Decrypt IPv6 in adblock logs

Hi

I have been wondering for some time how to find out which device is behind the respective IPv6 address in the LuCI interface of "adblock" under "DNS report".

Unfortunately, the option "resolve IPs" only works for me with IPv4 addresses.
So I only see the IPs without host names that I can't do anything with.

For example:

On the overview page I can see that my laptop has leased "fd32:5555:c3fc::c7c/128". (DHCPv6)

But I can't do anything with that in the log because it's not there.

If I look in the command line in Windows, I get the exact IPv6 displayed, which is also in the log of adblock. So in my case "fd32:5555:c3fc:0:f06d:dca9:8c33:be1b".

Can I also find this out in the LuCI interface so that I know which device the DNS requests are coming from?

I would venture that your laptop has IPv6 privacy options enabled, so it prefers to use its SLAAC addresses over the DHCP ones. Since dnsmasq doesn't record information from neighbor discovery, all of these SLAAC addresses remain unassociated with a hostname.

Here's one way to figure out where that address originates. Dump the IPv6 neighbor table, find the line containing that ULA, grab its corresponding MAC and look for that in the DHCP leases (made-up MACs and hostname, but using your ULA from above):

$ ip -6 neigh show dev br-lan | grep fd32:5555:c3fc:0:f06d:dca9:8c33:be1b
fd32:5555:c3fc:0:f06d:dca9:8c33:be1b lladdr 12:34:56:bf:a4:e1 used 0/0/0 probes 1 STALE

$ grep 12:34:56:bf:a4:e1 /tmp/dhcp.leases
1711567378 12:34:56:bf:a4:e1 10.1.1.184 my-laptop 01:12:34:56:bf:a4:e1

If the ip neigh show fails to list the host, you might try pinging it first, to make sure the neighbor table is up-to-date.

3 Likes
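The two lookups from the reply above, combined so that every IPv6 neighbor is mapped to a lease hostname in one pass. This is an added example, not part of the original posts; the function names are hypothetical and the sample neighbor and lease lines are constructed, reusing the made-up MAC and hostname from the reply.

```shell
# map_neighbors NEIGH_FILE LEASES_FILE  (hypothetical helper name)
# NEIGH_FILE holds saved `ip -6 neigh show` output, LEASES_FILE is the dnsmasq
# lease file. Prints "<ipv6> <mac> <hostname>"; hostname is "?" without a lease.
map_neighbors() {
    awk -v leases="$2" '
        # Lease line: <expiry> <mac> <ipv4> <hostname> <client-id>
        FILENAME == leases {
            if ($4 != "*") host[tolower($2)] = $4   # "*" = client sent no name
            next
        }
        # Neighbor line: <ipv6> [dev <if>] lladdr <mac> ... <state>
        {
            mac = ""
            for (i = 2; i < NF; i++)
                if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "") next                     # FAILED/INCOMPLETE: no MAC
            print $1, mac, ((mac in host) ? host[mac] : "?")
        }
    ' "$2" "$1"
}

# host_for_ip6 ADDR NEIGH_FILE LEASES_FILE
# ADDR is matched as a string, so write it exactly as `ip` prints it.
# Prints the hostname, "?" if no lease matches, nothing if ADDR has no MAC.
host_for_ip6() {
    map_neighbors "$2" "$3" | awk -v a="$1" '$1 == a { print $3; exit }'
}

# write_sample DIR: constructed sample data (three invented neighbors added)
write_sample() {
    cat > "$1/neigh" <<'EOF'
fd32:5555:c3fc:0:f06d:dca9:8c33:be1b lladdr 12:34:56:bf:a4:e1 STALE
fe80::1034:56ff:febf:a4e1 lladdr 12:34:56:bf:a4:e1 REACHABLE
fd32:5555:c3fc:0:1111:2222:3333:4444 lladdr 12:34:56:00:00:02 STALE
fd32:5555:c3fc::99  FAILED
EOF
    cat > "$1/leases" <<'EOF'
1711567378 12:34:56:bf:a4:e1 10.1.1.184 my-laptop 01:12:34:56:bf:a4:e1
1711567400 12:34:56:00:00:03 10.1.1.185 * 01:12:34:56:00:00:03
EOF
}

# Demo on the sample data. On the router, feed it live data instead:
#   ip -6 neigh show dev br-lan > /tmp/neigh
#   map_neighbors /tmp/neigh /tmp/dhcp.leases
demo_dir=$(mktemp -d) && write_sample "$demo_dir"
map_neighbors "$demo_dir/neigh" "$demo_dir/leases"
rm -rf "$demo_dir"
```

A "?" in the last column means the MAC has no lease, and an address missing from the output had no usable neighbor entry, which is the case where pinging the host first helps.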

Indeed my Windows 11 Laptop uses a temporary IPv6 address.

With those 2 commands I'm now able to figure out from which device the requests are sent.

Thank you efahl :)

1 Like
