Reserving a Server IPv6 Address?

Hello, I have a small project I’m working on where I’m setting up a simple local DNS server for locally hosted name resolution.

Now reserving a private IPv4 address for the server is easy. IPv6…I’m having trouble figuring out. I want the private server to be able to forward DNS requests to both IPv4 & IPv6 public servers but I don’t know how to reserve an IPv6 address in my router for the private server as the option doesn’t appear to exist as it does for IPv4…

Can I just use DHCP and set that IP as Static or will I still run into the potential that the IP could be handed out again if the lease isn’t renewed by the same client?

My IPv6 knowledge is rather limited here so if someone could help clarify some of these issues it’d be appreciated.

How are you getting IPV6 configured on your WAN side?

DHCP from ISP.

The goal of this DNS server isn’t to access it from the Internet but for local clients to resolve host names of local servers and for all other requests to be forwarded to their respective IPv4/IPv6 public DNS providers.

…just can’t figure out how to set a static IPv6 address on the server and have that address not in the DHCP pool…right now the router settings don’t make sense to me for what IP’s I see network clients getting.

If you are getting prefix delegation you should not need to set up static ips/routing as well
The IPV6 addresses you see before dhcp/prefix delegation are probably the link-local ones (they start with fe80:…) you can’t use them to route IPV6 traffic outside of your network (even DNS) … your best bet is to get prefix delegation working if available … what router/isp are you using?

PS:

this has really helped me getting the hang of IPV6 vs IPV4 concepts …

2 Likes

Spectrum & I cannot seem to find a model number on this thing but some Googling suggests it’s some sort of SAGEMCOM FAST 5280 RAC2V2S. Very basic.

In only the first minute he already made sense of how/why the clients come up with these bizarre random addresses after the 64 bit network/subnet portion. Will definitely keep watching.

1 Like

The manual displays a series of IPV6 related tabs, but then there’s no explanation for them. Spectrum should be able to assign to your LAN a delegated prefix, size 56, you should look into your router tabs for the settings on the WAN side to use dhcp, and settings on the LAN side for a /56 delegated prefix … if all goes well and your LAN interface on the router gets an IPV6 address, all your LAN attached IPV6 devices should start getting IPV6 valid addresses through router advertisement, there’s no need to set up static IPs and/or DHCPv6 …

I’ve just sat through more of the video and he explained how SLAAC basically has the client assign itself an IP.

For my purposes here SLAAC was an option during OS installation and just like he said all it does is convert the 48-bit MAC into a 64-bit string and that becomes the client IP.

Given the MAC doesn’t change and they’re meant to be unique across a layer 2 network I’m now guessing I’ve been wrong this entire time about how IPv6 IP leasing works. Wrong in that it doesn’t exist. Or isn’t needed when using SLAAC at least.

The current plan is to use dnsmasq for local DNS resolution. I should be able to just go ahead and assign the DNS Server IPv6 address to the clients and everything should just work. No need to talk to the ISP. No need to reserve any IPv6 IP.

Unless you happen to see something wrong with that logic?

/56 is fucking huuuugeee why would they assign anything but /60 and /64 jesus christ.

So in DHCPv6 you are looking for the DUID

Now I don’t have the same model but your router should be able to grab a prefix depending on how it’s assigned. Then your router being the DHCPv6 server should be able to assign an address and it will do so given a DUID and a lease time. You can statically map these.

Unfortunately in this router’s WebUI while DHCP has settings for reserving IPv4 addresses. DHCPv6 has absolutely nothing. No mention of DUID anywhere. I think it’s just a matter of the router wasn’t built with this feature because anybody who owns one of these would never use it…except me I guess.

I’ll have to test it to see if it works but SLAAC might just be the answer I was looking for. I’ll have to configure a new DNS Server instance and test it.

Then that will have to be the route you take. Ideally you should probably have a better router/firewall if you’re going to mess with what I said. I upgraded and never looked back because the pain that consumer routers are… is simply not worth it

Agreed. Unfortunately my current living situation doesn’t give me the freedom to do so. :confused: I briefly saw some articles talking about DUID so I have an inkling of an idea of what that is.

Future plans include building a pfSense box but that likely won’t happen for a while longer. Til then I’m setting up SLAAC and I’ll see how it goes.

Because

tl;dr initially home users were supposed to have a /48 assigned to them, but then the IETF decided to allow ISPs to decide how much IPv6 space home users can get, with Comcast (being the s*** company that it is), initially only giving a single /64. A /48 may not be given to everyone, with /56 being specifically mentioned to be the most considered one. Giving a single /64 is just too little.

IMO, the default should be /62 (4 subnets). If you want to have more subnets, a /58 (64 subnets) should be allowed. Keep in mind that with IPv4 you literally have a /16, a /12 and a /8 of private space and you can split them in however many more subnets you desire, even /30s. But IPv6 will not allow itself to be subnet-ed into anything less than a /64. This means that if you want to have more subnets with IPv6 and your ISP doesn’t delegate you more subnets, you are royally f***ed.

Regarding OP’s question, I believe there was a way to map the MAC address to a static DHCP suffix (the second /64 half) that you set yourself (stateful DHCPv6). And whenever the prefix changes from the ISP side, the suffix stays the same and the DNS entry gets updated.

But I don’t remember how it’s done, or if my mind is playing tricks on me. I don’t have a lot of experience with ipv6 and most of what I have is labs and courses, nothing practical.

Christ we are wasteful as fuck. How is /64 too little. If you need more addresses than is possible with a /64 that’s not a home network ffs. /60 IMHO should be more than enough let alone /56 or god forbid /48

People would hardly utilize this space at all. That’s a ton of devices even with iot, smartphones and tablets.

Then don’t split via subnet. Make virtual LANs inside the same space in a predefined range. IDK it seems wasteful to give people that many. Like right now I have /56 and /60 available to me.

A single /64 subnet is about 4 billion times the size of the entire IPv4 address space. We can afford to be wasteful. And I can’t do the math now, but we have enough subnets to not have to worry for a long, long time to come. And with a /62, I’ve been really generous to ISPs, because IETF recommends anywhere between /48 and /56, but these are just recommendations, with ISPs not giving people more than a /64, because there’s money to be made by selling business plans that come with more than 1 prefix.

We seriously should have had more foresight than that. Like opening /72s and /84s and /96s

I digress. Good luck OP

The original proposal was to have /80s used for SLAAC and other auto configuration addresses, but then /64 was chosen as the size for it …

   The notion of a /64 boundary in the address was introduced after the
   initial design of IPv6, following a period when it was expected to be
   at /80.  There were two motivations for setting it at /64.  One was
   the original "8+8" proposal [ODELL] that eventually led to the
   Identifier-Locator Network Protocol (ILNP) [RFC6741], which required
   a fixed point for the split between local and wide-area parts of the
   address.  The other was the expectation that 64-bit Extended Unique
   Identifier (EUI-64) Media Access Control (MAC) addresses would become
   widespread in place of 48-bit addresses, coupled with the plan at
   that time that auto-configured addresses would normally be based on
   interface identifiers derived from MAC addresses.

   As a result, RFC 4291 describes a method of forming interface
   identifiers from IEEE EUI-64 hardware addresses [IEEE802], and this
   specifies that such interface identifiers are 64 bits long.  Various
   other methods of forming interface identifiers also specify a length
   of 64 bits.  The addressing architecture, as modified by [RFC7136],
   states that:

  For all unicast addresses, except those that start with the binary
      value 000, Interface IDs are required to be 64 bits long.  If
      derived from an IEEE MAC-layer address, they must be constructed
      in Modified EUI-64 format.

   The de facto length of almost all IPv6 interface identifiers is
   therefore 64 bits.  The only documented exception is in [RFC6164],
   which standardizes 127-bit prefixes for point-to-point links between
   routers, among other things, to avoid a loop condition known as the
   ping-pong problem.

When using SLAAC, the first 64 bit of your IPV6 address need to be routed (i.e. there’s no NAT involved), so yes, you or better, your router, need to talk with your ISP and ask, out of the /56 prefix delegation, a single /64 subnet to be allocated for your LAN.
Once your router is given that, it can then advertise that first /64 bit prefix on your LAN (different than DHCP where the whole ip addresses are handed out) and your clients will grab it, couple it with your 64 bit generated device identifier, and assign themselves a valid (routable) IPV6 address.
You can then configure (either through dhcp if your router allows it or manually) the IPV6 DNS forwarding IPV6 IPs in your clients and you’re good to go.

If you want to assign private IPv6 addresses to your LAN, then you will be able to assign a different subnet/range and you will need a router that supports:

  • configuring DHCPv6
  • NATting IPV6 to your WAN IPV6 address (IPV4 like)
  • provide DNS forwarding services through either the LAN or WAN IPV6 IP

This looks like a tall order of business for your ISP provider router.
Pfsense would probably be able to do it, Vyos would probably be able to do it as well …

As for the

Given the MAC doesn’t change

… that depends … the unique mapping from mac addresses to global UIDs was thought in a time where security wasn’t really needed and this presents a pretty important security challenge, given that in IPV6 NAT isn’t really something that should happen. Hence, once I know your mac, and I know your prefix, I know your internal, local IPV6 address no matter where you hook up your device in your LAN …
Also, every time you connect somewhere you’re basically giving away your MAC address …

To address that Linux can generate an UID that does not depend on the MAC address, but you need to specify it in the config (actually, depending on the distribution, it may be enabled by default)
OSX tries to be clever and generates two IPV6 addresses, one using the MAC and used for incoming connections (the original purpose of it) and the other temporary and used whenever IPV6 traffic is originated from the device …

	inet6 fe80::1c64:b701:5ff4:396e%en0 prefixlen 64 secured scopeid 0x4
	inet6 2a0d:3340:dead:beef:dead:beef:beef:8969 prefixlen 64 deprecated autoconf secured
	inet6 2a0d:3340:dead:beef:dead:beef:beef:b965 prefixlen 64 deprecated autoconf temporary

1 Like
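An added example, not part of any post in this thread: the Modified EUI-64 mapping described in the RFC excerpt and the post above, written so you can audit your own hosts for addresses that expose the interface MAC. The prefix `2001:db8:0:1::/64` (documentation range) and the MAC `00:11:22:33:44:55` are made-up sample values.

```python
import ipaddress

def mac_to_iid(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 and its own MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a /64 prefix")
    return net[mac_to_iid(mac)]

def embedded_mac(addr: str):
    """MAC recoverable from an address, or None if the IID is not EUI-64 shaped."""
    value = int(ipaddress.IPv6Address(addr.split("%")[0]))  # drop %zone
    iid = (value & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # random, temporary or manually chosen identifier
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to the MAC it exposes (None when it exposes none)."""
    return {a: embedded_mac(a) for a in addresses}

# Constructed sample: documentation prefix 2001:db8::/32 and a made-up MAC,
# plus the link-local address quoted in the post above.
SAMPLE = [
    str(slaac_address("2001:db8:0:1::/64", "00:11:22:33:44:55")),
    "fe80::1c64:b701:5ff4:396e%en0",
    "2001:db8:0:1::42",
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr:40} {'exposes ' + mac if mac else 'no MAC embedded'}")
```

The `ff:fe` check is a heuristic: a randomly generated identifier can contain those two bytes by chance, so treat a hit as a prompt to check the host's address-generation setting.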

I wanna say 65~70% of everything you just said made sense to me…

At this level of complexity if NAT isn’t being used between the LAN & WAN & that means I have to talk to my ISP to delegate a subnet or range of IP’s for me to use I’m better off just sticking with IPv4 DNS resolution. The entire network is dual stacked but it’s a bit of a let-down that the process is that involved.

I’ve been told time and time again that IPv6 is supposed to be easier than IPv4. Although I’ll trust that there is some truth to that everything you’ve just told me says IPv6 is a heck of a lot harder if you want to host a local server and make its IP static.

Let me ask this question. Maybe you have an answer maybe not. With dnsmasq or if you don’t have experience with that any other DNS provider software, is it possible to have IPv4 failover to IPv6?

The idea I have is basically can I cheat? If I just setup IPv4 DNS on the LAN, provide the local IP to all my clients but add public IPv6 servers to the local DNS servers configuration can it take an IPv4 domain name request and forward it to an IPv6 network if it can’t resolve it?

This is something I could test myself and I very likely will because the whole proper IPv6 process is seriously too involved for what I have in mind.

In theory a static IPv6 should be as simple as remembering your prefix and then assigning the adress like so - prefix:subnet::xx

So assuming prefix feed:dead:fade, subnet 3gf and xx any two digit hex number like 42 your server address becomes feed:dead:fade:3gf::42.

Then you need to route this properly by opening the proper ports in your firewall, assign DNS names and so on. So yes, easier once you know the hoops, harder if you are stuck in the broken “NAT is essential to our security!” mentality.

In practice, IPv6 is still new, untested and largely unsupported, even today IPv4 only software is written. So, yeah, still got a bumpy road ahead.

2 Likes
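An added example, not part of any post in this thread: the prefix:subnet::xx scheme from the post above, together with the earlier point that a fixed suffix survives a prefix change, worked through with Python's `ipaddress` module. The delegated prefixes are made-up values from the documentation range `2001:db8::/32`, and the subnet id `0x3f` and suffix `::42` are sample choices.

```python
import ipaddress

def lan_subnets(delegated: str) -> int:
    """How many /64 LANs fit in a delegated prefix (/56 -> 256, /62 -> 4)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("a prefix longer than /64 cannot hold a /64 LAN")
    return 2 ** (64 - net.prefixlen)

def static_address(delegated: str, subnet_id: int, suffix: str) -> ipaddress.IPv6Address:
    """Combine delegated prefix, subnet id and a fixed host suffix."""
    net = ipaddress.IPv6Network(delegated)
    if not 0 <= subnet_id < lan_subnets(delegated):
        raise ValueError("subnet id does not fit in the delegated prefix")
    iid = int(ipaddress.IPv6Address(suffix))
    if iid >> 64:
        raise ValueError("suffix must stay within the low 64 bits")
    # prefix bits | subnet bits (just above the interface ID) | interface ID
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | iid)

def renumber(old: str, new_delegated: str, delegated_len: int) -> ipaddress.IPv6Address:
    """Carry the same subnet id and suffix over to a newly delegated prefix."""
    value = int(ipaddress.IPv6Address(old))
    subnet_id = (value >> 64) & (2 ** (64 - delegated_len) - 1)
    suffix = ipaddress.IPv6Address(value & (2**64 - 1))
    return static_address(new_delegated, subnet_id, str(suffix))

if __name__ == "__main__":
    # Constructed sample values (documentation prefix, not a real delegation).
    for length in (48, 56, 58, 60, 62, 64):
        print(f"/{length}: {lan_subnets(f'2001:db8::/{length}')} LAN(s)")
    server = static_address("2001:db8:ab00::/56", 0x3F, "::42")
    print("server:", server)
    print("after ISP renumbering:", renumber(str(server), "2001:db8:cd00::/56", 56))
```

Only the leading delegated bits change when the ISP hands out a new prefix, so the AAAA record for the server needs just those bits updated.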

With the proper hardware, and a sane config from your provider, it ‘just works’ … you enable IPV6 on the router and on the clients, they autoconfigure and you’re set
If you want to ‘fiddle’ with that / use a dumb router that doesn’t let you use the autoconfig then you are (as usual) supposed to try it out and see if it works for you.
That requires to get familiar with the technology, and it doesn’t help that ISPs that are supposed to be assigning to you what in effect is static IPV6 addresses try and make it very hard by having them change
One of the dumbest is the one we have in Italy … it has been ‘experimenting’ with IPV6 since almost ten years now, it supports prefix delegation, but it routes IPV6 traffic on a slower interconnect, and assigns to you a new prefix every 180 seconds … go figure

2 Likes