IPv6 DNS in relay mode

My ISP assigns me a /64 prefix for IPv6, so I'm forced to use IPv6 relay mode. If I disable peer DNS and use custom DNS for WAN and WAN6, I'm still seeing ISP DNS in dnsleaktest.

I realised it is my DHCP-assigned DNS for v6 that's causing these issues, so I tried changing them by doing:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        list dns '2606:4700:4700::1112'

But this disables IPv6 altogether on my router.

How can I solve this?

You can run an IPv6 network with just a /64 prefix without requiring relay mode. Are you planning to run multiple networks? This is a legitimate use case, but I just want to keep things clear.

If you genuinely need a smaller prefix, first see if you can configure your router to just ask the ISP for it. Put the router back to its default configuration and try:

  1. Go to LuCI → Network → Interfaces → Edit WAN6.
  2. Ensure "Request IPv6-address" is set to "try".
  3. Change "Request IPv6-prefix of length" to "56".
  4. Restart the WAN6 interface.

If this doesn't work, try again with prefix set to 60.

Specifying a custom DNS server belongs in the wan(6) block in /etc/config/network and nowhere else. Also, if the ISP DNS is suspect, you'd want to set peerdns to 0 in that WAN section so that the ISP's DHCP-advertised DNS server is not installed into the list.

So the ISP doesn't delegate any IPv6 prefixes? You're all on a switched network? Although I've heard this is how it's sometimes done in virtual private servers, I've never seen this for ISP deployments.

Can you put your router back into its default configuration and connect it to your ISP as normal? Give it a few minutes and take a look at the LuCI homepage. OpenWrt has had working IPv6 support for years now, so it should pick up any delegated prefixes.

If the ISP is delegating you a prefix, you should see "Prefix Delegated" in addition to "Address" in the "IPv6 Upstream" box. Can you check this for us?

Regarding your DNS issue: please install bind-dig and run
dig +short CHAOS TXT id.server @1.1.1.1

Then the same with IPv6 address.

This is the result:

root@Main-Router:~# dig +short CHAOS TXT id.server @1.1.1.1
"BOM"
root@Main-Router:~# dig +short CHAOS TXT id.server @2606:4700:4700::1111
"BOM"

It would be nice to clarify what is in place here:
ISP really gives your OpenWrt router a single /64 prefix
OR
ISP assigns something to your ONT that in turn gives OpenWrt router a single /64 prefix

Then I have reasons to believe that the requests were answered by the local Cloudflare servers ("Bombay").
Check with logread | grep nameserver if you have any other server mentioned.

Yeah, sorry, I should have mentioned it earlier: I'm connected to my ISP ONT from LAN to WAN in a double NAT, as there's no bridge mode option.

This ONT is heavily locked, so bridge, DMZ, static routes: all those options are dead for me, unfortunately.

Looks like that's indeed the case, your ISP doesn't delegate any IPv6 prefixes.

You need to set the WAN6 interface as the "master" interface for relaying to work.

  1. Go to LuCI → Network → Interfaces → Edit WAN6 → "DHCP Server" tab
  2. Click "Set up DHCP Server" then go to "IPv6 Settings" tab
  3. Select "Designated master" check box
  4. Select "relay mode" for "RA-Service", "DHCPv6-Service", and "NDP-Proxy".
  5. Click "Save" and "Save & Apply".

Then do the same for the LAN interface, except do not select the "Designated master" checkbox.
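What the two pieces of advice above amount to in UCI terms (the custom DNS belonging only in the wan6 block with peerdns off, and wan6 as designated master with lan relaying), as an added example that is not config from the original thread or from the OpenWrt documentation. The interface names wan6 and lan, the `@wan` device alias (22.03 and later syntax), and the Cloudflare resolver addresses are assumptions; replace them with what is actually on the router.

```uci
# /etc/config/network (fragment; added example, values are assumptions)
config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        # Do not install the resolvers the ISP advertises over DHCPv6/RA;
        # this is the ONLY place a custom resolver list belongs.
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

# /etc/config/dhcp (fragment; added example)
# wan6 is the designated master: odhcpd relays the upstream router's
# RA, DHCPv6 and NDP traffic from this interface to the LAN.
# "ignore" keeps dnsmasq from serving DHCPv4 towards the ONT.
config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

# lan relays the same three services but is NOT master,
# and carries no "list dns": in relay mode odhcpd does not
# originate RA/DHCPv6 options of its own here.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
```

After `uci commit` and `/etc/init.d/network restart` followed by `/etc/init.d/odhcpd restart`, `logread | grep nameserver` should show dnsmasq using only the resolvers from the wan6 block. One caveat worth checking before concluding the ISP intercepts port 53: in relay mode the ONT's own RA and DHCPv6 replies (including any resolver options they carry) can be passed through to LAN hosts, and those hosts may then query the ISP resolvers over IPv6 directly, bypassing dnsmasq. The wan6 dns list only controls what the router itself forwards to, so look at the resolver list on the test PC as well as on the router.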

Sorry, but a more accurate description would be:
your ONT acting as a router cannot delegate any IPv6 prefixes

If this is the case with this ISP then the difference is moot. If the ONT can be put into bridge mode then of course I would recommend this course of action, but if what @Sid said is true then there are effectively no IPv6 prefixes that can be used here.


Yes, that is what I have to do to get IPv6 to work, plus I also need to enable relay mode for all three services on the LAN interface too.

This is what I see with logread:

Tue Mar  5 03:55:37 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Tue Mar  5 03:55:37 2024 daemon.info dnsmasq[1]: using nameserver 2606:4700:4700::1112#53

When I run dnsleaktest I see CF servers as expected, but also ISP DNS servers.

Does this mean they’re hijacking dns?

That was my guess. If this is the case, you can try using encrypted DNS communication. But first check whether the PC that was used for the test has another server configured.
My personal choice is DNS-over-TLS using stubby.

I concur with @AndrewZ: you may need to set up DNS-over-TLS as already suggested:

https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby

or alternatively set up DNS-over-HTTPS:

https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

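The DNS-over-TLS route the two replies above point at (the dot_dnsmasq_stubby wiki page), as an added example that is neither from the thread nor copied from the wiki: stubby terminates TLS to the upstream resolvers on port 853 and listens on localhost, and dnsmasq forwards every query there instead of to anything learned from the WAN. The option names follow the defaults shipped in the OpenWrt stubby package's /etc/config/stubby; the Cloudflare addresses and TLS authentication name are assumptions, so compare against the file the package installs.

```uci
# /etc/config/stubby (fragment; added example, resolver values are assumptions)
config stubby 'global'
        option manual '0'
        option trigger 'wan'
        # Listen only on loopback; dnsmasq is the sole client.
        list listen_address '127.0.0.1@5453'
        list listen_address '0::1@5453'
        # Strict mode: authenticate the upstream certificate and fail
        # closed instead of falling back to plaintext port 53.
        option tls_authentication '1'
        list dns_transport 'GETDNS_TRANSPORT_TLS'

config resolver
        option address '1.1.1.1'
        option tls_auth_name 'cloudflare-dns.com'
        option tls_port '853'

config resolver
        option address '2606:4700:4700::1111'
        option tls_auth_name 'cloudflare-dns.com'
        option tls_port '853'

# /etc/config/dhcp, dnsmasq section (fragment; added example)
config dnsmasq
        option domainneeded '1'
        option localservice '1'
        # Ignore /etc/resolv.conf and everything learned from WAN DHCP/RA
        # entirely; forward only to stubby's local DoT listener.
        option noresolv '1'
        list server '127.0.0.1#5453'
        list server '0::1#5453'
```

After `uci commit`, `/etc/init.d/stubby restart` and `/etc/init.d/dnsmasq restart`, `dig +short CHAOS TXT id.server @127.0.0.1 -p 5453` should answer the way the earlier queries against 1.1.1.1 did, and `logread | grep nameserver` should list only 127.0.0.1#5453 and 0::1#5453. This protects the queries that pass through the router's dnsmasq; a LAN host that has picked up the ISP's resolver addresses from relayed RA or DHCPv6 options and queries them directly over IPv6 is not covered, which is why the client's own resolver configuration needs to be checked as well.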

Thanks for helping @AndrewZ and @elbertmai
