IPv6 with Pi-Hole, pfSense, and Windows Server DNS

If you’re unaware of what Pi-Hole is, it’s a network-wide ad-blocking server which uses DNS to achieve its goal. This is an ideal solution since your mobile device’s browser doesn’t have ad-blocking plugins like the desktop versions of Firefox, Chrome, etc.

It’s called Pi-Hole because it originally was meant to run on a Raspberry Pi as a cheap solution for folks that aren’t very tech savvy. For $20 you can buy one of these mini-computers to save yourself a lot of ad-induced frustration. In my case, I just run it in a Debian Linux virtual machine, since I have a dedicated VM host.

Since I’m running a home lab, my setup is a lot more complex than a typical use case. Ads were still creeping in over IPv6 because I don’t use Pi-Hole’s built-in DHCP server, and I don’t have a lot of experience with IPv6 in the workplace. Because of that, I was seeking a solution to this issue rather than disabling IPv6 entirely. I have to credit a Pi-Hole forum user, spacemonkey, for the solution I needed to get Pi-Hole working in my home lab. Screenshots and notes are my own.

DNS Overview

Before going onto the fixes, I’d like to explain my DNS setup so you know where I’m coming from. This is the flow for DNS traffic in my environment:

  1. Cloudflare DNS
  2. Pi-Hole (no DHCP enabled, just IPv6 Router Advertisement)
  3. Windows Server DNS (with IPv4 DHCP scope, no IPv6)

Set up Pi-Hole and pfSense (sic)

  1. Set ULA in RA subnet (pfsense)
    In Services > DHCPv6 > RA, under Advertisements, add a subnet fd00:: and prefix /64
    Note: We don’t need DHCPv6 server. It’s disabled by default – it’s ok to leave it as it is.
  2. Set static pihole IPv6 (ULA)
    On the pihole, set a static IPv6 (Debian in my case) fd00::20/64 without any gateway or DNS.
    Refresh your interface “ifdown ens160; ifup ens160” and check your IP with ifconfig.
    Ideally you should see an fe (link-local), fd (static ULA) and 2000 (GLA) IP, and you should be able to ping6 google.
  3. Check connectivity
    Now you should be able to ping pihole’s IPv6 (fd00::20) from your computer.
  4. Add pihole ULA in pfsense DNS
    In pfsense System > General, assuming you have already entered pihole’s IPv4 address there, add pihole’s IPv6 address as well with the gateway as none. RA will send the LAN interfaces’ IPv6 to clients (which changes on boot).
    Note: This is assuming that you have DNS forwarder enabled.
    A reboot may be required to realize the setting done in step 1 and/or 4.

– spacemonkey @ https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127/7

Notes and Screenshots

pfSense

pfSense Router Advertisements

Pi-Hole

All of this configuration is done over SSH. The forum user and I both run Debian for our Pi-Hole instances, so these commands only apply to Debian.

sudo apt-get install net-tools        # provides ifconfig, which newer Debian releases no longer install by default
sudo nano /etc/network/interfaces     # add the static IPv6 ULA (fd00::20/64) to the interface, no gateway, no DNS
sudo ifdown ens192; sudo ifup ens192  # re-apply the interface configuration
ifconfig                              # confirm the link-local, ULA and global addresses are present
sudo reboot
Pi-Hole IPv6 config

The last three lines of that config are all it takes.

Pi-Hole ifconfig

Now you have your IPv4 address, a local IPv6 ULA address assigned by pfSense, a static IPv6 address which goes into pfSense for DNS, a link-local IPv6 address, and finally a GLA IPv6 address which comes from your WAN.

I know that seems overkill, but the pfSense page needs that fd00::20 address, which never changes, to correctly advertise the DNS server in router advertisements.

IPv6 is different in that you don’t rely on DHCP to hand out a single routed address per host. That’s why we have 4 addresses here. 🙂
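A way to check the result of spacemonkey’s steps 1 to 4 and of the address list above, as an added example that is not from the post or from the Pi-Hole project: a POSIX shell script that renders the static-address stanza for /etc/network/interfaces and verifies that an interface carries all three address classes the forum steps expect (a link-local fe80 address, a fd ULA and a 2000 global address). The interface name ens192, the fd00::20/64 address and the embedded `ip -6 addr show` output are constructed for the example; the stanza is the standard ifupdown `inet6 static` form, not copied from the screenshot. The post checks with ifconfig; `ip -6 addr` is the iproute2 equivalent that Debian ships by default, and it is what the checker parses.

```shell
#!/bin/sh
# Added example, not from the post or the Pi-Hole project. Interface name,
# addresses and the sample "ip -6 addr show" output are constructed.

# Print an /etc/network/interfaces stanza for a static IPv6 address with no
# gateway and no DNS, as the forum steps describe: iface, address, prefix.
render_static_ula_stanza() {
  printf 'iface %s inet6 static\n    address %s\n    netmask %s\n' "$1" "$2" "$3"
}

# Classify one IPv6 address (with or without a /prefix) by its leading bits:
# fe80::/10 is link-local, fc00::/7 is ULA, 2000::/3 is global unicast.
classify_ipv6() {
  addr=$(printf '%s' "${1%%/*}" | tr 'A-F' 'a-f')
  case "$addr" in
    fe8*|fe9*|fea*|feb*) echo link-local ;;
    fc*|fd*)             echo ula ;;
    2*|3*)               echo global ;;
    ::1)                 echo loopback ;;
    *)                   echo other ;;
  esac
}

# Take the text of "ip -6 addr show <iface>" as $1 and return 0 only when a
# link-local, a ULA and a global address are all present; name what is missing.
has_all_ipv6_classes() {
  found=$(printf '%s\n' "$1" | awk '$1 == "inet6" {print $2}' |
          while read -r a; do classify_ipv6 "$a"; done | tr '\n' ' ')
  rc=0
  for want in link-local ula global; do
    case " $found " in
      *" $want "*) ;;
      *) echo "missing $want address" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample matching the post's four IPv6 addresses: a global
# address, an RA-derived ULA, the static ULA fd00::20 and the link-local.
SAMPLE_IP6_OK='2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:250:56ff:fe8a:1234/64 scope global dynamic mngtmpaddr
       valid_lft 86392sec preferred_lft 14392sec
    inet6 fd00::250:56ff:fe8a:1234/64 scope global dynamic mngtmpaddr
       valid_lft 86392sec preferred_lft 14392sec
    inet6 fd00::20/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe8a:1234/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample of the same host before the RA subnet and the static
# address were configured: global and link-local only, no ULA at all.
SAMPLE_IP6_NO_ULA='2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:250:56ff:fe8a:1234/64 scope global dynamic mngtmpaddr
       valid_lft 86392sec preferred_lft 14392sec
    inet6 fe80::250:56ff:fe8a:1234/64 scope link
       valid_lft forever preferred_lft forever'

# Stand-alone run: show the stanza and check the constructed sample.
# On the real Pi-Hole you would pass the live output instead:
#   has_all_ipv6_classes "$(ip -6 addr show ens192)"
render_static_ula_stanza ens192 fd00::20 64
has_all_ipv6_classes "$SAMPLE_IP6_OK" && echo "sample: link-local, ULA and global all present"
```

The checker returns non-zero and names the missing class, so it can sit in a cron job or a monitoring check and flag the day the RA subnet or the static address quietly disappears, which is exactly when ads start leaking over IPv6 again. One caveat on the prefix itself: fd00::/64 works, but RFC 4193 expects the 40 bits after fd to be randomly generated so that two ULA networks don’t collide if they are ever joined by a VPN.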

Windows Server

Notice nothing special needs to be done on the Windows Server side. It just works!

Windows Server IPv6 settings
Windows Server DNS Manager
DNS Resolution Works
