R7800 stop IPv6 DNS?

Hi,
I reset my R7800 to factory defaults and I'm setting it back up. I have a Pi-hole for DNS with blocking, and firewall rules that stop IPv4 DNS from leaving the network for everything apart from it. This works (as far as I can understand), as I can telnet to Google DNS without the rules but not with them.
My issue seems to be that my test machine (Win10) can access the internet with its IPv4 DNS set to something non-valid. I've traced that I have an IPv6 DNS in the list which appears to be the router. It looks to be using that to resolve DNS and bypassing the Pi-hole. I can test this by disabling IPv6 on the Windows host, and it stops working. The IPv6 address also tallies with the router's address (although this is just my best understanding).
I don't need IPv6 internally and, before the reset, I think I found a few lines to disable it on the router, but I'd like to know if this is expected and if there is a better way to stop it?
Thanks

I think I've disabled DDNS and dnsmasq in the settings, but it still seems to be resolving.

I still see these in the logs too:
possible DNS-rebind attack detected

Aug 20 14:30:21 ROUTER dnsmasq[3160]: possible DNS-rebind attack detected: telemetry.dropbox.com

Which makes me think it is still running?

And also this:

Aug 20 14:55:36 ROUTER dnsmasq[3168]: using only locally-known addresses for domain bind
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using nameserver 10.0.0.111#53
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using only locally-known addresses for domain lan
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using nameserver 10.0.0.111#53   <--- PiHole
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using nameserver 194.178.77.100#53  <---- ISP DNS
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using nameserver 194.177.77.100#53  <---- ISP DNS
Aug 20 14:55:36 ROUTER dnsmasq[3168]: read /etc/hosts - 4 addresses
Aug 20 14:55:36 ROUTER dnsmasq[3168]: read /tmp/hosts/odhcpd - 0 addresses
Aug 20 14:55:36 ROUTER dnsmasq[3168]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses
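An added example, not from this thread: a small Python check that reads dnsmasq log lines like the ones quoted above and reports every upstream nameserver that is not the Pi-hole, plus any DNS-rebind warnings. It is a quick way to confirm whether the router is still forwarding to the ISP resolvers after changing the WAN DNS settings. The Pi-hole address 10.0.0.111 comes from the log; the sample lines are constructed from the ones quoted.

```python
import re
from collections import Counter

# Constructed sample: the dnsmasq lines quoted in the thread (one rebind warning,
# the Pi-hole upstream listed twice, and the two ISP resolvers).
SAMPLE_LOG = """\
Aug 20 14:30:21 ROUTER dnsmasq[3160]: possible DNS-rebind attack detected: telemetry.dropbox.com
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using only locally-known addresses for domain bind
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using nameserver 10.0.0.111#53
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using only locally-known addresses for domain lan
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using nameserver 10.0.0.111#53
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using nameserver 194.178.77.100#53
Aug 20 14:55:36 ROUTER dnsmasq[3168]: using nameserver 194.177.77.100#53
Aug 20 14:55:36 ROUTER dnsmasq[3168]: read /etc/hosts - 4 addresses
"""

# dnsmasq prints every upstream it will forward to as "using nameserver ADDR#PORT";
# an IPv6 upstream appears in the same form (e.g. "fd00::1#53"), so [^\s#]+ covers both.
NAMESERVER_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver ([^\s#]+)#(\d+)")
REBIND_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")


def audit_dnsmasq_log(text, allowed_upstreams):
    """Scan dnsmasq log text.

    Returns (unexpected, rebinds, counts):
      unexpected - sorted upstream addresses that are NOT in allowed_upstreams
                   (on this page these are the ISP resolvers learned via peer DNS)
      rebinds    - names that triggered the DNS-rebind protection
      counts     - how often each upstream was announced
    """
    counts = Counter()
    rebinds = []
    for line in text.splitlines():
        m = NAMESERVER_RE.search(line)
        if m:
            counts[m.group(1)] += 1
            continue
        m = REBIND_RE.search(line)
        if m:
            rebinds.append(m.group(1))
    unexpected = sorted(set(counts) - set(allowed_upstreams))
    return unexpected, rebinds, counts


if __name__ == "__main__":
    unexpected, rebinds, counts = audit_dnsmasq_log(SAMPLE_LOG, {"10.0.0.111"})
    print("upstreams announced:", dict(counts))
    print("upstreams other than the Pi-hole:", unexpected)  # the two ISP resolvers
    print("rebind warnings:", rebinds)
```

On the router itself, `logread | grep dnsmasq` gives the live log to feed into this check; once peer DNS is disabled on the WAN interfaces, the ISP addresses should no longer appear.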

Ok, someone tell me if I've done something stupid but...

By turning off these (not sure if one or both did it), I have stopped sending out the IPv6 DNS option.

"Use DNS servers advertised by peer" - this was on the WAN interfaces (did both).
"Use builtin IPv6-management" - this was on the LAN interface.

Typically you should advertise the Pi-hole as an IPv6 server too.
Or redirect the DNS queries to the Pi-hole.
The least optimal solution is to restrict DNS to the IPv4 address only.
You may not want to disable dnsmasq, as it serves local DNS and the DHCP. DDNS is not connected to your problem.

This means it will not use the DNS of your ISP to resolve.

This could have more side effects.
Are you using IPv6 in general?


Thank you for replying.
Certainly not using it internally by any choice I've made.

The only Pi-hole setting I could find was "Enable IPv6 support (SLAAC + RA)" which, to be fair, is fairly obvious!
I had that enabled and still saw the same problem though. I found the IPv6 address showing in "ipconfig /all" to match those of the router, so I figured it was overriding somehow?

I have DHCP and DNS from the Pi-hole, so I don't need the OpenWrt one to run. Is it ok to disable the service if that is the case?
Making the changes I tried above seems to have worked so far, just not sure what I may have broken though.
Cheers

Disable DNS and/or DHCP roles or disable dnsmasq completely:

/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop

Thank you, that looks like a good solution.
Cheers


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.