Can't disable ip6 - on the router

@lleachii what openwrt guide?

the problem is that I can't see where I can disable IPv6 on the Amazon Fire HD10

and there is no ipv6 at all

so no clue why that client is getting an ipv6 address... ;/

let's see the text configs:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp

@psherman is there anything specific that I should look for in these files?

thanks!

Well, in the DHCP file we're looking to see if there are any IPv6-related entries for the lan server. In the network file we want to see if there is a wan6 defined.

Post them and we can probably quickly identify anything in these files that would be related to your issue.

Every IPv6 compatible interface should assign itself a link-local IP (starts with fe80). That is done locally in the device. The question of how to prevent an Amazon Fire from doing that is outside the scope of this forum.


hello,

root@OpenWrt-main-router:~# cat /etc/config/network | grep wan
        option name 'wan'
config interface 'wan'
        option device 'wan'

dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '160'
        option limit '80'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

@mk24
i can see a fe80:: addr and for dns
fddc:...

the problem is that while there is an ipv6 address assigned to the device, I am not able to resolve my "hairpinning ips" which I defined

inside /etc/dnsmasq.conf
address=/xxxx.duckdns.org/10.0.1.104

In case ipv6 is disabled on the device interface, all works fine.

When the Fire looks up a name, it doesn't use your router's DNS server?

That is often by design in IoTs. They go to an external DNS that the manufacturer controls.

@mk24 it shows 3 dns ips,
ipv6 address, my router ip, and 8.8.8.8

no idea how/from where it gets ipv6 address and 8.8.8.8

But this is happening on the Fire HD10 2019; on the same one but from 2017, where there is no ipv6 addr, all works fine.

Well, it sounds crazy - i.e. I can't control DNS ... ;-( so I assume there is no hack for that?

You can do more to disable IPv6 in openwrt compared to what is written in the article from 3os.org you linked.
Impossible to build image without IPV6

maybe it's really a DNS issue as @mk24 said; the fire from 2017 also has an ipv6 addr assigned, I just can't see the DNS address... it's android v5

maybe with the newer android version they "messed up" dns - so the question would be ... how to force all devices to use my own local DNS server instead of the hardcoded dns's from the device vendor.

@reinerotto I think I already tried that - as I had a similar issue with an android phone... but it didn't work for me.

Strange. I do something very similar, but using "raw" iptables commands, and this works for Android, at least. "Raw" iptables cmds, because I never use the openwrt firewall, but simple iptables, which is much easier to maintain, and very well documented. Only possible in self-compiled openwrt, though. The starting part is the REDIR of destination port 53 to your listening dnsmasq. Android often uses fixed 8.8.8.8 for DNS, so this will be hijacked. Because of DoH and DoT this might not be enough, but you can test this by disabling it in your PC's browser. In the worst case, you need to block the IPs of all well-known DoH and DoT servers, to force the usage of simple DNS. This is also done in the article referenced, using ipset. Reading the article, I must agree that it should work, because I do the same, only with native iptables firewall. The only method to circumvent it is a VPN. Or usage of a DoH server not (yet) in the list.

hello,
maybe the article is out of date? As far as I can remember these doh/dot ips are old (from when I was trying ipset)

Do you mind to share your iptables rules?
Do you mean to install my own DoH-server? Still android/amazon fire will try to find their own DoH server, i assume?

Could you elaborate on this > "Because of DoH and DoT this might be not enough, but you can test this by disabling in your PCs browser. "

No. Your router must only block the IP of the DoH server(s) the Android/Fire uses. Which should force a fallback to simple DNS. In most Win browsers DoH/DoT is now enabled and used as default. But using config options, you can disable it.
The real challenge here is the completeness of the list of DoH IPs. '1.1.1.1' for sure is not good enough :) Also, IPv6 has to be taken into consideration; to be disabled, if not really required.

Show us the first 64bit of the ipv6 address. If it's private there's nothing you can do about it.


@ppmm it has
i can see a fe80:: addr and for dns
fddc:...

but I don't have the device now ... and it's strange ... but today it started to work properly.

Those are automatic link-local addresses. Not routable outside the LAN.
IPv6-enabled devices generate them randomly if there is no DHCPv6 or RA assignment in the LAN.

fe80 is real link-local, while the fddc... is a ULA address, routable only inside your LAN. Similar to 192.168.x.x for IPv4.
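As an added example that is not part of the thread (not a poster's code and not OpenWrt's own tooling), a small Python script doing the two checks discussed above: it parses the posted 'dhcp lan' section to report whether the router would run RA or DHCPv6 on the LAN (what @psherman asked to look for), and classifies the fe80:: and fddc: addresses the Fire reports as link-local or ULA. The minimal UCI parser and the "absent option means disabled" default are assumptions of this example.

```python
import ipaddress

# Constructed sample: the 'dhcp lan' section exactly as posted in the thread.
SAMPLE_DHCP = """\
config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '160'
        option limit '80'
        list ra_flags 'none'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, options); 'list' keys become lists."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith('#'):
            continue  # blank line or comment
        if parts[0] == 'config':
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] in ('option', 'list') and sections and len(parts) == 3:
            key, value = parts[1], parts[2].strip().strip("'\"")
            opts = sections[-1][2]
            if parts[0] == 'list':
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections

def ipv6_server_roles(sections, iface='lan'):
    """OpenWrt 'ra'/'dhcpv6' take server/relay/hybrid/disabled; an absent
    option is treated as 'disabled' here (assumed default)."""
    for stype, _name, opts in sections:
        if stype == 'dhcp' and opts.get('interface') == iface:
            return {k: opts.get(k, 'disabled') for k in ('ra', 'dhcpv6')}
    return None  # no dhcp section for that interface

def ipv6_scope(addr):
    """Classify a client-reported IPv6 address the way the thread does."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return 'link-local'  # fe80::/10: self-assigned on every IPv6 interface
    if a in ipaddress.IPv6Network('fc00::/7'):
        return 'unique-local'  # ULA, routable inside the LAN only
    return 'other'  # global or special-purpose
```

With the posted config the LAN section has neither 'ra' nor 'dhcpv6', so the router itself hands out no IPv6 addresses; the fe80:: and fddc: addresses come from the client side.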

Address block (CIDR)      First address  Last address                             Number of addresses  Usage              Purpose
fc00::/7                  fc00::         fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  2^121                Private internets  Unique local address[34]
fe80::/64 from fe80::/10  fe80::         fe80::ffff:ffff:ffff:ffff                2^64                 Link               Link-local address

  • fe80::/10 - Addresses in the link-local prefix are only valid and unique on a single link (comparable to the auto-configuration addresses 169.254.0.0/16 of IPv4).
    Within this prefix only one subnet is allocated (54 zero bits), yielding an effective format of fe80::/64. The least significant 64 bits were previously chosen as the interface hardware address constructed in modified EUI-64 format, but are now pseudo-random values for privacy. A link-local address is required on every IPv6-enabled interface; in other words, applications may rely on the existence of a link-local address even when there is no IPv6 routing.
  • fc00::/7 - Unique local addresses (ULAs) are intended for local communication[34] (comparable to IPv4 private addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16).
    They are routable only within a set of cooperating sites. The block is split into two halves. The lower half of the block (fc00::/8) was intended for globally allocated prefixes, but an allocation method has yet to be defined. The upper half (fd00::/8) is used for "probabilistically unique" addresses in which the /8 prefix is combined with a 40-bit locally generated pseudorandom number to obtain a /48 private prefix. The way in which such a 40-bit number is chosen results in only a negligible chance that two sites that wish to merge or communicate with each other will use the same 40-bit number, and thus use the same /48 prefix.