# Unbound and IPV6



## Brian546 (Nov 16, 2020)

This is really not that important because at this rate I'll be dead before IPV6 really takes off. Anyway, for years we've had an unbound caching DNS server working flawlessly for our network. I thought maybe it would be worth future proofing it and running it on IPV6 as well. 

Maybe this is more of a general IPV6 question than an Unbound question: For those interfaces on your DNS server that only face the LAN what type of IPV6 address do you have the listen on? The interfaces facing my LANs don't have to go out to the internet, they just have to service DNS for my lan clients, while the  interface facing the internet though obviously will need a global unicast address. Those who have set up unbound in IPV6, do you have the interfaces on your lan side listening on just their link local address? Their global unicast address? Or both? I tried searching for a couple hours to find the best practice on this but couldn't really find a straight answer. 

Thank you in advance!


----------



## obsigna (Nov 17, 2020)

For LAN only, you want to assign IPv6 addresses from the special Unique Local Address block. Here I set up unbound as a recursive caching resolver on the gateway (FreeBSD 12.2-RELEASE) into the internet for all the clients in the LAN. And therefore unbound listens on the IPv4/6 link local addresses and on the IPv4/6 LAN addresses, but not on the WAN address of the gateway. Here I use the upper half (_fd00::/8_) of the ULA space. There is yet plenty of choice and RFC4193 has some guidelines on using a pseudorandom number generator. If you got a cat, then save yourself from reading all this stuff and instead let it run a sufficient number of times over the numeric keypad until you got a decimal number with 38 digits, then make a dec to hex conversion, and put ‚fd‘ in front of it 

My firewall on the gateway does not allow IPv6 connections to/from anything outside the LAN.


----------



## SirDice (Nov 18, 2020)

You can get a free IPv6 tunnelbroker from HE, that will give you a proper, global, /64 or /48 prefix you can use: https://tunnelbroker.net/

My Cable ISP does support IPv6 but not if you put their modem/router in bridge mode. As I want to do my own NAT, routing and such I'm more or less forced to use a tunnelbroker. Has been working quite well for at least a decade or so.


----------



## obsigna (Nov 18, 2020)

SirDice said:


> You can get a free IPv6 tunnelbroker from HE, that will give you a proper, global, /64 or /48 prefix you can use: https://tunnelbroker.net/
> 
> My Cable ISP does support IPv6 but not if you put their modem/router in bridge mode. As I want to do my own NAT, routing and such I'm more or less forced to use a tunnelbroker. Has been working quite well for at least a decade or so.


Are you responding to my note that my firewall does not allow IPv6 traffic? This is not a technical issue, I simply don't want IPv6 to/from the WAN, and I adjusted the firewall accordingly.


----------



## SirDice (Nov 18, 2020)

obsigna said:


> Are you responding to my note that my firewall does not allow IPv6 traffic? This is not a technical issue, I simply don't want IPv6 to/from the WAN, and I adjusted the firewall accordingly.


No, it's a possible solution for the original question. Setting up a IPv6 tunnelbroker and using your own global IPv6 range. It appears as Brian546 doesn't have IPv6 at all judging by the questions. It's rather pointless to run a IPv6 network locally if you don't have the IPv6 capability to talk to the outside world.


----------

