Need help forwarding IPv6 DNS request from specific host to different server

bender1 · August 8, 2020, 11:39pm

Hi, I have Archer C7 v2 running OpenWrt 19.07.3 r11063-85e04e9f46. I have static IPv4 DHCP for clients so I can forward specific host to a different DNS server. I am running multiple instance of stubby on my router, default instance is with parental control and other stubby instance is less restricted DNS. I am using iptables (IPv4) to forward DNS request from specific host to less restricted DNS server and this works as expected.

But IPv6 DNS requests are going to default parental controlled DNS server. I searched but couldn't figure out how to assign static IPv6 DHCP for clients so I can do the same setup as IPv4 or do a different setup so I can forward DNS request from specific IPv6 clients to less restricted DNS instance. Any help is appreciated.

vgaetera · August 9, 2020, 9:23am

You can clone the IPv4 NAT table to IPv6 NAT table to intercept both DNS and DNSv6 queries:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#nat6
It should work if your services listen on the same ports in dual-stack mode.

mikma · August 9, 2020, 11:15am

You can configure those ipv6 addresses on the openwrt router unless you need to connect to them for other reasons than dns, (Assign them as /128 to an interface using alias @loopback.)

bender1 · August 9, 2020, 9:11pm

Sure, I can add add intercept rules for IPv6 but how would I do that only for specific host as IPv6 keeps changing for the client and I do not want to redirect all clients. Sorry, am I missing something here?

bender1 · August 9, 2020, 9:13pm

Could you please provide an example of the configuration as I am not sure I follow what to configure on OpenWRT router?

vgaetera · August 9, 2020, 9:22pm

There'a also an alternative approach, which should work without redirects:

Set up DHCP tags with different dhcp_options.
Make each DNS instance to listen on a specific interface.
Allow DNS queries outside of the interface subnet.

bender1 · August 10, 2020, 12:34am

Thanks @vgaetera, redirect with mac could work, I will give that a try.

Also, curious on the alternative approach as that might be easier to setup. Could you please share some configuration or links to the configuration on that approach?

vgaetera · August 10, 2020, 4:23am

Actually, the alternative approach can be implemented in 2 different ways:

mikma · August 10, 2020, 10:02am

This way:

uci set network.googledns=interface
uci set network.googledns.proto=static
uci set network.googledns.ifname=@loopback
uci add_list network.googledns.ip6addr=2001:4860:4860::8888/128
uci add_list network.googledns.ip6addr=2001:4860:4860::8844/128
uci add_list network.googledns.ipaddr=8.8.8.8/32
uci add_list network.googledns.ipaddr=8.8.4.4/32
uci commit network
ifup googledns

treysis · August 13, 2020, 7:48am

What type of clients are we talking about? Wired? Wireless? Both?

I think the IPv6-way works like this:
-Use one prefix for restricted and another prefix for unrestricted
-setup two wifi networks, one for each prefix

The only problem I see with this is that multicast isn't passed between subnets. You'd need a multicast proxy...and I am not sure how well this works if you e.g. want to use e.g. DLNA/media streaming between the two prefixes.

EDIT: disregard that. Using ip6tables rules to match MAC addresses is - in your setup - the better and easier way.