafras76 commented 1 year ago

Is 2c:c8 the MKTK router? What is in that payload?

Yes, the MAC 2c is the MikroTik.

Here is the packet:

pihole.zip

Frame 1: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface \Device\NPF_{D471608B-8051-4120-9E86-316FED14144E}, id 0
    Interface id: 0 (\Device\NPF_{D471608B-8051-4120-9E86-316FED14144E})
        Interface name: \Device\NPF_{D471608B-8051-4120-9E86-316FED14144E}
        Interface description: Ethernet 2
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 29, 2022 16:34:41.263239000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1664483681.263239000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 142 bytes (1136 bits)
    Capture Length: 142 bytes (1136 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ipv6:icmpv6]
    [Coloring Rule Name: ICMP]
    [Coloring Rule String: icmp || icmpv6]
Ethernet II, Src: Raspberr_68:0f:34 (dc:a6:32:68:0f:34), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Destination: IPv6mcast_01 (33:33:00:00:00:01)
        Address: IPv6mcast_01 (33:33:00:00:00:01)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Raspberr_68:0f:34 (dc:a6:32:68:0f:34)
        Address: Raspberr_68:0f:34 (dc:a6:32:68:0f:34)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::5128:5863:dd57:8a90, Dst: ff02::1
    0110 .... = Version: 6
    .... 1100 0000 .... .... .... .... .... = Traffic Class: 0xc0 (DSCP: CS6, ECN: Not-ECT)
    .... 1110 0101 0101 0010 1011 = Flow Label: 0xe552b
    Payload Length: 88
    Next Header: ICMPv6 (58)
    Hop Limit: 255
    Source Address: fe80::5128:5863:dd57:8a90
    Destination Address: ff02::1
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x6dce [correct]
    [Checksum Status: Good]
    Cur hop limit: 64
    Flags: 0x40, Other configuration, Prf (Default Router Preference): Medium
        0... .... = Managed address configuration: Not set
        .1.. .... = Other configuration: Set
        ..0. .... = Home Agent: Not set
        ...0 0... = Prf (Default Router Preference): Medium (0)
        .... .0.. = Proxy: Not set
        .... ..0. = Reserved: 0
    Router lifetime (s): 1800
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Prefix information : 2607:fea8:34dd:e672::/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flag: 0xc0, On-link flag(L), Autonomous address-configuration flag(A)
            1... .... = On-link flag(L): Set
            .1.. .... = Autonomous address-configuration flag(A): Set
            ..0. .... = Router address flag(R): Not set
            ...0 0000 = Reserved: 0
        Valid Lifetime: 2591819
        Preferred Lifetime: 604619
        Reserved
        Prefix: 2607:fea8:34dd:e672::
    ICMPv6 Option (MTU : 1500)
        Type: MTU (5)
        Length: 1 (8 bytes)
        Reserved
        MTU: 1500
    ICMPv6 Option (Source link-layer address : dc:a6:32:68:0f:34)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: Raspberr_68:0f:34 (dc:a6:32:68:0f:34)
    ICMPv6 Option (Recursive DNS Server 2607:fea8:34dd:e672:764c:d994:2a73:3405)
        Type: Recursive DNS Server (25)
        Length: 3 (24 bytes)
        Reserved
        Lifetime: 604619
        Recursive DNS Servers: 2607:fea8:34dd:e672:764c:d994:2a73:3405

Sassafras76 commented 1 year ago

@DL6ER I don't see anything odd here yet but can you take a look when you have a chance?

Google found this: https://learn.microsoft.com/en-us/answers/questions/458646/ipconfig-all-lists-the-same-ipv6-dns-servers-twice.html

Could be Windows executing both stateful and stateless DNS queries and finding the same server.

Windows however, ignores the management "m bit" and gets both SLAAC and stateful addresses (as well as its privacy extension ones). It might be that it is listing the DNS servers twice, one for the SLAAC and one for the stateful. I will have to see what happens if I turn off DHCP server altogether.

Sassafras76 commented 1 year ago

@DL6ER I don't see anything odd here yet but can you take a look when you have a chance?

Google found this: https://learn.microsoft.com/en-us/answers/questions/458646/ipconfig-all-lists-the-same-ipv6-dns-servers-twice.html

Could be Windows executing both stateful and stateless DNS queries and finding the same server.

Windows however, ignores the management "m bit" and gets both SLAAC and stateful addresses (as well as its privacy extension ones). It might be that it is listing the DNS servers twice, one for the SLAAC and one for the stateful. I will have to see what happens if I turn off DHCP server altogether.

What's interesting is that with just the MikroTik alone servicing RA, it is a single DNS server, but when I add Pi-hole's RA (and tell the MikroTik not to advertise DNS) I get the two DNS servers.

Interesting.

Sassafras76 commented 1 year ago

Issue appears to be with Windows and not the Pi-hole IPv6 implementation.

dschaper commented 1 year ago

Thank you for following up and letting us know!
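
Added example (not part of the original thread and not Pi-hole code): a minimal Router Advertisement parser, run over the 88-byte ICMPv6 payload rebuilt from the field values in the dissection posted above, that reports which channels can hand a client its DNS servers. Here the RA carries an RDNSS option and also sets the O flag, so a client may additionally query DHCPv6, where the posted dnsmasq config serves option6:dns-server. The names parse_ra, dns_sources and SAMPLE_RA are hypothetical.

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861) with RDNSS options (RFC 8106)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": struct.unpack("!H", icmp6[6:8])[0],
          "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off:off + opt_len]
        if opt_type == 3 and opt_len == 32:        # Prefix Information
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif opt_type == 25 and opt_len >= 24 and (opt_len - 8) % 16 == 0:  # RDNSS
            for i in range(8, opt_len, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += opt_len
    return ra

def dns_sources(ra: dict) -> list:
    """Channels through which a client can learn DNS servers because of this RA."""
    sources = []
    if ra["rdnss"]:
        sources.append("RDNSS")           # DNS server carried in the RA itself
    if ra["managed"] or ra["other"]:
        sources.append("DHCPv6")          # M/O flag tells the client to ask DHCPv6 too
    return sources

# Constructed sample: ICMPv6 payload rebuilt from the fields shown in the
# dissection in the thread (not the original capture file).
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0x6DCE, 64, 0x40, 1800, 0, 0)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2591819, 604619, 0)
    + ipaddress.IPv6Address("2607:fea8:34dd:e672::").packed
    + struct.pack("!BBHI", 5, 1, 0, 1500)
    + bytes([1, 1]) + bytes.fromhex("dca632680f34")
    + struct.pack("!BBHI", 25, 3, 0, 604619)
    + ipaddress.IPv6Address("2607:fea8:34dd:e672:764c:d994:2a73:3405").packed
)
```

Calling dns_sources(parse_ra(SAMPLE_RA)) returns both channels; running the same parser over every RA seen on a segment also shows which hosts are advertising DNS servers at all.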