
I set up an opnsense firewall that runs a DHCP server for IPv4 assignment in my LAN. Furthermore, as my ISP provides me with IPv6 too, my LAN clients also configure a SLAAC address with IPv6 prefix delegation. This works fine, too.

Now I am running some servers in my LAN, for example Proxmox. Of course the servers have fixed IP addresses, but I still want to be able to address them by their name.

In the DNS service of the firewall, I can add manual static entries. For example, for my Proxmox host, my IPv4 static entry looks like this:

pve0 A 192.168.1.10

Now I would like pve0 to also resolve to an IPv6 address, so each client can choose on its own which protocol to use. I can make a static IPv6 address, too, but I am unsure which one to use. Should I use the link-local address, or the one with the delegated prefix? For example

pve0 AAAA fe80::3eec:efff:fea1:1515

or should I use (redacted some bits of the address)

pve0 AAAA 2a00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:6f8d

Which is the clean and correct way to do it? And one bonus question, since I see that lots of people are struggling with this: how can I achieve name resolution in the LAN also for dynamically allocated IPv6 addresses? For IPv4 it works, as DHCP automatically adds a DNS entry, but obviously for IPv6 SLAAC addresses this is not possible. But still, I noticed that some Windows 10 clients actually are able to resolve each other's names, so in some way it must be possible, but I don't understand how.

  • If I'm not wrong you need to use the address with the delegated prefix (pve0 AAAA 2a00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:6f8d) because the other one is only valid on the local link (interface). They cannot be routed or used by clients on different subnets. Commented Jun 8 at 11:43
  • Good, what do I do if the delegated prefix changes? Obviously one does not want to manually update the DNS records. Commented Jun 8 at 15:46

1 Answer

fe80: addresses are link-local – they are meaningless without additional information, that is, the interface (link) through which they should be contacted. (You might've seen it written as fe80::abc%eth0.) Because of this, they cannot be used in DNS. (They still work with mDNS as the multicast responses themselves are inherently local to a given link, but not with regular unicast DNS.)

Basically, treat fe80: link-local addresses as merely part of the underlying IP infrastructure (i.e. just something for SLAAC/DHCP/mDNS/OSPF to send packets through) and not as an actual user-facing address.

2xxx: addresses are global and suitable for use in DNS. But the delegated prefix has been issued by your ISP to your router through a DHCPv6 lease (with a few exceptions), so the stability of the prefix depends on the particular ISP. If you know that your prefix delegation lease is stable, you can use the addresses in DNS.

However, avoid addresses flagged temporary as they're temporary, i.e. the host will keep generating new suffixes under the same prefix. There will always be at least one "stable" address that you should use in DNS – it will sometimes have an mngtmpaddr flag or no flags.

If the prefix delegation from the ISP is not stable, configure your router to have an additional "private" prefix that is stable. The fdXX: addresses – "unique local addresses" (ULA) – are roughly the IPv6 equivalent of 192.168/16, except you are supposed to generate the /64 prefix randomly instead of taking the "easy" all-zeros path. Much like 192.168, these are suitable for use in internal DNS – and much like 192.168 they make no sense in public DNS, but at least they're guaranteed to be stable.

  • Thanks. Indeed, I set up ULAs on my opnsense that are now advertised additionally to the prefix from the ISP, and my LAN hosts get a 2xxx: address as well as an fdde: address (I used the ULA generator unique-local-ipv6.com). And now I entered the ULAs of my LAN hosts into DNS. They configure themselves via SLAAC, but I think the SLAAC suffix should be stable as it depends on the MAC, and the prefix comes from the opnsense, so it should be stable as well, so I have static internal IPv6 addresses for my SAMBA, NEXTCLOUD, GIT and whatnot servers. Commented Jun 10 at 5:51
  • Yes, the SLAAC suffix of the primary address can depend either on the MAC (if you see 'ff:fe' in the middle) or on some other identifier like "hash(prefix + /etc/machine-id)" or "hash(prefix + /etc/dhcpcd.duid)", but either way it should be stable. But the point was that many hosts configure multiple SLAAC addresses within each prefix – one suffix stable, others not so much. Commented Jun 10 at 6:14
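The rules from the answer and its comments (skip fe80: link-local, skip addresses flagged temporary, use the ULA when the ISP prefix is not stable, and the 'ff:fe' test for a MAC-derived suffix) can be checked mechanically against what a host actually has configured. The following is an added example and not code from the original post or from OPNsense; it parses a constructed `ip -6 addr show` snippet (using the 2001:db8::/32 documentation prefix and a made-up fdde: ULA), classifies each address, emits the AAAA records that belong in internal DNS, and generates an RFC 4193 ULA /64 with a random 40-bit Global ID instead of the all-zeros one.

```python
"""Classify a host's IPv6 addresses, pick the ones that belong in internal DNS,
and generate an RFC 4193 ULA prefix.  Added example; the sample `ip -6 addr`
output below is constructed, not taken from the original post."""
import ipaddress
import re
import secrets
from dataclasses import dataclass

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")          # fdXX: is the locally-assigned half
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed sample: one stable + one temporary address per prefix, plus link-local.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2:3eec:efff:fea1:1515/64 scope global dynamic mngtmpaddr
       valid_lft 86126sec preferred_lft 14126sec
    inet6 2001:db8:1:2:7d3a:90c1:4e2b:6f8d/64 scope global temporary dynamic
       valid_lft 86126sec preferred_lft 14126sec
    inet6 fdde:1234:5678:1:3eec:efff:fea1:1515/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fdde:1234:5678:1:a1b2:c3d4:e5f6:708/64 scope global temporary dynamic
       valid_lft 86126sec preferred_lft 14126sec
    inet6 fe80::3eec:efff:fea1:1515/64 scope link
       valid_lft forever preferred_lft forever
"""


@dataclass
class Inet6Entry:
    addr: ipaddress.IPv6Address
    flags: frozenset

    @property
    def kind(self) -> str:
        if self.addr in LINK_LOCAL:
            return "link-local"
        if self.addr in ULA:
            return "ula"
        if self.addr in GLOBAL_UNICAST:
            return "global"
        return "other"

    @property
    def temporary(self) -> bool:
        return "temporary" in self.flags

    @property
    def eui64_mac(self):
        """MAC the interface ID was derived from if it is modified EUI-64
        (the 'ff:fe' in the middle of the suffix), otherwise None."""
        iid = self.addr.packed[8:]
        if iid[3:5] != b"\xff\xfe":
            return None
        octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
        return ":".join(f"{b:02x}" for b in octets)


_INET6 = re.compile(r"^\s*inet6 (\S+)/\d+ scope (\S+)(.*)$")


def parse_ip_addr(text: str):
    entries = []
    for line in text.splitlines():
        m = _INET6.match(line)
        if not m:
            continue
        addr, scope, rest = m.groups()
        entries.append(Inet6Entry(ipaddress.IPv6Address(addr), frozenset([scope, *rest.split()])))
    return entries


def dns_candidates(entries, isp_prefix_stable=False):
    """Addresses fit for an internal AAAA record: never link-local, never
    'temporary'; global ones only when the delegated prefix is known stable."""
    wanted = {"ula"} | ({"global"} if isp_prefix_stable else set())
    return [e.addr for e in entries if e.kind in wanted and not e.temporary]


def aaaa_records(name, entries, **kw):
    return [f"{name} AAAA {a}" for a in dns_candidates(entries, **kw)]


def generate_ula_prefix(subnet_id=1):
    """RFC 4193: fd00::/8 + random 40-bit Global ID + 16-bit Subnet ID -> a /64."""
    global_id = secrets.randbits(40)
    bits = (0xFD << 120) | (global_id << 80) | ((subnet_id & 0xFFFF) << 64)
    return ipaddress.IPv6Network((bits, 64))


if __name__ == "__main__":
    entries = parse_ip_addr(SAMPLE_IP_ADDR)
    for e in entries:
        print(f"{str(e.addr):42} {e.kind:10} temporary={e.temporary} mac={e.eui64_mac}")
    print(aaaa_records("pve0", entries))                          # ULA only
    print(aaaa_records("pve0", entries, isp_prefix_stable=True))  # global + ULA
    print(generate_ula_prefix())
```

With the sample above, only the `mngtmpaddr` fdde: address is proposed for DNS by default; passing `isp_prefix_stable=True` adds the stable 2001:db8: address as well, and the two `temporary` addresses and the fe80: one are never offered. The EUI-64 check recovers 3c:ec:ef:a1:15:15 from the stable suffix, which is the hint that its interface ID will survive a reboot.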
