Prevent external dynamic IPv6 from being returned by local dns

The problem:
My ISP gives out dynamic IPv6 prefixes, i.e they change every time I reset the connection.

My openwrt router is set to give out DHCPv6 addresses out of the ISP prefix, and add these entries to local DNS.

After a disconnect and reconnect to the ISP happens, the local (stateful?) address does not match the prefix anymore, and connection between local devices is interrupted (it could randomly work or not, depending on whether the device tries to use IPv4, IPv6 ULA or external).

What I want to happen:
I want the middle address in the example below (starting with 2a10:) to disappear.

c:\> nslookup pc1.lan
Server:  OpenWrt.lan
Address:  fd27:aaaa:ffff::1

Name:    pc1.lan
Addresses:  fd27:aaaa:ffff::c7c
          2a10:bbbb:c:dddd::c7c
          192.168.0.130

I don't know what the best approach is: just making it so the address doesn't get added to DNS records, or having DHCPv6 not give out external stateful addresses at all, or finding a way to force all clients to renew every time the prefix changes, or something else altogether.

I do want, however, to keep using stateful ULA addresses, as well as RA/SLAAC from the external prefix.

Any help/advice would be appreciated.

Tricky...

AFAIK dnsmasq has no option to exclude certain answers, only to remove AAAA records altogether [1], but that's not an option.

In general, there is RFC 3484 - Default Address Selection for Internet Protocol version 6 (IPv6) [2], which can be made use of on Linux systems via /etc/gai.conf, but it seems that Windows doesn't offer the same granular options (prefer ULA over GUA) [3].

/*
I agree that dynamic customer prefixes suck, but sadly most ISP do not offer to choose between stable and dynamic prefixes.
*/

I would be interested in a solution, too....


[1] https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

--filter-AAAA
    Remove AAAA records from answers. No IPv6 addresses will be returned. 

[2] https://www.ietf.org/rfc/rfc3484
[3] https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

Mhm, maybe I was too quick and wrong...

I cannot point you to a resource in English because for some reason I only get German results from Google, lol?

Edit: https://old.reddit.com/r/ipv6/comments/coei3n/fix_for_windows_10_preferring_ipv4_over_ipv6/

>netsh interface ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        35      4  ::ffff:0:0/96
        30      2  2002::/16
         5      5  2001::/32
         3     13  fc00::/7
         1     11  fec0::/10
         1     12  3ffe::/16
         1      3  ::/96

# Prefer ULA higher than IPv4
>netsh interface ipv6 set prefixpolicy fc00::/7 36 13

Again, I cannot confirm nor test these, as I'm not using Windows....

The way OpenWrt works now looks like this:

  • dnsmasq
    • Provides DHCPv4 and DNS services.
    • DNS caches upstream responses and replies to queries for local hosts.
  • odhcp
    • Provides DHCPv6 and RA services.
    • Updates dnsmasq so it can answer AAAA queries for local hosts.

The way odhcp updates dnsmasq is by invoking the "lease trigger" script. This is configurable in /etc/config/dhcp:

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

The only thing /usr/sbin/odhcpd-update does is send SIGHUP to dnsmasq. But we can make this script do more stuff, like filter GUA addresses from the lease file so dnsmasq never sees those addresses.

So here's a possible solution:

  1. Change the odhcpd section in /etc/config/dhcp as follows:

    option leasefile '/tmp/dhcpv6.leases'
    option leasetrigger '/root/filter-gua-leases'
    
  2. Write the /root/filter-gua-leases script and make it executable with chmod +x:

    #!/bin/sh
    # Lease trigger: odhcpd runs this whenever a DHCPv6 lease changes
    . /lib/functions/procd.sh
    # Keep only the ULA entries (address starts with fd) in the hosts file dnsmasq reads
    grep '^fd' /tmp/dhcpv6.leases > /tmp/hosts/odhcpd
    # Tell dnsmasq to reload its hosts files (sends SIGHUP via procd)
    procd_send_signal dnsmasq
    

    This keeps only the ULA addresses, which always start with fd.

  3. Restart odhcpd or reboot your router. You shouldn't need to restart dnsmasq since it will be signaled by the lease trigger script.

I've just tried this with one of my routers and it appears to work as intended. No warranties implied, of course.
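The odhcpd-to-dnsmasq hand-off described above (odhcpd writes a hosts-format lease file, the lease trigger rewrites it, dnsmasq is signalled to reload) as a fuller lease-trigger script. This is an added example, not the post's own script nor OpenWrt code: it keeps the whole fc00::/7 ULA range instead of only lines beginning with "fd", drops odhcpd's "#" metadata lines explicitly, logs how many entries survived, and separates the filtering from the signalling so it can be exercised on a constructed lease file. The paths, the "address<tab>hostname" line format and the script name filter-gua-leases come from the post; demo_filter and its sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not the forum post's own script): an odhcpd lease trigger that
# keeps only ULA (fc00::/7) entries in the hosts file dnsmasq reads, so the
# ISP's dynamic GUA prefix never shows up in local AAAA answers.
# Assumptions: LEASES is odhcpd's 'leasefile' and HOSTS the file dnsmasq loads,
# as in the post's config; lines are "<address><tab><hostname>" plus '#' metadata
# lines, which is what the post's "grep '^fd'" relies on.
LEASES="${LEASES:-/tmp/dhcpv6.leases}"
HOSTS="${HOSTS:-/tmp/hosts/odhcpd}"

# is_ula ADDR: succeed when ADDR lies in fc00::/7, i.e. its first byte is
# 0xfc or 0xfd (case-insensitive). GUA (2000::/3) and link-local (fe80::/10) fail.
is_ula() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        f[cd]*) return 0 ;;
        *)      return 1 ;;
    esac
}

# filter_ula_leases IN OUT: copy the hosts-format lines whose first field is a
# ULA address from IN to OUT (truncating OUT first); skip blank lines, odhcpd's
# '#' metadata lines and every non-ULA address. Prints the number of lines kept.
filter_ula_leases() {
    in=$1; out=$2; kept=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f        # split on whitespace without globbing
        if is_ula "$1"; then
            printf '%s\n' "$line" >> "$out"
            kept=$((kept + 1))
        fi
    done < "$in"
    echo "$kept"
}

# demo_filter: run the filter over a constructed lease file (sample data made up
# for this example, using the prefixes from the thread) and print the kept count.
demo_filter() {
    dir=$(mktemp -d)
    {
        printf '# br-lan 00010001aabbccdd pc1 0 0 -1 fd27:aaaa:ffff::c7c 2a10:bbbb:c:dddd::c7c\n'
        printf 'fd27:aaaa:ffff::c7c\tpc1\n'
        printf '2a10:bbbb:c:dddd::c7c\tpc1\n'
        printf 'FD27:AAAA:FFFF::2\tpc2\n'
        printf 'fe80::1\tbogus\n'
    } > "$dir/leases"
    filter_ula_leases "$dir/leases" "$dir/hosts"
    rm -rf "$dir"
}

# When odhcpd runs this file as the lease trigger (installed as
# /root/filter-gua-leases), rewrite the hosts file and ask dnsmasq to reload it;
# when merely sourced (e.g. for tests), only the functions are defined.
case "${0##*/}" in
    filter-gua-leases)
        n=$(filter_ula_leases "$LEASES" "$HOSTS")
        logger -t filter-gua-leases "kept $n ULA lease(s) for dnsmasq"
        . /lib/functions/procd.sh
        procd_send_signal dnsmasq
        ;;
esac
```

Install it exactly as the post describes (chmod +x, leasetrigger pointing at it, restart odhcpd). Note what it does and does not change: dnsmasq stops answering with the stale GUA, but clients still hold that address until they renew or its lifetime expires, which is why the clients' interfaces had to be restarted in the thread. Matching fc00::/7 rather than only "fd" is a small generalisation; in practice odhcpd hands out fd00::/8 ULAs, so the post's grep is sufficient on its own.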


I tried your solution, and it seems to work.

Restarting services didn't seem to do the job, though; I had to reboot the router.

I will keep testing if this solves my problem. If all is well I will mark your post as a Solution in a day or two.

I forgot to mention I also restarted the network interfaces of the clients as well. The lease database in odhcpd is RAM-only and will be lost across restarts, so dnsmasq will not resolve DHCP names until those clients renew.
