IPv6 - Advertise router as DNS

mattjhaigh · Mon Apr 02, 2018 1:38 am

The Advertise DNS option on the IPv6 ND submenu currently broadcasts all IPv6 resolvers listed in the IP/DNS Server.

This is unwanted behaviour - as IPv6 queries are not cached, and go direct to the IPv6 resolvers on the internet.

The IP DNS Server is IPv6 capable and is a caching name server.

Would it be possible to introduce a small change such that only the router's IP address, and hence the DNS server itself is broadcast, rather than its upstream resolvers.

This would make it much easier to introduce IPv6 on small networks.

Screenshots attached of proposed change - either in IP Address menu or in the ND menu.

Would appreciate your thoughts on getting this change made. Attempted to use DHCPv6 stateless config to do this but was not able to get to function as desired.

Matt

ipv6-address.png

nd-bridge-screenshot.png

Sob · Mon Apr 02, 2018 6:25 am

I'm sure it will happen eventually. It already works with DHCPv6, but only in 6.42rc. If you define DNS option and assign it to DHCPv6 server, it overrides resolvers from "/ip dns":

/ipv6 dhcp-server option
add code=23 name=mydns value=0x20010db8000000000000000000000001
/ipv6 dhcp-server
add <other options> dhcp-option=mydns

mattjhaigh · Mon Apr 02, 2018 12:23 pm

Thank you Sob. This is great. Could you explain the value-0x20010..... entry. I had tried DHCPv6 but could not configure. I must have been confused between the advertise and DHCPv6 stateful/stateless. Could you let me know what this value means?

I'm sure it will happen eventually. It already works with DHCPv6, but only in 6.42rc. If you define DNS option and assign it to DHCPv6 server, it overrides resolvers from "/ip dns":
Code: Select all
/ipv6 dhcp-server option
add code=23 name=mydns value=0x20010db8000000000000000000000001
/ipv6 dhcp-server
add <other options> dhcp-option=mydns

null31 · Mon Apr 02, 2018 3:35 pm

Another option to do on below of 6.42rc is:
Mark the options Advertise DNS and Other Configurations, then add a DHCPv6 server to advertise the DNS servers from /ip dns.

/ipv6 nd 
add advertise-dns=yes other-configuration=yes interface=bridge
/ipv6 dhcp-server 
add name=my-dhcp address-pool=static-only interface=bridge

Sob · Mon Apr 02, 2018 6:58 pm

@null31: The idea is to not advertise servers from "/ip dns", because we want clients to use DNS cache on router.

Option value is address in long form and without colons:

0x20010db8000000000000000000000001 = 2001:db8::1

If you need more, just put them one after another:

0x20010db800000000000000000000000120010db8000000000000000000000002 = 2001:db8::1, 2001:db8::2

While not the most admin friendly solution, it works. Don't advertise DNS in RA, enable Other Configuration, add DHCPv6 server without pool (it makes it stateless), add this option and clients will take it from there.

You can even script it for dynamic prefixes you get using DHCPv6 client from ISP. I didn't actually try it, because I'm not good with RouterOS scripts, but it's most likely possible.

mattjhaigh · Tue Apr 03, 2018 9:50 am

It the IPv6 address just in hex!

Thanks Sob.

Will experiment.

Will identify if the prefix my ISP is giving me is dynamic.

It would be great to have this implemented.

Matt

@null31: The idea is to not advertise servers from "/ip dns", because we want clients to use DNS cache on router.

Option value is address in long form and without colons:

0x20010db8000000000000000000000001 = 2001:db8::1

If you need more, just put them one after another:

0x20010db800000000000000000000000120010db8000000000000000000000002 = 2001:db8::1, 2001:db8::2

While not the most admin friendly solution, it works. Don't advertise DNS in RA, enable Other Configuration, add DHCPv6 server without pool (it makes it stateless), add this option and clients will take it from there.

You can even script it for dynamic prefixes you get using DHCPv6 client from ISP. I didn't actually try it, because I'm not good with RouterOS scripts, but it's most likely possible.

dksoft · Mon Apr 09, 2018 9:31 am

There is no need for scripting if you use ULA-addressing instead of GUA-addressing based on the IPv6 prefix from your ISP as ULA-addresses remain static.

E.g. create an ULA-pool:

/ipv6 pool
add name=ULA-pool6 prefix=fd00::/64 prefix-length=64

Assign an address to your router:

/ipv6 address
add address=fd00::1 comment="IPv6 ULA address" interface=LAN

And let DHCPv6 advertise your router as the intranet DNS server:

/ipv6 dhcp-server option
add code=23 name=DNS value=0xfd000000000000000000000000000001
/ipv6 dhcp-server
add dhcp-option=DNS interface=LAN lease-time=30m name=LAN-dhcp6

Even there is no hairpin on IPv6, it's a good idea to use split-DNS with ULA-adressing in your intranet. This is because a connection, like a Samba share, made to the GUA-address of your server will abort right at the moment your ISP provides you with a new IPv6-prefix.

Therefore use split-DNS with ULA-addressing:

/ip dns static
add address=10.0.0.1 name=samba-server
add address=10.0.0.1 name=samba-server.intra
add address=10.0.0.1 name=samba-server.internet.com
add address=fd00::1 name=samba-server ttl=1m
add address=fd00::1 name=samba-server.intra ttl=1m
add address=fd00::1 name=samba-server.internet.com ttl=1m

About IPv6 firewall-rules: Check the great new "address-list" feature. If you set the host to your DDNS record, it will automatically adopt your firewall rules. This depends on the DDNS TTL but works very simple without the need to script the firewall rules anymore.

In case of split-DNS, you have to make two DDNS entries. One for split-DNS and another one for "address-list".
This is because "address-list" will use the internal DNS which overwrites the host's GUA-address with the ULA-address as above.

E.g. if you make an additional DDNS entry with hostname "samba-server6.internet.com":

/ipv6 firewall address-list
add address=samba-server6.internet.com list=samba-server6.internet.com

You can setup your firewall rule like:

/ipv6 firewall filter
add action=accept chain=forward comment="Forward SSH/HTTP/HTTPS to samba-server.intra" dst-address-list=samba-server6.internet.com dst-port=22,80,443 in-interface=WAN protocol=tcp

TomSF · Fri Jul 13, 2018 12:02 am

Replying to dksoft.
It has been an adventure getting Win 10 to get the DNS address from the DHCPV6 server. One machine did it one time and then refused to get it again. I know there have been issues with Win 10 and IPV6 but I read that as of the Creator update (April 2017) it was supposed to support RDNSS. I also read that the RDNSS DHCP option is 25 so I created one just like your 23 option and set the DHCPV6 server to use both. Still no luck. I then read that to get things to work I had to disable IPv4 in Windows 10. Doing that resulted in an IPV6 only system but it couldn't get any DNS. I then re-enabled IPV4 and my 2 Win 10 machines got the fd00::1 address. Time will tell if I will still have them after the PCs are rebooted. Another thing I noticed is that a reboot of the router lost that address and I had to add it again. Would you expect the address to have survived a router reboot or should I write a script to automatically add it?

thewickerman666 · Fri May 31, 2019 7:31 am

dksoft,
this is excellent workaround and I can confirm that it works awesomely well. Thanks.

--

There is no need for scripting if you use ULA-addressing instead of GUA-addressing based on the IPv6 prefix from your ISP as ULA-addresses remain static.

E.g. create an ULA-pool:
Code: Select all
/ipv6 pool
add name=ULA-pool6 prefix=fd00::/64 prefix-length=64
Assign an address to your router:
Code: Select all
/ipv6 address
add address=fd00::1 comment="IPv6 ULA address" interface=LAN
And let DHCPv6 advertise your router as the intranet DNS server:
Code: Select all
/ipv6 dhcp-server option
add code=23 name=DNS value=0xfd000000000000000000000000000001
/ipv6 dhcp-server
add dhcp-option=DNS interface=LAN lease-time=30m name=LAN-dhcp6
Even there is no hairpin on IPv6, it's a good idea to use split-DNS with ULA-adressing in your intranet. This is because a connection, like a Samba share, made to the GUA-address of your server will abort right at the moment your ISP provides you with a new IPv6-prefix.

Therefore use split-DNS with ULA-addressing:
Code: Select all
/ip dns static
add address=10.0.0.1 name=samba-server
add address=10.0.0.1 name=samba-server.intra
add address=10.0.0.1 name=samba-server.internet.com
add address=fd00::1 name=samba-server ttl=1m
add address=fd00::1 name=samba-server.intra ttl=1m
add address=fd00::1 name=samba-server.internet.com ttl=1m
About IPv6 firewall-rules: Check the great new "address-list" feature. If you set the host to your DDNS record, it will automatically adopt your firewall rules. This depends on the DDNS TTL but works very simple without the need to script the firewall rules anymore.

In case of split-DNS, you have to make two DDNS entries. One for split-DNS and another one for "address-list".
This is because "address-list" will use the internal DNS which overwrites the host's GUA-address with the ULA-address as above.

E.g. if you make an additional DDNS entry with hostname "samba-server6.internet.com":
Code: Select all
/ipv6 firewall address-list
add address=samba-server6.internet.com list=samba-server6.internet.com
You can setup your firewall rule like:
Code: Select all
/ipv6 firewall filter
add action=accept chain=forward comment="Forward SSH/HTTP/HTTPS to samba-server.intra" dst-address-list=samba-server6.internet.com dst-port=22,80,443 in-interface=WAN protocol=tcp

theprojectgroup · Tue Nov 10, 2020 10:12 pm

Python3 Script to convert the IPv6 address of your DNS to HEX format in /ipv6 dhcp-server option
Install ip address module https://docs.python.org/3/library/ipaddress.html

#!/usr/bin/python3
# https://docs.python.org/3/library/ipaddress.html
# ^^ pip3 install ipaddress
import ipaddress
ip = input('Enter IPv6: ')
ip=ipaddress.IPv6Address(ip).exploded
print(ip)
iphex = ip.replace(':', '')
print('0x'+iphex)

Screenshot 2020-11-10 at 21.12.28.png

Znevna · Tue Nov 10, 2020 10:36 pm

why complicate your life?

 /ipv6 dhcp-server option> add code=23 name=dnstest value="'fe80::ceff:e0ff:fabc:abcd'"

 /ipv6 dhcp-server option> print                                                       
 # NAME                                            CODE VALUE                                           RAW-VALUE                                          
[...]                  
 4 dnstest                                           23 'fe80::ceff:e0ff:fabc:abcd'                     fe80000000000000ceffe0fffabcabcd

Sob · Tue Nov 10, 2020 10:57 pm

In my defense, I don't normally use dhcp options, manual only documents them for DHCPv4, example shows only IPv4 address, and it didn't occur to me that it supports IPv6 address too. :)

Znevna · Tue Nov 10, 2020 11:03 pm

Oh, I wasn't referring to the solution provided by you, but to the python script posted above.
Sorry :D

theprojectgroup · Wed Nov 11, 2020 11:07 pm

why complicate your life?

 /ipv6 dhcp-server option> add code=23 name=dnstest value="'fe80::ceff:e0ff:fabc:abcd'"

 /ipv6 dhcp-server option> print                                                       
 # NAME                                            CODE VALUE                                           RAW-VALUE                                          
[...]                  
 4 dnstest                                           23 'fe80::ceff:e0ff:fabc:abcd'                     fe80000000000000ceffe0fffabcabcd

Since which routerOS version is this possible? And why must it be in quotes @MikroTik?

For those who're interested how this looks in Wireshark when it actually working:

VMFOWin10 2020-11-11 21-59-48.png

Sob · Wed Nov 11, 2020 11:34 pm

DHCPv6 server has configurable options since 6.42. And support for IPv6 addresses as option values is even older, under DHCPv4 server, where I'm not sure if it's good for anything, but it's there. This is test with 6.18, I don't have anything older at hand:

[sob@AP2] > /ip dhcp-server option print 
 # NAME                         CODE VALUE                        RAW-VALUE                       
 0 test                           23 '2001:db8::1'                20010db8000000000000000000000001

Znevna · Wed Nov 11, 2020 11:53 pm

The wiki page for the DHCPv6 server is missing the options part even if there's a link to it in there (deserves a fix): https://wiki.mikrotik.com/wiki/Manual:I ... er#Options
But, in 6.42 came this:

*) dhcpv6-server - added DHCPv4 style user options;

And https://wiki.mikrotik.com/wiki/Manual:I ... CP_Options states this:

Starting from v6.8 available data types for options are:
0xXXXX - hex string (works also in v5)
'XXXXX' - string (works also in v5 but without ' ' around the text)
$(XXXXX) - variable (currently there are no variables for server)
'10.10.10.10' - IP address
s'10.10.10.10' - IP address converted to string
'10' - decimal number
s'10' - decimal number converted to string

And I remember I've tried entering the IPv6 address in there in '' and it worked. No script or other headaches needed.
Winbox caught up with this much later though as it seems, in 6.46.5:

*) winbox - added "Options" parameter support for DHCPv6 client and server;

Sela69 · Thu Jan 27, 2022 3:38 pm

Hi,

I'm trying to enable IPv6 in my local network, I don't undertand hot to advertise the router as DNS server using SLAAC. What I get is to advertise the external DNS servers and I've understood that DHCP Server IPV6 is not expected to be used to provide adrresses to "users".

I'm on 7.1.1 stable.

Thanks for helping me.

Sob · Thu Jan 27, 2022 4:45 pm

It's in /ipv6/nd, option advertise-dns=yes, and v7 has new option "dns", e.g dns=2001:db8::1,2002:db8::2.

Sela69 · Thu Jan 27, 2022 5:10 pm

It's in /ipv6/nd, option advertise-dns=yes, and v7 has new option "dns", e.g dns=2001:db8::1,2002:db8::2.

I'm sorry , I'm trying to look for this option "dns" reading official wiki, but I'm not able to find that ...

Is this one ? :

[admin@MikroTik] > ip dns set server=2001:db8::2
[admin@MikroTik] > ip dns print
servers: 2001:db8::2
...
[admin@MikroTik] > ipv6 nd set [f] advertise-dns=yes

Sob · Thu Jan 27, 2022 5:38 pm

It's here:

/ipv6 nd set X advertise-dns=yes dns=2001:db8::2

It looks like they forgot to document it. I initially missed it too, but someone mentioned it in another thread. Btw, you should use WinBox, the GUI is kind of self-documenting, you won't miss things so easily.

IPv6 - Advertise router as DNS [SOLVED]

IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS [SOLVED]

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Re: IPv6 - Advertise router as DNS

Who is online