IPv6 RA: how do you advertise the gateway address as DNS to clients?

I’m moving from pfSense and this is my first time using vyos. So I apologize for the simple question.

## WAN
set interfaces ethernet hn0 description 'WAN'
set interfaces ethernet hn0 address 'dhcpv6'
set interfaces ethernet hn0 dhcpv6-options pd 0 length '60'

set interfaces ethernet hn0 dhcpv6-options pd 0 interface hn1 sla-id '1'
set interfaces ethernet hn0 dhcpv6-options pd 0 interface hn2 sla-id '2'

## LAN
set interfaces ethernet hn1 description 'LAN'
set interfaces ethernet hn1 ipv6 address autoconf

## DMZ
set interfaces ethernet hn2 description 'DMZ'
set interfaces ethernet hn2 ipv6 address autoconf

## RA
set service router-advert interface hn1 other-config-flag
set service router-advert interface hn1 prefix ::/64
set service router-advert interface hn1 name-server ???

set service router-advert interface hn2 other-config-flag
set service router-advert interface hn2 prefix ::/64
set service router-advert interface hn2 name-server ???

How do I advertise to LAN and DMZ clients the gateway (vyos router itself) as name-server?

Hi there. Are you running dual-stack? If so, how are the IPv4 clients getting their DNS server option? The same server should be able to be used for AAAA lookup. What’s the use-case?

Yes, I’m running a dual stack.

IPv4 clients are getting DNS via DHCP. But I want only SLAAC for IPv6 since Android doesn’t support DHCPv6.

The use case is to setup a split DNS using:

set system static-host-mapping host-name ...

Is RDNSS supported? Is RA automatically providing the IPv6 address of the gateway if none are specified?

I’m not entirely well-versed in IPv6 but your situation sounds similar to my home network which is why I’m asking what the end goal is. I use SLAAC for IPv6 but I’m only declaring my DNS servers from my IPv4 DHCP servers with IPv4 addresses. The clients “are smart enough” to ask for the AAAA record.

The only thing I don’t have is the IPv6 address for my LAN members in my local DNS which I’m -not sure- is possible with SLAAC unless you’re intercepting packets.

Of course it’s possible. I’m currently using opnsense and the RA (set to unmanaged/SLAAC) is automatically advertising my local DNS to all my clients (Windows, Linux, Android).
I wanted to switch to vyos because I prefer linux.

I don’t believe VyOS has the necessary infrastructure to support advertising itself as a DNS server over RDNSS in a dynamic prefix environment.

This configuration requires non-trivial scripting in any software-based router because radvd doesn’t have this functionality built in. It’s tricky to get right because the RDNSS broadcast has to be invalidated each time the delegated prefix changes.

The most straight-forward way to do DNS over IPv6 is to announce a ULA subnet in parallel with the delegated prefix from your ISP and announce the router’s ULA address in RDNSS.

Note that Android devices will get IPv4 DNS servers from DHCPv4 even if there are no RDNSS broadcasts announcing IPv6 DNS servers.

It is not possible, using off-the-shelf tools, to automatically register client devices’ SLAAC addresses in local DNS. SLAAC addresses are derived by the client with limited router involvement, so the router has no way to know which address corresponds to which device.

If you want to register client devices in DNS AAAA records on the LAN, you can either run a dynamic DNS update agent on the clients or announce, in parallel to your delegated prefix, a ULA subnet that uses DHCPv6. In the latter case, the clients will use SLAAC-derived addresses for Internet connectivity and will be reachable on ULA addresses for inter-LAN connectivity. I’m not familiar enough with VyOS to know if this is possible on the VyOS platform.

There are non-standard ways to attach SLAAC addresses to DNS, such as by harvesting data from the router’s NDP cache, snooping on NDP packets using pcap, or snooping on conntrack data from netfilter, but I have yet to find an open-source router that can do this.

Unless you have a static prefix, do not use DHCPv6 to allocate IPv6 Internet addresses to client machines. DHCPv6 has no means to propagate prefix changes to clients, so when your ISP gives you a new prefix, client IPv6 connectivity will break until the clients renew their DHCPv6 leases.

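The ULA approach recommended in the post above, worked through as an added example (this is not VyOS code and not code from anyone in the thread): it derives a stable ULA /48 the way RFC 4193 section 3.2.2 specifies (SHA-1 over a 64-bit NTP timestamp and the router's EUI-64, low-order 40 bits used as the Global ID), carves a /64 out of it, and prints the VyOS `set` lines that give the LAN interface a ULA address, advertise that prefix next to the PD-derived `::/64` one, and announce the ULA address as the RDNSS name server. The interface name `hn1`, the MAC address and the timestamp are constructed inputs.

```python
"""RFC 4193 ULA prefix generation plus the VyOS router-advert lines that
announce it beside the ISP-delegated prefix.

Added example for this thread; not VyOS code.  Interface name, MAC and
NTP timestamp below are constructed for the demonstration.
"""
import hashlib
import ipaddress
import struct
import time


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A):
    flip the universal/local bit and insert ff:fe in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def current_ntp_time64() -> int:
    """64-bit NTP timestamp: seconds since 1900 in the high 32 bits."""
    return (int(time.time()) + 2208988800) << 32


def ula_prefix(mac: str, ntp_time64: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 + 40-bit Global ID, where the Global
    ID is the low-order 40 bits of SHA-1(NTP timestamp || EUI-64)."""
    key = struct.pack(">Q", ntp_time64 & 0xFFFFFFFFFFFFFFFF) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]
    prefix_bytes = b"\xfd" + global_id + bytes(10)  # fd + GlobalID + zero subnet/host bits
    return ipaddress.IPv6Network((prefix_bytes, 48))


def vyos_ula_rdnss_config(iface: str, ula48, subnet_id: int,
                          router_host: int = 1) -> list:
    """VyOS 'set' commands: a static ULA address on the LAN interface, a second
    RA prefix next to the PD-derived '::/64' one, and the ULA address as RDNSS.
    Command syntax is VyOS 1.3+/1.4 'service router-advert' as documented."""
    ula48 = ipaddress.IPv6Network(ula48)
    if ula48.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet_id < 2 ** 16:
        raise ValueError("subnet id must fit in the 16 bits between /48 and /64")
    # the 16-bit subnet ID sits in bits 48..63 from the top, i.e. shifted by 64 from the bottom
    lan64 = ipaddress.IPv6Network((int(ula48.network_address) | (subnet_id << 64), 64))
    router = lan64.network_address + router_host
    return [
        f"set interfaces ethernet {iface} address '{router}/64'",
        # '::/64' = derive the advertised prefix from the interface's own
        # (DHCPv6-PD assigned) address; the ULA prefix is advertised beside it
        f"set service router-advert interface {iface} prefix '::/64'",
        f"set service router-advert interface {iface} prefix '{lan64}'",
        f"set service router-advert interface {iface} name-server '{router}'",
    ]


if __name__ == "__main__":
    # constructed inputs: a fixed timestamp keeps the run reproducible
    prefix = ula_prefix("52:54:00:12:34:56", 0xE6F0C0A800000000)
    print(f"# ULA /48: {prefix}")
    for line in vyos_ula_rdnss_config("hn1", prefix, subnet_id=1):
        print(line)
```

Generate the /48 once and keep it in the config; it never changes when the ISP prefix does, so the RDNSS entry never needs invalidating. Use a different `subnet_id` per interface (e.g. 1 for hn1, 2 for hn2). Check the RDNSS lifetime against your RA interval: RFC 8106 wants the lifetime no shorter than MaxRtrAdvInterval, and VyOS exposes it as `name-server-lifetime` under the same interface node if your release has that option.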

By always using the same DHCPv6c DUID-UUID, Comcast hasn’t changed our 60-bit PD in more than two years now. All the SLAAC addresses then become quasi-static, so we simply manually add them to our DNS server. We don’t use DHCPv6 server at all.

Not sure what kind of magic opnsense is doing with RA-RDNSS but it has been successfully providing the gateway IPv6 address as DNS server to all our clients (Linux, Windows, Android).

Opnsense unbound is set up to redirect internal domain queries to our DNS server and everything else to Google servers.

It has been working really well so far, but I wanted to switch to vyos because I personally prefer linux over freebsd.
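The manual step described above (adding quasi-static SLAAC addresses to DNS by hand) and the "harvest the NDP cache" approach mentioned two posts earlier can be turned into a small script. The following is an added example, not code from VyOS or from anyone in the thread: it parses `ip -6 neigh show` output as seen on the router, keeps only entries that carry a link-layer address and are in a state where the neighbour actually answered, drops link-local and off-prefix addresses, maps MACs to hostnames through an inventory, and emits `set system static-host-mapping` lines. The neighbour-table text, the inventory and the managed prefix are all constructed for the demonstration.

```python
"""Harvest SLAAC addresses from the router's NDP cache and emit VyOS
static-host-mapping entries for known hosts.

Added example for this thread; not VyOS code.  The neighbour lines, the
MAC-to-hostname inventory and the managed prefix are constructed.
"""
import ipaddress
import re

# constructed sample in the format of `ip -6 neigh show` on the router
SAMPLE_NEIGH = """\
2001:db8:1234:1:5054:ff:fe12:3456 dev hn1 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1234:1:8d1e:3f2a:9c7b:4e10 dev hn1 lladdr 52:54:00:12:34:56 STALE
fe80::5054:ff:fe12:3456 dev hn1 lladdr 52:54:00:12:34:56 router REACHABLE
2001:db8:1234:1:1a2b:3c4d:5e6f:7a8b dev hn1  FAILED
2001:db8:1234:2::10 dev hn2 lladdr 52:54:00:aa:bb:cc REACHABLE
2001:db8:ffff:9::1 dev hn0 lladdr 00:11:22:33:44:55 STALE
"""

# constructed inventory: which MAC is which host (SLAAC gives the router no other handle)
INVENTORY = {"52:54:00:12:34:56": "laptop", "52:54:00:aa:bb:cc": "dmzweb"}
# constructed: the /60 delegated by the ISP; refresh this whenever the PD changes
MANAGED = ["2001:db8:1234::/60"]

LINE_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?(?P<flags>.*)$"
)
# states in which the kernel has (recently) heard from the neighbour
USABLE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


def parse_neigh(text: str):
    """Yield (IPv6Address, mac, state) for cache entries that have a link-layer
    address and a usable state; FAILED/INCOMPLETE rows never carried a MAC we trust."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue
        words = m.group("flags").split()
        state = words[-1] if words else ""
        if state not in USABLE_STATES:
            continue
        yield ipaddress.IPv6Address(m.group("addr")), m.group("mac").lower(), state


def harvest(text: str, inventory: dict, managed) -> dict:
    """hostname -> sorted list of global addresses inside the managed prefixes.
    Link-local and off-prefix entries are dropped.  A host running privacy
    extensions shows up with several addresses; all of them are kept."""
    nets = [ipaddress.IPv6Network(n) for n in managed]
    found = {}
    for addr, mac, _state in parse_neigh(text):
        if addr.is_link_local or not any(addr in net for net in nets):
            continue
        name = inventory.get(mac)
        if name is None:
            continue
        found.setdefault(name, set()).add(addr)
    return {name: [str(a) for a in sorted(addrs)] for name, addrs in found.items()}


def vyos_static_host_mapping(hosts: dict) -> list:
    """One VyOS 'set' line per (host, address) pair, in a stable order."""
    return [
        f"set system static-host-mapping host-name {name} inet '{addr}'"
        for name in sorted(hosts)
        for addr in hosts[name]
    ]


if __name__ == "__main__":
    for line in vyos_static_host_mapping(harvest(SAMPLE_NEIGH, INVENTORY, MANAGED)):
        print(line)
```

Two things to keep in mind when running something like this for real: the neighbour cache only holds hosts that have talked to (or through) the router recently, so it has to be polled, and every time the delegated prefix changes the `MANAGED` list and all previously emitted mappings become stale and must be replaced, which is exactly the maintenance the ULA alternative avoids.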

Opnsense doesn’t do anything particularly unusual with RDNSS. It just adds the IPv6 address of its LAN interface(s) to the RDNSS broadcast. This works perfectly well if you have a static (or at least very stable) prefix.

Given that you have a stable prefix, you could emulate this behavior in VyOS simply by manually copying the VyOS router’s LAN-side IPv6 address into the configuration (i.e. set service router-advert interface hn1 name-server <VyOS LAN IPv6 Address>).

My experience with Opnsense RDNSS is that it will break when the upstream prefix changes. RDNSS updates do not propagate to the clients in a timely fashion, which means that, following a prefix change, DNS lookups become very slow as clients time out on DNS-over-IPv6 requests before falling back to IPv4 DNS announced by DHCP.

IPv6 handling on all of the software router distributions is pretty awful in one way or another.