Unable to disable IPv6 DNS completely

I stopped and disabled the dnsmasq and odhcpd startup scripts to prevent OpenWrt from serving DNS and DHCP on my LAN (I have a pi-hole on my LAN that is configured to provide DHCP as well as acting as my DNS server), but ipconfig /all still lists my router's IPv6 address as a DNS server.

   DHCP Server . . . . . . . . . . . : 192.168.1.168
   DHCPv6 IAID . . . . . . . . . . . : 87332854
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-B5-A6-D6-34-97-F6-89-E4-FF
   DNS Servers . . . . . . . . . . . : fd1a:25d6:5a17:0:dea6:32ff:fecd:ef32
                                       fd2f:2c80:1113:0:dea6:32ff:fecd:ef32
                                       2601:602:c400:17f6:dea6:32ff:fecd:ef32
                                       192.168.1.168
                                       192.168.1.168
                                       2601:602:c400:17f6:dea6:32ff:fecd:ef32

fd1a:25d6:5a17:0:dea6:32ff:fecd:ef32 is OpenWrt's IPv6 address, the other DNS server entries belong to the pi-hole that I want to be the only DNS server my LAN clients use.

1 Like

and does is still do it if you do an

ipconfig /release
ipconfig /renew

No change after releasing/renewing IP

You probably need to make a complete power off everything in the network and power on everything again to get every client to forget the address they already have and expect to have until the timer that doesn’t exist anymore run out.

But I only turned off IPv6 DHCP servers and turned off IPv6 managment in the interfaces through LuCi which resulted in never to see any IPv6 anywhere again after a complete network power cycle.

You need to use different options for IPv6:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ipconfig

1 Like

Are you talking about waiting for the DHCP leases to expire? Because there aren't any current leases according to the web interface.

I also don't want to entirely disable IPv6, I just don't want OpenWrt giving out DNS addresses to my LAN clients that aren't my pi-hole, which isn't happening on IPv4 but is happening on IPv6.

Problem is the clients don't care (because they don't know) about you shutting the DHCPs down, until it's time to renew the IP lease.

Unless you force them to do so, with a shutdown, etc.

3 Likes

I don't think my issue has anything to do with DHCP specifically. My ipconfig output lists my pi-hole (192.168.1.168) as my DHCP server, which is working as intended. The problem is that fd1a:25d6:5a17:0:dea6:32ff:fecd:ef32 is my OpenWrt instance's IP address and fd1a:25d6:5a17:0:dea6:32ff:fecd:ef32 is appearing in my list of DNS servers, which I didn't think would happen after disabling dnsmasq.

What's probably going on is that the routers RA packets contain the DNS server address. You need to tell it to advertise the PI hole IPv6 address instead. There's an option for this under IPv6 advanced settings in LUCI I believe. I don't know the command line option.

Are you talking about the RA-Service setting for the LAN interface? It was disabled when I started, but I switched it to relay mode to see if it made a difference. My DNS server listings didn't change at all when I changed from disabled to relay mode, though.

You can specify Pi-hole's IPv6 ULA as DNS:
Providing custom DNS with DHCP

I ran the uci commands you suggested, rebooted OpenWrt, flushed my client's DNS cache, and re-ran ipconfig, but my DNS servers didn't change. I assume those settings aren't being read or applied since odhcpd is still disabled from luci's startup menu.

If odhcpd is disabled how are you sending RA? I thought it handled that

That's my point of confusion too. I'm not sure that I am, but I also don't know how my router's IPv6 address would end up in my client's list of DNS servers otherwise.

Perhaps some wiresharking from a client is in order

I took a quick glance with Wireshark, but that made things more confusing. For whatever reason, my desktop is communicating with a Google DNS server (8.8.8.8) occasionally when it's not communicating with my pi-hole. My pi-hole isn't using Google DNS as an upstream provider, and 8.8.8.8 isn't even one of the upstream server addresses I configured in OpenWrt's WAN interface. 8.8.8.8 also isn't one of the DNS servers listed when I inspect the ethernet adapter via ipconfig.

Also you appear to have two different ULAs, one starting with fd1a and the other with fd2f

I think I identified and corrected both of those issues. The random Google DNS entries were coming from an Android emulator I had running, and they went away as soon as I closed it. I previously had my pi-hole configured with a static IP address from when my ISP delegated an IPv6 address to me, but I only have an IPv4 external address currently (I'm guessing this caused my pi-hole to auto-generate a new ULA address when my IPv6 address changed). I updated my pi-hole's IPv6 address to use a ULA address within OpenWrt's LAN address range.

Ignoring the erroneous Google DNS entries, all my desktop's DNS traffic is between my desktop and my pi-hole, in spite of the DNS servers listed in ipconfig not updating to reflect what's actually happening on the network.

Make sure to update both DHCPv4 and DHCPv6 and flush DNS cache:

ipconfig /release & ipconfig /renew
ipconfig /release6 & ipconfig /renew6
ipconfig /flushdns

Disable DoH/DoT in the client brower/OS and set up DNS hijacking:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.