Redirect IPv6 DNS requests to local IPv4 DNS server

I've found a bunch of stuff on this (like Need help forwarding IPv6 DNS request from specific host to different server), but I can't figure out what exactly to do with the info (it's all Greek to me, sadly).

I have an external IPv4 and IPv6 address, and because of that my IPv6-capable computers have acquired IPv6 addresses. The Windows computers seem to prefer making DNS requests over IPv6, which bypasses my local DNS server that has the IPv4 address and responds on port 53 (it has no IPv6 address).

What would I need to do to have OpenWRT redirect IPv6 port 53 DNS lookups to my IPv4 local DNS server at That path seems the easiest, since making static IPv6 addresses to redirect IPv6 clients to seems to be a hassle (and another number to remember).

Also let me know if more info is needed!

Edit: Here are nslookup results:

Server:  OldDeller.lan
Address:  fdc9:af8b:d52b::1

Non-authoritative answer:
Addresses:  2607:f8b0:4006:80f::200e

Server:  pi.hole

Non-authoritative answer:
Addresses:  2607:f8b0:4006:81f::200e

I want nslookup to hit by default (Linux ones seem to do it, the DHCP server hands out as the DHCP server to use). Also, if I disable IPv6 on the Windows computers they use by default for nslookup.

I'm not sure if this will help you in your journey to configuring to network but if I were you I'd check out this video that actually takes you step by step if finding the instructions listed on Openwrt support section gets confusing.

Hope this helps and let me if it works because I just ordered my new router and plan on doing this exact thing myself so I'm curious if this method above works. Please keep me updated:)

Van Tech has great OpenWRT tutorials! But I'm not using a DNS server package for OpenWRT so it doesn't quite apply, sadly.

The firewall rules (which seemed pretty general) didn't fix it, at least. I found some other similar firewall rules in other threads and they didn't either - IPv6 is still following its own path and avoiding the local DNS server (that is provided by DHCP on OpenWRT).

You cannot simply redirect IPv6 packets to an IPv4 server, you'd need to setup a proxy for that.
What you could do:

  1. Assign IPv6 on the nameserver and advertise that to the lan hosts.
  2. Hijack/Intercept DNS packets and force them to get to your nameserver.
1 Like

What you want is both ipv4 dhcp and ipv6 dhcp option 6 setting. Thus telling your downstream clients to use your pihole.

or more specifically. The config options below. (edit) example is here

You only need ONE of the list DNS options. so pick and delete accordingly. this needs adding to your /etc/config/dhcp file

       list dhcp_option "6,"
       list dns         "::101" #if your pihole has 101 as its ipv6
       list dns         "2001:4860:4860::8888"  #or just copy and replace this with your pihole v6

An alternative to running a pihole btw is to use AdGuardHome installed on your router.

1 Like

I was able to get the OpenWRT router to stop advertising a IPv6 DNS by unchecking the box in Network->Interfaces->LAN...Edit->DHCP Server->IPv6 Settings->Uncheck "Local IPv6 DNS server"

That seems to have gotten the Windows computers to stop detecting OpenWRT as a DNS server and thus not using it. They're using the DHCP-specified DNS server as desired (and not detecting any other IPv6 servers that my ISP might provide, not sure if they just don't provide them or external DNS servers are blocked from being forwarded in).

  • I tried disabling dnsmasq in OpenWRT to stop the internal DNS server but then DHCP stopped working (I guess they're related more than I thought?) so I had to back track on that.
  • Proxmox and the DNS server both are not acquiring IPv6 addresses so I guess IPv6 isn't happening there (dunno why, don't really need to care though - until the update servers are IPv6-only I guess), which blocked out the option by @mercygroundabyss to assign a list dns "::101" option. The DNS server only had an IPv4 address. (also avoiding loading OpenWRT up with non-routing stuff, going for a "separation of duties" mindset)
  • I applied the Hijack/Intercept DNS packets suggestion by @trendy but it didn't seem to effect the IPv6 DNS requests (maybe because the router was acting as the DNS server) and for IPv4 it didn't do anything (sadly) and if I got specific (pointed to instead of leaving unspecified destination zone/internal IP address) it made the DNS requests timeout.
  • I also tried serveral combinations of the following firewall rules, but they didn't seem to do anything:
iptables -t nat -A PREROUTING -i lan ! -s -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i lan ! -s -p tcp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i lan -p udp --dport 53 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i lan -p tcp --dport 53 -j DNAT --to-destination

Thanks to all who gave suggestions - I'm sure someone else can use the easier ways (like if I had an IPv6 address for the DNS server), and the Hijack/Intercept method can be used to at least deny things using hardcoded DNSes access to the nets at least. And I didn't have to disable IPv6!

Yes they are linked.

Two options. either :

A) set a hardcoded address for the dns server and then add that address to OpenWrt as a list dns for your ipv6. Then you have working ipv4 and 6. I would go with this option.

B) Setup a DHCP reservation for BOTH ipv4 and 6 for your DNS server.

You need a DUID to assign ipv6.

adding via uci

uci add dhcp host
uci set dhcp.@host[-1].name="mylaptop"
uci set dhcp.@host[-1].dns='1'
uci add_list dhcp.@host[-1].mac="aa:bb:cc:dd:ee:ff"
uci set dhcp.@host[-1].ip=""
uci set dhcp.@host[-1].duid="000100004fd454041c6f65d26f43"
uci set dhcp.@host[-1].hostid="23"
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart

entry in /etc/config/dhcp

config host
	option mac 'aa:bb:cc:dd:ee:ff'
	option name 'mylaptop'
	option dns '1'
	option ip ''
	option duid '000100004fd454041c6f65d26f43'
	option hostid '23'

Hijacking DNS will only work for IPv4. You cannot redirect IPv6 to a IPv4 server. It IS useful however to stop devices inside your lan from talking to external DNS servers and thus bypassing filtering that runs on your DNS.

There is a specific paragraph for hijacking IPv6 DNS queries.

I saw that and didn't know what it meant - it doesn't seem to mention capturing port 53 traffic, I do see the 06 broadcast but I assumed that was for local devices to figure out what the DNS servers are. Since I'm not broadcasting any IPv6 DNS servers, would that firewall rule not work?

Would that firewall rule also make IPv6 DNS queries not going to timeout? Because the DNS hijacking firewall rule for IPv4 ended in timeouts instead of a successful redirect (set on computer manually, timed out with firewall rule explicitly pointing to on port 53 and connected to if the firewall rule was made as described in the guide).

(as for setting a hardcoded IPv6 address on my DNS server, I'm leaning against that since proxmos/the DNS server don't want to figure IPv6 out on their own (like Windows computers seem to be wont to do), I'm happy to let them chill - and I'm staying away from per-device command line setup to keep this a more "WYSIWYG" router)

Again thanks to both of you for your time & expertise!

traditionally servers are generally fixed ips and are setup on first install that way, purely because in a corperate enviroment you have a range that is for servers only. As you have your router on .1 then assigning your proxymox/pihole install to .2 would be fine. That would also allow you to pass dhcp option 6 ipv4 to your clients and the list dns for ipv6 so your clients know your pihole at .2 is where they should be pulling DNS info from.

Clients live off DHCP assignments as they do not require fixed ips. In a home network DHCP reservations to keep things "semi" fixed can be useful. EG assigning TV boxes to the 200 range and leaving laptops phones etc in the 100-150 range.

The reason the windows clients grab one is down to Stateless address autoconfiguration (SLAAC).

The instructions in the wiki intercept the dns queries to dnsmasq in OpenWrt. If you want to intercept to a pihole you can try the solution here.

Yes, they sure do. I discovered this the hard way over the weekend when introducing OpenWRT to a location whose previous router didn't support IPv6 (not that I realized that at the time).

To complicate matters, it's a Windows Server domain, so suddenly all the machines were no longer getting the Windows Server IPv4 address as their primary DNS per usual. And that caused some subtle problems, explaining why Microsoft always recommends Windows Server being the primary.

Eventually, of course, after noticing the strange address as the primary DNS for everyone, I realized the need for disabling "Local IPv6 DNS server" on the router, as you found, too.