TIL - User Error of Course

Reading time: 4 minutes (658 words)
Author: @pugmiester
Tags: til , ipv6

As I mentioned in an earlier blog post we’re considering switching to a new home ISP in a cost saving exercise. That will of course mean a bit of work for yours truly, and as we have IPv6 running on the home network it’s likely to be a little more work than if we just had plain old “legacy” IPv4 running.

I’m not having a dig at IPv6 by any means; it’s due to the way I’ve deployed IPv6 at home. If I wasn’t bothered about providing pihole DNS filtering and local DNS for all of the gubbins I have running on the various virtual servers in the office upstairs, things would be pretty much just plug and play, but then where’s the fun in that. It means I’m pointing our local DNS clients to my home DNS server using RDNSS from my pfSense firewall, as well as a handful of rules to allow clients on the various VLANs to reach pihole for all of the same DNS filtering goodness.

But, I digress. We’ve had a few odd network quirks over the last few weeks and there was nothing jumping out at me as being wrong. Obviously, there was something wrong that I’d put in place ages ago and not realised.

Backing up about 6 months, I bought a new router/firewall for home running pfSense and I configured it to manage all of the home VLANs. At the time, I spotted a few clients trying to circumvent the DNS servers they were being handed out by the router and instead trying to “phone home” directly. “I don’t think so!!”. Blocking those connections seemed to make things less happy, so instead I opted to redirect them back to pihole. Not that difficult with pfSense, as you can deploy a NAT redirection rule onto any interface.

I can hear you now, screaming at the screen, “But, what about the DNS connections from pihole itself?”. Well dear reader, I had a rule for that too. Any DNS connections from pihole get allowed out and any DNS requests not from pihole would get redirected back to pihole. Cool, cool. Except, then I added in rules for DNS using IPv6. These would allow clients on any VLAN to talk to pihole using its IPv6 address and things seemed to be happy. Hmmm.

That was until this week, when I started looking at my settings in preparation for our potential ISP switchover. I realised that although pihole was accepting DNS requests over IPv6, it wasn’t sending any. More precisely, it was sending but getting no replies. That’s weird. If IPv6 is available, and preferred by most operating systems these days, why is it not working for pihole? I checked the config for pihole and it looked OK, I checked the config for unbound underneath pihole and it looked OK, so why can’t I get any reply from any public IPv6 DNS server from pihole? After a while of going round in circles, I was resigned to the fact that obviously our current ISP was blocking it and forcing us to use their antiquated legacy IP DNS servers instead.

And then, the realisation. DOH!!!!!

Do you recall that I mentioned redirecting things that were not pihole back to pihole? Well, I did for legacy IP, but the rule I put in place for IPv6 didn’t include the same exclusion for pihole itself, so every time pihole tried to perform a public DNS request over IPv6 it was being redirected back to itself. Yeah, that’s not how DNS is supposed to work.
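To make the mistake concrete, here is what the two rule pairs look like in pf.conf syntax, which is what pfSense’s port-forward (NAT redirect) rules are rendered into underneath the GUI. This is an added illustration, not the author’s actual ruleset: the interface name and the pihole addresses are made up, and the single-interface form assumes pihole sits on the same VLAN interface the rule is attached to (on a multi-VLAN setup the same pair is repeated per client interface).

```pf
# Assumed values for illustration only (not the author's): pihole lives on
# VLAN interface igb1.10 with the addresses below.
lan_if    = "igb1.10"
pihole_v4 = "192.168.10.5"
pihole_v6 = "2001:db8:10::5"

# IPv4: any DNS (tcp/udp 53) NOT sourced from pihole is redirected to pihole.
# The "! $pihole_v4" source negation is the exclusion that lets pihole's own
# upstream queries leave the network untouched.
rdr pass on $lan_if inet proto { tcp, udp } from ! $pihole_v4 to any port 53 -> $pihole_v4 port 53

# IPv6, broken form (the bug in the post): no source exclusion, so pihole's
# own upstream queries match and are redirected straight back to pihole.
# rdr pass on $lan_if inet6 proto { tcp, udp } from any to any port 53 -> $pihole_v6 port 53

# IPv6, fixed form: the same exclusion the IPv4 rule already had.
rdr pass on $lan_if inet6 proto { tcp, udp } from ! $pihole_v6 to any port 53 -> $pihole_v6 port 53
```

Two quick checks catch this class of mistake. On the firewall, `pfctl -sn` prints the active rdr rules so the IPv4 and IPv6 pair can be compared side by side, and `pfctl -vsn` adds per-rule hit counters, so a redirect rule whose counter climbs in step with pihole’s own upstream traffic is a giveaway. From the pihole host, `dig -6 AAAA example.com @2001:4860:4860::8888` (Google’s public resolver) should get an answer from that server; with the broken rule the query is looped back to pihole and simply times out.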

So, having fixed the broken rule, there’s now a lot more IPv6 DNS in and out of my pihole server and things “feel” a little more settled. Time will tell if this was what was causing the general weirdness as it’s never been something we could make fail on demand.

So, I learnt a new thing today. Check your darned firewall rules properly.