I am connecting my OpenWrt router to my ISP router. In LuCI I have disabled every IPv6 property I could find. However, browserleaks.com shows that my router still has IPv6 DNS.
You cannot totally disable IPv6, as it is baked into the kernel nowadays, but you can switch off some things by doing the following:
# Turn off IPv6 on the LAN and WAN interfaces
uci set network.lan.ipv6='0'
uci set network.wan.ipv6='0'
# Disable RA and DHCPv6 so no IPv6 addresses are handed out on the LAN
uci -q delete dhcp.lan.dhcpv6
uci -q delete dhcp.lan.ra
# Disable prefix delegation to the LAN
uci set network.lan.delegate='0'
# Delete the IPv6 ULA prefix
uci -q delete network.globals.ula_prefix
# Disable odhcpd
/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
# Save changes and restart networking
uci commit
/etc/init.d/network restart
Optionally, you can disable local address assignment via sysctl.conf:
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
The loopback is left with IPv6 in case some daemon needs to be additionally reconfigured to disable its IPv6 sockets.
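Once the changes above are applied, the question worth answering is not "does a nameserver somewhere have an IPv6 address" but "can this box still originate IPv6 traffic at all", which needs a non-link-local address and a default route. The following checker is an added example, not code from the post or from OpenWrt; it runs on a laptop against the output of `ssh router 'ip -6 addr show'` and `ssh router 'ip -6 route show'`. The before/after outputs embedded here are constructed (documentation prefix 2001:db8::/32, a made-up ULA), and the classification uses the address bits rather than the word after `scope`, because ip(8) prints `scope global` for ULA addresses as well.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` / `ip -6 route show` BEFORE the uci
# changes: a delegated global prefix, the ULA prefix and a default route.
BEFORE_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2::1/64 scope global dynamic
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fd12:3456:789a::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
"""
BEFORE_ROUTE = """\
default from 2001:db8:1:2::/64 via fe80::1 dev eth0 proto static metric 512
2001:db8:1:2::/64 dev br-lan proto static metric 1024
fd12:3456:789a::/60 dev br-lan proto static metric 1024
fe80::/64 dev br-lan proto kernel metric 256
"""
# Constructed sample AFTER: only loopback and the kernel's link-local remain.
AFTER_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
"""
AFTER_ROUTE = "fe80::/64 dev br-lan proto kernel metric 256\n"

ULA = ipaddress.IPv6Network("fc00::/7")  # the range network.globals.ula_prefix is drawn from
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)", re.M)


def classify_addrs(addr_text):
    """Bucket every inet6 address by kind, deciding from the address bits."""
    buckets = {"global": [], "ula": [], "link_local": [], "loopback": []}
    for m in INET6_RE.finditer(addr_text):
        addr = ipaddress.IPv6Address(m.group(1))
        entry = f"{addr}/{m.group(2)}"
        if addr.is_loopback:
            buckets["loopback"].append(entry)
        elif addr.is_link_local:
            buckets["link_local"].append(entry)
        elif addr in ULA:
            buckets["ula"].append(entry)
        else:
            buckets["global"].append(entry)
    return buckets


def has_default_v6_route(route_text):
    """True if any route line is a default route ('default via' or 'default from ... via')."""
    return any(line.split()[:1] == ["default"] for line in route_text.splitlines())


def ipv6_internet_capable(addr_text, route_text):
    """The box can send IPv6 beyond its links only with a global address AND a
    default route; an IPv6 nameserver in a lease, or an AAAA answer, changes
    nothing without both."""
    return bool(classify_addrs(addr_text)["global"]) and has_default_v6_route(route_text)


def report(addr_text, route_text):
    b = classify_addrs(addr_text)
    return "\n".join([
        f"global: {b['global'] or '-'}",
        f"ula: {b['ula'] or '-'}",
        f"link-local: {b['link_local'] or '-'}",
        f"default v6 route: {'yes' if has_default_v6_route(route_text) else 'no'}",
        f"IPv6 internet-capable: {ipv6_internet_capable(addr_text, route_text)}",
    ])


if __name__ == "__main__":
    print("before:\n" + report(BEFORE_ADDR, BEFORE_ROUTE))
    print("after:\n" + report(AFTER_ADDR, AFTER_ROUTE))
```

If the "after" report still lists a ULA address, `network.globals.ula_prefix` was not actually removed or committed; if it lists a global address with a default route, the upstream is still delegating a prefix and the LAN clients can use IPv6 regardless of what the leak page shows.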
Turn OFF IPv6
At the moment CyberGhost VPN does not support IPv6, therefore sometimes users can experience issues with connection or leaks that are related specifically to IPv6.
To disable IPv6 support on your Debian device, please visit How to disable IPv6 for Linux
I did disable IPv6 on all of my devices (including the OpenWrt router itself) as they required, but it seems like HOT NET is forcing IPv6 on me.
Worth mentioning that it's extremely difficult to make HOT NET stop forcing IPv6 on me, because I live in student dormitories and I am not their direct client (their client is the university).
Maybe start by explaining how it detects and defines a "leak".
Just because you got v6 addresses as a DNS answer does not mean there is any "leak".
And just because your ISP offers a v6 nameserver also does not mean there is any "leak".
I'm not sure how I can rephrase my intended message....
If you have no global IPv6 address and no routes, neither on your router nor on your client device ... how would you use IPv6 in the first place?
The only thing this screenshot shows is that your provider offers a v6 nameserver and maybe your client got it assigned automatically.
But if you have no v6 address, you cannot use this nameserver. And if an IPv4 or IPv6 nameserver answers your queries with a v6 address, you CAN NOT connect to it, because you still have no IPv6.
But still: why do people think it is a good idea to disable IPv6?
Edit/PS: Please provide a link to that twat page; it is not clear what and how they test...
As I said, I am connecting my OpenWrt to my ISP router, and the ISP router is using IPv6 without me being able to disable it through their web UI (I would need to contact customer service to shut it off, and that's impossible in my case).
I don't mind having IPv6 enabled, but as I said, CyberGhost does not support IPv6; they require me to turn it off.
I'm not the one to blame in this case. The problem is the ISP and Cyberghost and each side makes my life harder.
How is your OpenWRT router connected to the ISP router?
Is your OpenWRT router connected with its wan to the ISP router and on a different subnet?
Perhaps better to show your configs:
Please connect to your OpenWRT device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have, but do not redact private RFC 1918 IP addresses, as that is not needed:
ubus call system board
ifstatus wan6
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show
Oh, and an ISP does not force anything; it offers e.g. IPv6 (if you are lucky).
But a decent VPN provider can work with both IPv4 and IPv6. If not, for WireGuard just route IPv6 via the tunnel (which in effect blocks IPv6).
I'll send you all that information in private message asap.
Worth mentioning that CyberGhost supports WireGuard only through their CLI/GUI, so with this method of commands and configuration files they only support OpenVPN; thus WireGuard is not an option for me.
The reason to check for DNS leaks is to verify that you aren't using the DNS servers of your ISP when you use a VPN. The IP addresses you see on the page are those of the DNS resolvers that connected directly to the DNS server they use in their leak detection.
Most people don't run their own recursive DNS server that would show up on the DNS leak page, but forward their DNS requests to external servers such as the ISP's servers.
Are you sure you see your own IPv6 address, and not the IPv6 address of your ISP's DNS server?
Incorrect network configurations or faulty VPN/proxy software can lead to your device sending DNS requests directly to your ISP's server, potentially enabling ISPs or other third parties to monitor your online activity.
Since I can't tell my ISP what to do, I contacted CyberGhost, and they failed to help (that's the simplest way to describe their "help").
So I tried Mullvad and now there's no DNS leak.
Though I don't have to, I'll do a factory reset of the router to re-enable IPv6 (Mullvad supports IPv6).
The solution is: If you're in Israel, avoid HOT NET. if you can't avoid HOT NET, do not, under any circumstances, waste your money on CyberGhost.
Mullvad with WireGuard: easy to configure, supports OpenWrt and IPv6. The best solution.
If I were tasked with designing DNS leak test I would do this:
I would let client do DNS queries to some randomized hostnames ({random}.myzone.tld) that are in a DNS zone that I own authoritative DNS servers for. Then I would log IPs of DNS queries to these randomized hostnames. The random part would serve to match individual tests.
If this is how it works then whether you see IPv6 in the list is utterly irrelevant.
You probably did in fact disable IPv6. You are probably doing no DNS queries to any IPv6 address, as IPv6 is unreachable for you. I don't believe an ISP can really force IPv6 on you. (With the exception of IPv6-only networks where you tunnel IPv4 via NAT64, and even then you can still disable it; you would just lose all connectivity.)
You see IPv6 because some recursive DNS servers are doing these queries over IPv6, not your PC directly.
I tried the DNS leak test with IPv6 disabled and saw both the IPv4 and IPv6 of my DNS provider of choice in the table. Conversely, when I disabled IPv4, again I saw both IP families in the list.
IMHO
ISP is not forcing IPv6 on anybody.
The IPv6 address in the leak test does not necessarily indicate a DNS leak.
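The design sketched in this reply (a random label under a zone you own, matched against the source addresses your authoritative server sees) is simple enough to model end to end. The code below is an added illustration written for this thread, not any leak-test site's implementation; `myzone.tld`, the resolver prefixes and the query log are all constructed. The point it makes concrete is the one above: the addresses that come back are resolver addresses, so a resolver that reaches the authoritative server over IPv6 shows up as IPv6 even when the client has no IPv6 at all, and the actual leak verdict is "is this resolver one the VPN provider operates", regardless of address family.

```python
import ipaddress
import secrets
from collections import defaultdict

# Assumption: we run the authoritative nameservers for this (hypothetical) zone.
ZONE = "myzone.tld"


class LeakTest:
    """Authoritative side of the test: hands out unique probe names and records
    which resolver addresses asked for each of them."""

    def __init__(self):
        self.active = set()               # tokens handed to clients
        self.sources = defaultdict(set)   # token -> resolver IPs that queried it

    def new_probe(self):
        """Unique, unguessable hostname for one client run."""
        token = secrets.token_hex(8)
        self.active.add(token)
        return f"{token}.{ZONE}"

    def on_query(self, qname, src_ip):
        """Called for every query that reaches our authoritative server."""
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) != 3 or ".".join(labels[-2:]) != ZONE:
            return                        # not one of our probe names
        token = labels[0]
        if token in self.active:
            self.sources[token].add(src_ip)

    def resolvers_for(self, probe_name):
        token = probe_name.split(".")[0]
        return sorted(self.sources[token])


def classify(resolver_ips, trusted_prefixes):
    """Split observed resolver addresses into ones inside the VPN provider's
    resolver prefixes and everything else. Address family is never consulted."""
    nets = [ipaddress.ip_network(p) for p in trusted_prefixes]
    verdict = {"trusted": [], "leaked": []}
    for ip in resolver_ips:
        addr = ipaddress.ip_address(ip)
        key = "trusted" if any(addr in n for n in nets) else "leaked"
        verdict[key].append(ip)
    return verdict


# Constructed prefixes standing in for the VPN provider's resolvers (v4 and v6)
VPN_RESOLVERS = ["198.51.100.0/24", "2001:db8:53::/48"]


def simulate(client_leaks):
    """Replay a constructed authoritative query log for one probe. The VPN's
    resolver asks over both families; a leaking client additionally lets the
    ISP's resolver ask for the same name."""
    test = LeakTest()
    probe = test.new_probe()
    log = [
        ("www.example.com.", "203.0.113.99"),                 # unrelated query, ignored
        (probe, "2001:db8:53::1"),                            # VPN resolver, over IPv6
        (probe, "198.51.100.7"),                              # VPN resolver, over IPv4
        (f"{secrets.token_hex(8)}.{ZONE}", "198.51.100.7"),   # token never issued, ignored
    ]
    if client_leaks:
        log.append((probe, "203.0.113.10"))                   # ISP resolver (constructed)
    for qname, src in log:
        test.on_query(qname, src)
    return classify(test.resolvers_for(probe), VPN_RESOLVERS)


if __name__ == "__main__":
    print("client fully tunnelled:", simulate(client_leaks=False))
    print("client leaking to ISP: ", simulate(client_leaks=True))
```

In the tunnelled case the result contains an IPv6 address and is still clean; in the leaking case the offending entry is an IPv4 address. A leak page that just lists addresses leaves that classification to the reader.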
@egc I agree that it might be good to change these in the router. Still, a properly configured VPN on the desktop should override it. For instance, on my OpenWrt router I run unbound forwarding via DoT to CF resolvers. But when I turn on my VPN on my Linux laptop, it forces my local resolver (systemd-resolved) to forward to the VPN's DNS servers, irrespective of router settings.
resolvectl
...
Link 65 (tun0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute LLMNR=resolve +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.2.32.1
       DNS Servers: 10.11.5.19 10.2.32.1
        DNS Domain: ~.
     Default Route: yes
That tilde-dot part forces all queries to go via the VPN. tun0 is my VPN interface.
EDIT:
addendum:
@shagiss I wonder, did you install the VPN on your desktop/laptop? Was it on Linux? Do you use NetworkManager and systemd-resolved?
If so what is the output of resolvectl when VPN is connected?
What is your configuration for the VPN in /etc/NetworkManager/system-connections?
Did the config contain something like:
[ipv4]
dns-priority=-1
dns-search=~.;
?
EDIT2:
Or, in the case of systemd wg-quick, did you have a line like PostUp = resolvectl domain %i ~. in the config?
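Whether the `~.` routing domain actually landed on the VPN link is something you can check mechanically rather than by eyeballing `resolvectl` output. The parser below is an added example for this thread, not part of systemd or NetworkManager; its input is a constructed status listing modelled on the block quoted above, with a LAN uplink `wlan0` added and `fd12:3456:789a::1` as a made-up router address. The routing rule it applies is a simplification of resolved's documented behaviour: a query goes to the links whose routing domains match the name (`~.` matches everything), and only when no routing domain matches does it fall back to the links marked as default route. A tun0 without `~.` therefore shares every query with the LAN link, which is exactly the leak being discussed.

```python
import re

# Constructed `resolvectl` output: the LAN uplink plus a VPN tun0 carrying ~.
SAMPLE = """\
Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 fd12:3456:789a::1
     Default Route: yes

Link 65 (tun0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute LLMNR=resolve +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.2.32.1
       DNS Servers: 10.11.5.19 10.2.32.1
        DNS Domain: ~.
     Default Route: yes
"""
# The same listing with the ~. line missing, i.e. a wg-quick/NetworkManager
# profile that never ran `resolvectl domain %i ~.` or set dns-search=~.
BROKEN = "\n".join(l for l in SAMPLE.splitlines() if "DNS Domain" not in l) + "\n"

LINK_RE = re.compile(r"^Link\s+\d+\s+\((\S+)\)\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z .]*?):\s*(.*)$")


def parse_links(text):
    """Return {iface: {key: value}} for each 'Link N (iface)' block; Global is skipped."""
    links, current = {}, None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            current = links.setdefault(m.group(1), {})
            continue
        if line.startswith("Global"):
            current = None
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1).strip()] = kv.group(2).strip()
    return links


def query_targets(links):
    """Links that receive a query for an arbitrary name (simplified rule, see lead-in)."""
    catch_all = sorted(name for name, kv in links.items()
                       if "~." in kv.get("DNS Domain", "").split())
    if catch_all:
        return catch_all
    return sorted(name for name, kv in links.items() if kv.get("Default Route") == "yes")


def servers(links, iface):
    return links[iface].get("DNS Servers", "").split()


def leak_check(text, vpn_iface):
    """Verdict for a VPN interface: every ordinary query must be routed only to it."""
    links = parse_links(text)
    targets = query_targets(links)
    return {
        "targets": targets,
        "ok": targets == [vpn_iface],
        "vpn_servers": servers(links, vpn_iface) if vpn_iface in links else [],
    }


if __name__ == "__main__":
    print("with ~. on tun0:   ", leak_check(SAMPLE, "tun0"))
    print("without ~. on tun0:", leak_check(BROKEN, "tun0"))
```

Run it as `resolvectl | python3 check.py` after adapting `__main__` to read stdin; a result whose `targets` list contains anything besides the VPN interface means the router-side DNS settings (or the ISP's, via DHCP on the uplink) are still in play for that laptop.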