OpenWrt as DNS Provider and IPv6 Annoyances

Hello,

I'm using OpenWrt on a small ARM SBC (similar to the Rpi) to work as my IPv4 DHCP and DNS server (with SmartDNS etc). In my network I still keep the ISP's router as the gateway and the OpenWrt device only does DHCP/DNS:

dhcp.lan.dhcp_option='6,172.20.1.1' '3,172.20.1.254' '121,172.20.3.0/24,172.20.1.1'

OpenWrt is 172.20.1.1 and the router ISP is 172.20.1.254. This setup works really well with IPv4. With the options above I can tell computers connected to the network who's the gateway, the DNS server and push an extra route.

Now with IPv6 my ISP does SLAAC and they don't provide any way to disable it. This means devices on the network get a public IPv6 but also get the ISP's router as an IPv6 DNS server via router advertisements.

Since modern operating systems always prefer IPv6, macOS for instance totally ignores the OpenWrt IPv4 DNS server and goes straight to the ISP's router:


EliteMac:~ tcb13$ dig google.com
;; ANSWER SECTION:
google.com.		208	IN	A	172.217.17.14

;; Query time: 3 msec
;; SERVER: 2001:8a-----00::1#53(2001:8a-----00::1)
;; WHEN: Sat Nov 26 20:06:06 WET 2022
;; MSG SIZE  rcvd: 55

This totally defeats and bypasses my OpenWrt DNS.

Now, I've tried to play around with IPv6's Router Advertisements with the idea that I could eventually be able to tell my devices that there's another DNS server. For this I added this to OpenWrt:

root@openwrt:~# uci show dhcp.lan
(...)
dhcp.lan.ra='server'
dhcp.lan.dns='fe80::1:---:---:a2'
dhcp.lan.ra_default='2'
dhcp.lan.ra_maxinterval='20'
dhcp.lan.ra_mininterval='10'
dhcp.lan.domain='lan'
dhcp.lan.ra_preference='high'

With Wireshark I can see those RA's broadcasted:

// ip.version == 6 && icmpv6.type == 134
Frame 53090: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface en0, id 0
Ethernet II, Src: MS-NLB-PhysServer-xx_xx:xx:00:a2 (xx:xx:xx:xx:00:a2), Dst: IPv6mcast_01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::1:---:---:a2, Dst: ff02::1
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x4911 [correct]
    [Checksum Status: Good]
    Cur hop limit: 64
    **Flags: 0x48, Other configuration, Prf (Default Router Preference): High**
    Router lifetime (s): 0
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Source link-layer address : xx:xx:xx:xx:00:a2)
    ICMPv6 Option (MTU : 1500)
    **ICMPv6 Option (Recursive DNS Server fe80::1:---:---:a2)**
    ICMPv6 Option (DNS Search List Option lan)
    ICMPv6 Option (Advertisement Interval : 20000)

As you can see, the OpenWrt SBC is advertising itself, fe80::1:---:---:a2, as a DNS server with high priority, but macOS doesn't seem to do anything with those RAs. It keeps only the IPv6 DNS server from the ISP router's RAs.

  1. Is this something to expect "by design" in IPv6 or a macOS bug?
  2. Is there any other way around it (that doesn't mean manually configuring each device)?

Thank you.

The lifetime of the RA is 0, so I imagine most clients will ignore it. ra_lifetime should default to 1800, but I'm not sure how it behaves with odhcpd running on a device not doing the routing.

1 Like
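The advertisement quoted above and the lifetime question it raises, as an added example that is not part of the thread or of odhcpd: a Python decoder that builds a constructed RA with the same shape as the Wireshark decode (flags 0x48, Router Lifetime 0, source link-layer, MTU, RDNSS, DNSSL and Advertisement Interval options), applies the RFC 4861 receive checks (hop limit 255, link-local source, valid ICMPv6 checksum, no zero-length option) and reports what a host takes from it. The source MAC, the address fe80::1:0:0:a2 and the 1800 s RDNSS lifetime are assumed stand-ins for the redacted values. The point it makes explicit is that two different lifetimes are in play: Router Lifetime only decides whether the sender goes on the default router list (RFC 4861 section 4.2), while the RDNSS option carries its own Lifetime field (RFC 8106), so checking a capture means looking at which of the two is actually zero.

```python
"""Decode an ICMPv6 Router Advertisement the way a host does (added example, constructed data)."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_MTU, OPT_ADV_INTERVAL, OPT_RDNSS, OPT_DNSSL = 1, 5, 7, 25, 31
PREFERENCE = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}  # RFC 4191 Prf field


def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(payload), 58) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src, dst, *, router_lifetime, flags, rdnss, rdnss_lifetime, search="lan"):
    """Build an RA with the option set seen in the capture; the MAC is a constructed value."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode() for label in search.split(".")) + b"\x00"
    dnssl_body = struct.pack("!HI", 0, rdnss_lifetime) + name
    pad = (-(2 + len(dnssl_body))) % 8  # DNSSL is zero-padded to a multiple of 8 bytes
    opts = (
        struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes([0x02, 0, 0, 0, 0, 0xA2]))
        + struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
        + struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, rdnss_lifetime)
        + b"".join(a.packed for a in rdnss)
        + bytes([OPT_DNSSL, (2 + len(dnssl_body) + pad) // 8]) + dnssl_body + b"\x00" * pad
        + struct.pack("!BBHI", OPT_ADV_INTERVAL, 1, 0, 20000)
    )
    csum = icmpv6_checksum(src, dst, hdr + opts)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + opts


def _parse_names(blob):
    """DNS wire-format names, each terminated by a zero label; trailing zero bytes are padding."""
    names, labels, pos = [], [], 0
    while pos < len(blob):
        n = blob[pos]
        pos += 1
        if n == 0:
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        labels.append(blob[pos:pos + n].decode("ascii"))
        pos += n
    return names


def parse_ra(src, dst, hop_limit, payload):
    """Apply the RFC 4861 6.1.2 receive checks, then decode the fields a host acts on."""
    if hop_limit != 255 or not src.is_link_local or len(payload) < 16:
        raise ValueError("RA failed validation: hop limit, link-local source or length")
    if icmpv6_checksum(src, dst, payload) != 0:
        raise ValueError("bad ICMPv6 checksum")
    typ, code, _csum, _hops, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": PREFERENCE[(flags >> 3) & 0b11], "router_lifetime": lifetime,
          "rdnss": [], "dnssl": [], "mtu": None}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload) or payload[off + 1] == 0:
            raise ValueError("truncated or zero-length option")  # RFC 4861: discard the packet
        otype, olen = payload[off], payload[off + 1]
        body = payload[off + 2:off + 8 * olen]
        if otype == OPT_RDNSS:
            lt = struct.unpack("!I", body[2:6])[0]
            ra["rdnss"] += [(ipaddress.IPv6Address(body[i:i + 16]), lt) for i in range(6, len(body), 16)]
        elif otype == OPT_DNSSL:
            ra["dnssl"] += _parse_names(body[6:])
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        off += 8 * olen
    return ra


def client_view(ra):
    """Default-router status comes from Router Lifetime; DNS servers from the RDNSS Lifetime."""
    return {"default_router": ra["router_lifetime"] > 0,
            "dns_servers": [addr for addr, lt in ra["rdnss"] if lt > 0],
            "search_domains": ra["dnssl"]}


def sample_packet():
    """Constructed stand-in for the redacted fe80::1:---:---:a2 advertisement."""
    src = ipaddress.IPv6Address("fe80::1:0:0:a2")
    dst = ipaddress.IPv6Address("ff02::1")
    return src, dst, build_ra(src, dst, router_lifetime=0, flags=0x48, rdnss=[src], rdnss_lifetime=1800)


if __name__ == "__main__":
    s, d, p = sample_packet()
    print(client_view(parse_ra(s, d, 255, p)))
```

Feed the raw ICMPv6 bytes from a capture into parse_ra together with the IPv6 source, destination and hop limit and it will either reject the packet for one of the RFC 4861 reasons or show both lifetimes side by side.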

@dave14305 ,

Okay that's interesting, I tried to set ra_lifetime to 1800 but it seems to still advertise as zero:

root@router:~# uci show dhcp.lan.ra_lifetime
dhcp.lan.ra_lifetime='1800'

Under Wireshark:

Router lifetime (s): 0

Any ideas?

About the "not doing the router", I've noticed that it works fine under Windows. Windows correctly pushes the advertised DNS server to the list, but macOS ignores it.

Thank you.

You could downstream your IPv4 (yes, you can use the additional public IPs). Then you could fix your LAN6 issue in the same manner (hopefully the ISP issues a Prefix Delegation on their DHCPv6).

I'm sure you'll help me understand your suggestion better,

What do you mean by "downstream"? If you're suggesting a classic "ISP bridge", having a public IPv4 and an IPv6 prefix assigned directly to OpenWrt, that works of course, but I don't want OpenWrt doing the routing in this setup. I just want it acting as a DHCP/DNS server.

Or do you mean any other setup I'm unaware of?

Thank you.

Have you really disabled DHCP4 on the ISP router? Or are both your and the ISP router's DHCP services active at the same time, with both DHCPs reacting to client broadcasts? And is the ISP DHCP service maybe not answering correctly because its address space is effectively depleted by this .254 trickery IP config (leading to your DHCP4 winning)?

Yes I've disabled the DHCP4 server on the ISP router. It is set to a static LAN IP 172.20.1.254. The OpenWrt SBC is the only DHCP server on the network.

As I said before, IPv4 is fine, the problem is with IPv6 because devices get IPs from the ISP router via SLAAC and they also get an advertised IPv6 DNS server.

What I'm attempting to do it somehow announce OpenWrt as the preferred IPv6 DNS server.

Maybe take a look at ipv6 relay, if it looks like something that may be of help: IPv6 Configuration (relay single /64 prefix), as you have 3 separate options to enable.

This is most likely a bug in odhcpd: https://github.com/openwrt/odhcpd/issues/133

This situation was indeed a bug reported and now fixed.

The following config allows me to use the ISP router that does IPv6 PD / SLAAC. In short, my OpenWRT box will provide DHCPv4 + dual stack DNS while the ISP router advertises the IPv6 prefix and acts as gateway for both IPv4 and IPv6.

OpenWrt is 172.20.1.1 + fe80:1c0:5208::1, and the ISP router is 172.20.1.254. Note that you also need to set up Dnsmasq or SmartDNS to bind to both 172.20.1.1 and fe80:1c0:5208::1.

# cat /etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '10'
        option limit '100'
        option ra_preference 'high'
        list dhcp_option '6,172.20.1.1'
        list dhcp_option '3,172.20.1.254'
        option ra_useleasetime '1'
        option ra 'server'
        option ra_default '2'
        option ra_maxinterval '600'
        option ra_mininterval '200'
        option ra_lifetime '1800'
        option dhcpv6 'server'
# cat /etc/config/network

config globals 'globals'
        option ula_prefix 'fe80:01c0:5208::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        list ipaddr '172.20.1.1/24'
        option gateway '172.20.1.254'
        option broadcast '172.20.1.255'
        option ip6assign '64'
        option delegate '0'


With option ra_preference 'high', devices in the network will set their IPv6 DNS server to fe80:1c0:5208::1 (my OpenWRT box) instead of what the ISP router advertises, which has a lower priority. For IPv4 the DNS server is set by list dhcp_option '6,172.20.1.1'.

1 Like

ULA addresses start with fc or fd. fe80:1c0:5208::1 is an improper link-local address. Link local prefix is fe80::/64, all bits between fe80 and the last 64 should be 0.

DNS services for a LAN are often advertised and provided on a router's link-local IP.

2 Likes
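The objection above, as an added example that is not part of the thread: a Python check that classifies an IPv6 address strictly by RFC 4291 and RFC 4193 rather than by the loose fe80::/10 test that ipaddress.is_link_local performs, and that validates a ula_prefix value before it goes into /etc/config/network. It flags fe80:1c0:5208::1 as a malformed link-local address because the 54 bits between the fe80::/10 prefix and the interface identifier are not zero, and rejects fe80:01c0:5208::/48 as a ULA prefix because it is outside fc00::/7. The addresses used as inputs are the ones from the thread plus constructed ones.

```python
"""Strict IPv6 address classification and ula_prefix validation (added example)."""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")     # RFC 4291 2.5.6
ULA = ipaddress.IPv6Network("fc00::/7")             # RFC 4193 3.1
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # RFC 4291 2.5.4


def classify(text):
    """Return 'link-local', 'ula', 'global unicast', 'multicast', 'other', or a reason it is malformed."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError as exc:
        return f"invalid: {exc}"
    n = int(addr)
    if addr.is_multicast:
        return "multicast"
    if addr in LINK_LOCAL:
        # Bits 10 through 63 must be zero, so in practice the usable prefix is fe80::/64.
        if (n >> 64) & ((1 << 54) - 1):
            return "malformed link-local: bits 11-64 must be zero, the address must be inside fe80::/64"
        return "link-local"
    if addr in ULA:
        # RFC 4193 defines fd00::/8 (L bit set) as the locally assigned half; fc00::/8 is reserved.
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def ula_prefix_ok(text):
    """True when a ula_prefix value is a /48 inside fd00::/8, as RFC 4193 assigns them."""
    try:
        net = ipaddress.IPv6Network(text, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 48 and net.network_address in ipaddress.IPv6Network("fd00::/8")


if __name__ == "__main__":
    for sample in ("fe80:1c0:5208::1", "fe80::1", "fd00:1c0:5208::1", "2001:db8::1", "ff02::1"):
        print(f"{sample:20} {classify(sample)}")
    for prefix in ("fe80:01c0:5208::/48", "fd00:1c0:5208::/48"):
        print(f"{prefix:20} ula_prefix_ok={ula_prefix_ok(prefix)}")
```

The ipaddress module alone would have accepted fe80:1c0:5208::1 as link-local, which is how a config like the one posted above passes casual inspection; the strict mask is what catches it.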

What's the problem with using a link-local address as DNS server as long as it sits on the same network? For now the OpenWrt device isn't configured to have any public / GUAs or ULA address.

Even dnsmasq provides options to advertise a link-local:

IPv6 addresses in options must be bracketed with square brackets, eg. --dhcp-option=option6:ntp-server,[1234::56] For IPv6, [::] means "the global address of the machine running dnsmasq", whilst [fd00::] is replaced with the ULA, if it exists, and [fe80::] with the link-local address.
Source: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

Link-local addresses can be used for everything in theory, even as default gateway / next-hop router and in some cases even further: https://www.rfc-editor.org/rfc/rfc7404.html


Frankly I'm tired of people going through the thread without properly reading what I was trying to accomplish and what restrictions are in place.
