
IPv6 encryption on UniFiOS

I have installed the NextDNS app on my UniFi Dream Machine Pro. When I have IPv6 turned off, all clients are going through the NextDNS servers encrypted. However, when IPv6 is enabled, all clients are using my ISP's DNS servers. I have tried uninstalling, reinstalling, restarting PCs, and I can't seem to get IPv6 to go through NextDNS. I am able to manually specify the NextDNS IPv6 DNS servers, but the data is then not encrypted.

Any assistance would be great.

Cheers

8 replies

    • Mike_Stevenson
    • 3 yrs ago

    Same situation here: after installing NextDNS on my USG and setting the WAN side to use NextDNS manually, I can see in the NextDNS logs on the site all the unencrypted requests that are going over IPv6 and not being intercepted by the local NextDNS service on the USG.

    • mlapida
    • 3 yrs ago

    I'm experiencing the same thing. I can't use IPv6 on my local network without using the unencrypted endpoint. 

    • Simon_L
    • 3 yrs ago

    Note: I'm currently using DHCPv6 on my UDM to advertise IPv6 addresses on my local network, though the changes required should be similar for a PD setup.

    What's happening here is that the UDM is directly advertising the NextDNS IPv6 (WAN) addresses to the clients to be set as their resolvers. What you want is to have all your clients use the UDM as their resolver, similarly to how IPv4 is set up.

    For me, I configured my DHCPv6 name servers to advertise the IPv6 equivalent of my router's IPv4 subnet address.

    E.g. if the gateway IP is configured to 192.168.10.1, set 0:0:0:0:0:ffff:c0a8:a01 as the DHCPv6 name server. You can use any IPv4-to-IPv6 address conversion tool out there to obtain the IPv6 equivalent address. Depending on your firewall configuration (if any), you may need to allow UDP 5553 (e.g. on your Guest network).
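The conversion Simon_L describes is the IPv4-mapped IPv6 form (`::ffff:a.b.c.d`, i.e. the IPv4 address in the low 32 bits with `ffff` in the group above it). The script below is an added example, not code from the thread or from NextDNS: it derives that address for a gateway, round-trips it back to IPv4, and then checks a client's resolver list (a constructed `/etc/resolv.conf` sample, with `2001:db8::53` standing in for any external resolver) to show which entries still point at the gateway, which is the thing to verify after a lease renewal. It assumes only the Python standard library.

```python
import ipaddress
from typing import Dict, Optional

# IPv4-mapped IPv6 addresses live in ::ffff:0:0/96; the IPv4 address
# occupies the low 32 bits, so the mapping is a simple bit shift.
MAPPED_PREFIX = 0xFFFF << 32


def ipv4_mapped(ipv4: str) -> ipaddress.IPv6Address:
    """Return the IPv4-mapped IPv6 address for an IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(MAPPED_PREFIX | int(v4))


def group_notation(addr: ipaddress.IPv6Address) -> str:
    """Render as eight hex groups without leading zeros (0:0:0:0:0:ffff:c0a8:a01),
    the form used in the post above for the UniFi DHCPv6 name server field."""
    return ":".join(f"{int(group, 16):x}" for group in addr.exploded.split(":"))


def mapped_to_ipv4(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Reverse the mapping; None if the address is not IPv4-mapped."""
    v4 = addr.ipv4_mapped
    return str(v4) if v4 is not None else None


def classify_resolvers(resolv_conf: str, gateway_ipv4: str) -> Dict[str, str]:
    """Map each 'nameserver' entry to 'gateway' (plain IPv4 gateway or its
    IPv4-mapped IPv6 form, i.e. queries go to the local NextDNS app) or
    'other' (queries go straight out, which is the unencrypted path)."""
    gateway = ipaddress.IPv4Address(gateway_ipv4)
    result: Dict[str, str] = {}
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        addr = ipaddress.ip_address(parts[1])
        if isinstance(addr, ipaddress.IPv4Address):
            hits_gateway = addr == gateway
        else:
            hits_gateway = addr.ipv4_mapped == gateway
        result[parts[1]] = "gateway" if hits_gateway else "other"
    return result


# Constructed sample resolver file; 2001:db8::53 is a documentation-range
# placeholder for any resolver that is not the gateway.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 0:0:0:0:0:ffff:c0a8:a01
nameserver 192.168.10.1
nameserver 2001:db8::53
search lan
"""

if __name__ == "__main__":
    mapped = ipv4_mapped("192.168.10.1")
    print("DHCPv6 name server value:", group_notation(mapped))
    print("round trip:", mapped_to_ipv4(mapped))
    for ns, where in classify_resolvers(SAMPLE_RESOLV_CONF, "192.168.10.1").items():
        print(f"{ns:32} -> {where}")
```

Run it with the real gateway address and paste the client's resolver file in place of the sample; any entry classified as `other` is a client that is still bypassing the local NextDNS service, regardless of what the controller shows.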

      • boosting1bar
      • 3 yrs ago

      Simon L, I'm clearly still missing something. This explanation made a lot of sense and I went through and changed my settings, but even with the appropriate IPv6 equivalent address in the manual DNS I'm still not getting encrypted queries sent.

      • Simon_L
      • 3 yrs ago

      Brandon W, did you have your clients renew their DHCP lease (which should fetch the new resolver address)?

      • boosting1bar
      • 3 yrs ago

      Simon L, I did; tried on a few different devices with reboots first, then forced renewals. Tried on Windows, macOS, and Cent, and all of them still pass through the queries unencrypted. I know it's something simple I've buggered up, but I'll be damned if I can find what it is!

      In the IPv4 section under my local network settings I've actually just left the DNS setting on auto, and it properly goes through the client and sends all queries encrypted. For kicks I tried setting the IPv6 to auto and it just sends them through Cloudflare (I leave 1.1.1.1 in the WAN setting area in case the client breaks or NextDNS goes down).

      • Simon_L
      • 3 yrs ago

      Brandon W, that's weird, even though your resolver addresses are up to date? E.g. in `/etc/resolv.conf`.

      Yeah, the IPv4 `auto` setting defaults to the gateway address.

      • mlapida
      • 3 yrs ago

      Simon L, this is a fantastic solution! Thanks for sharing.
