Pi-hole v6 with Unbound - DNS Resolvers Not Reaching IPv6 Nameservers Despite Active IPv6 Connection

SudoMason · March 26, 2025, 12:13am

Hi,

I’m running Pi-hole v6 and Unbound on my DietPi setup, and both are working perfectly for IPv4. However, I’ve noticed that despite having an active IPv6 connection through my ISP, websites like https://www.dnscheck.tools/ report that my DNS resolvers cannot reach IPv6 nameservers.

Here’s what I’ve checked so far:

My router shows IPv6 is enabled and has an active IPv6 address.
In dietpi-config, under the network adapter section, IPv6 is enabled.
Running ip -6 addr confirms that my eth0 interface has an IPv6 address assigned.

However, when I test connectivity with ping6 -c 4 google.com, I get a “network is unreachable” error.

My question is: how can I configure my setup so that my DNS resolvers (Pi-hole/Unbound) can successfully reach IPv6 nameservers? Any advice or troubleshooting steps would be greatly appreciated!

Thanks!

trendy · March 26, 2025, 8:31am

What is the output of:

ip -6 ad ; ip -6 ro list table all; ip -6 ru
nslookup ipv6.google.com

Please make consistent changes in the public IPv6 addresses, for example 2001:1234: can be changed to 20ab:5678: for all.

Joulinar · March 26, 2025, 10:00am

Side note: In principle, IPv6 is not required for DNS resolution itself. IPv6 addresses can also be resolved via IPv4 without any problems

Example, resolve google IPv6 via 9.9.9.9

root@DietPiProd:~# dig google.com AAAA

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> google.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52021
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      AAAA

;; ANSWER SECTION:
google.com.             28      IN      AAAA    2a00:1450:4001:827::200e

;; Query time: 20 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Wed Mar 26 10:58:50 CET 2025
;; MSG SIZE  rcvd: 67

root@DietPiProd:~#

SudoMason · April 26, 2025, 1:34am

I understand. I just want this IPV6 message on the DNS check website in my OP to not produce the current error.

That’s my main objective here.

SudoMason · April 26, 2025, 1:40am

Can you expand on what you meant by this?

I want to share the output you asked about, but I’d like to avoid sharing sensitive info that fingerprints my system or network on a public forum. How can I go about that to help you help me?

Based on my observations, it appears that an unbound configuration issue may need fixing, as my ISP supports IPv6 and it’s enabled. Additionally, DietPi settings have IPv6 enabled, so I suspect unbound is the problem, though I could be mistaken.

trendy · April 27, 2025, 12:09pm

I meant that when you post the output of the above commands, change the characters to protect your privacy, but at the same time make it consistent, so we can point you to the culprit.
If your IPv6 is 2abc:1357:.... change it everywhere to 2bcd:2468:...

SudoMason · May 6, 2025, 9:51pm

Understood. Here is a randomized but consistent output:

root@DietPi:~# ip -6 ad ; ip -6 ro list table all; ip -6 ru
nslookup ipv6.google.com
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::a1b2:c3d4:5678:9012/64 scope link 
       valid_lft forever preferred_lft forever
3: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 500
    inet6 fd12:3456:789a::bcde:f012/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::1f2e:3d4c:5b6a:7890/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
fd12:3456:789a::53 dev tailscale0 table 52 metric 1024 pref medium
fd12:3456:789a::/48 dev tailscale0 table 52 metric 1024 pref medium
fd12:3456:789a::bcde:f012 dev tailscale0 proto kernel metric 256 pref medium
fe80::/64 dev tailscale0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fd12:3456:789a::bcde:f012 dev tailscale0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tailscale0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
local fe80::1f2e:3d4c:5b6a:7890 dev tailscale0 table local proto kernel metric 0 pref medium
local fe80::a1b2:c3d4:5678:9012 dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev tailscale0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
0:      from all lookup local
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
32766:  from all lookup main
Server:         10.28.87.2
Address:        10.28.87.2#53

Non-authoritative answer:
ipv6.google.com canonical name = ipv6.l.google.com.
Name:   ipv6.l.google.com
Address: 2607:f8b0:400a:805::200e

trendy · May 11, 2025, 10:40am

There is no global IPv6 address assigned to eth0.
Tailscale has some private address only.

SudoMason · May 11, 2025, 3:31pm

Hmm. So all I need to do is enable IPv6 DHCP in my router?

Joulinar · May 11, 2025, 4:04pm

What exactly is your use case? For what reason you need IPv6 an you local system? DNS resolution doesn’t require it.

SudoMason · May 11, 2025, 4:10pm

No specific use case, just want to turn the red “DNS resolvers cannot reach IPv6 nameservers” to green on dnstools.check. Experimenting and tinkering to make it happen. Nothing wrong with that.

I enabled IPv6 DHCP and I can see my LAN devices being assigned IPv6 addresses slowly. So far the dietpi hasn’t received one even though ipv6 is enabled in dietp-config.

Joulinar · May 11, 2025, 4:42pm

Simply reboot the device

SudoMason · May 11, 2025, 4:57pm

I did and still no ipv6 address is being assigned.

SudoMason · May 11, 2025, 5:14pm

When monitoring LAN devices in my router’s web interface, I see an IPv6 address briefly assigned to the DietPi device, but it quickly disappears. This keeps reoccurring every several minutes or so.

trendy · May 11, 2025, 6:31pm

Have you enabled IPv6 in dietpi-config > Network Options: Adapters first?

SudoMason · May 11, 2025, 6:48pm

Yes I have. It’s been enabled since the day I installed dietpi.

SudoMason · May 11, 2025, 6:56pm

I set the network DHCP IPv6 to ‘stateless dhcp v6 mode’.

I then set the primary and secondary DNS using the IPv6 address from the dietpi system that’s produced by executing ip -6 addr show eth0.

Rebooted the Pi and my router and most of my devices are showing IPv6, but the Raspberry Pi4 with dietpi is failing to do so.

trendy · May 11, 2025, 8:37pm

Run this:

cat << EOF > /etc/network/interfaces.d/ipv6.conf
iface eth0 inet6 dhcp
        # use SLAAC to get global IPv6 address from the router
        # we may not enable ipv6 forwarding, otherwise SLAAC gets disabled
        autoconf 1
        accept_ra 2
EOF

Then do an ifup eth0 or reboot

SudoMason · May 11, 2025, 8:47pm

The configuration worked, but my static IPv4 address disappeared so I changed it to:

sudo bash -c 'cat << EOF > /etc/network/interfaces.d/ipv6.conf
# IPv4 configuration
auto eth0
iface eth0 inet dhcp

# IPv6 configuration
iface eth0 inet6 dhcp
        autoconf 1
        accept_ra 2
EOF'

And now I have both IPv4 and IPv6.

SudoMason · May 11, 2025, 9:46pm

I checked dnscheck.tools again, but still the same red error on IPv6 nameservers not being reachable by my DNS resolvers.

Is there another step I’m supposed to do after assigning the IPv6 LAN IP simultaneously alongside the IPv4?