Problem: reply comes from another address, or times out


After reading a few guides on how to set up Pi-hole with docker and IPv6, I tried to do it in my own network. First of all, my ISP gives me a prefix delegation, and that delegated prefix is then used to hand out addresses to the rest of the network via router advertisements (RA). The prefix is not static but rotates every few days.

ULA setup

I am using a Ubiquiti UDM-Pro and have added a ULA prefix to the br0 interface as follows,

ip address add fd79:71d8:a0b7::1/64 dev br0

After this, all of my IPv6-capable devices immediately got a ULA address with that prefix assigned.

Docker configuration

To get docker working I had to explicitly enable IPv6 and provide a CIDR range. For this I created a daemon.json file in /etc/docker with the following content,

{
  "ipv6": true,
  "fixed-cidr-v6": "fd79:71d8:a0b7::/80"
}

I then added the following ip6tables rule to the NAT table,

sudo ip6tables -t nat -A POSTROUTING -s fd79:71d8:a0b7::/80 ! -o docker0 -j MASQUERADE

This allows the docker0 interface to receive IPv6 traffic. Of course, since these changes do not survive a reboot, I also installed the iptables-persistent package, whose netfilter-persistent service keeps these changes across reboots.

I checked that IPv6 connectivity can be established with the following:

$ docker run --rm -t busybox ping6 -c 4 google.com
PING google.com (2a00:1450:4017:811::200e): 56 data bytes
64 bytes from 2a00:1450:4017:811::200e: seq=0 ttl=56 time=62.514 ms
64 bytes from 2a00:1450:4017:811::200e: seq=1 ttl=56 time=61.256 ms
64 bytes from 2a00:1450:4017:811::200e: seq=2 ttl=56 time=61.503 ms
64 bytes from 2a00:1450:4017:811::200e: seq=3 ttl=56 time=61.850 ms

--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 61.256/61.780/62.514 ms

Pi-hole configuration

The pihole configuration is fairly simple; I use the following yaml, saved as pihole.yaml, with docker-compose,

version: "3.8"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      # dns ports
      - "53:53/tcp"
      - "53:53/udp"
      # ports for http interface
      - "19080:80/tcp"
      - "19443:443/tcp"
    environment:
      # redacted full address
      FTLCONF_LOCAL_IPV4: 10.10.x.25
      # redacted full address
      FTLCONF_LOCAL_IPV6: fd79:71d8:a0b7:0:...:ae38
    # IPs of your DNS entries
    dns:
      # this is for resolved conf, assuming you have ubuntu and disabled it
      - 127.0.0.1
      # proper DNS entries follow
      - 1.1.1.1
      - 1.0.0.1
      - 2606:4700:4700::1111
      - 2606:4700:4700::1001
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

I start it with docker-compose -f pihole.yaml up.

Problem: reply comes from another address, or times out

The problem is that I cannot use it from other machines. On the machine where the docker image is running, I can use dig without any problem. For example, if I type the command on the host, I get the following:

$ dig @fd79:71d8:a0b7:0:...:ae38 -p 53 google.com AAAA

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> @fd79:71d8:a0b7:0:...:ae38 -p 53 google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60684
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  AAAA

;; ANSWER SECTION:
google.com.     83  IN  AAAA    2a00:1450:4017:805::200e

;; Query time: 8 msec
;; SERVER: fd79:71d8:a0b7:0:...:ae38#53(fd79:71d8:a0b7:0:...:ae38) (UDP)
;; WHEN: Mon May 15 01:44:42 EEST 2023
;; MSG SIZE  rcvd: 67

However, when I then type this command on another Linux-based machine, the command simply times out, i.e.,

dig -6 @fd79:71d8:a0b7:0:...:ae38 -p 53 google.com
;; communications error to fd79:71d8:a0b7:0:...:ae38#53: timed out
;; communications error to fd79:71d8:a0b7:0:...:ae38#53: timed out
;; communications error to fd79:71d8:a0b7:0:...:ae38#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> -6 @fd79:71d8:a0b7:0:...:ae38 -p 53 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

To investigate, I tried to see whether the address was being blocked or something similar, but netcat shows the port is open for business,

nc -z fd79:71d8:a0b7:0:...:ae38 53 -v

Connection to fd79:71d8:a0b7:0:...:ae38 53 port [tcp/domain] succeeded!

After further investigation, it seems that using dig from macOS gives more information. The connection itself does not seem to time out, but the reply comes from a different address.

The output of dig on macOS is as follows, using the same address as before,

$ dig -6 @fd79:71d8:a0b7:0:...:ae38 google.com
;; reply from unexpected source: fd79:71d8:a0b7::60b#53, expected fd79:71d8:a0b7:0:...:ae38#53
;; reply from unexpected source: fd79:71d8:a0b7::60b#53, expected fd79:71d8:a0b7:0:...:ae38#53
; <<>> DiG 9.10.6 <<>> -6 @fd79:71d8:a0b7:0:5043:6018:fb4f:ae38 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Using the address that supposedly provides the answer works as expected,

dig -6 @fd79:71d8:a0b7::60b google.com
; <<>> DiG 9.10.6 <<>> -6 @fd79:71d8:a0b7::60b google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9440
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  A
;; ANSWER SECTION:
google.com.     156 IN  A   172.217.17.142
;; Query time: 22 msec
;; SERVER: fd79:71d8:a0b7::60b#53(fd79:71d8:a0b7::60b)
;; WHEN: Mon May 15 01:51:58 EEST 2023
;; MSG SIZE rcvd: 55

Looking at the interface IPs with ip -6 addr show dev enp9s0f1 reveals the following:

5: enp9s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether b4:xx:xx:xx:xx:a6 brd ff:ff:ff:ff:ff:ff
    inet 10.10.x.25/24 brd 10.10.x.255 scope global dynamic noprefixroute enp9s0f1
       valid_lft 83538sec preferred_lft 83538sec
    inet6 2a02:587:<redacted>/128 scope global dynamic noprefixroute 
       valid_lft 83539sec preferred_lft 83539sec
    inet6 fd79:71d8:a0b7::60b/128 scope global dynamic noprefixroute 
       valid_lft 83539sec preferred_lft 83539sec
    inet6 2a02:587:<redacted>/64 scope global dynamic noprefixroute 
       valid_lft 73590sec preferred_lft 73590sec
    inet6 fd79:71d8:a0b7:0:...:ae38/64 scope global dynamic noprefixroute 
       valid_lft 86138sec preferred_lft 86138sec
    inet6 fe80::1ea:<redacted>:eb62/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Why does the reply come from another address? I have disabled RFC4941, which uses a different address as the outbound address, as can be seen here,

$ nmcli con show "Wired connection 4" | grep ipv6.ip
ipv6.ip6-privacy:                       0 (disabled)

The IPv6 routes are as follows:

$ ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
2a02:587:...::60b dev enp9s0f1 proto kernel metric 100 pref medium
2a02:587:...::/64 dev enp9s0f1 proto ra metric 100 pref medium
fd79:71d8:a0b7::60b dev enp9s0f1 proto kernel metric 100 pref medium
fd79:71d8:a0b7::/80 dev docker0 proto kernel metric 256 linkdown pref medium
fd79:71d8:a0b7::/80 dev docker0 metric 1024 linkdown pref medium
fd79:71d8:a0b7::/64 dev enp9s0f1 proto ra metric 100 pref medium
fe80::/64 dev docker0 proto kernel metric 256 linkdown pref medium
fe80::/64 dev br-5c9052b3a88b proto kernel metric 256 pref medium
fe80::/64 dev br-ba2b20fe7aa1 proto kernel metric 256 pref medium
fe80::/64 dev veth3fb9416 proto kernel metric 256 pref medium
fe80::/64 dev veth7a050e3 proto kernel metric 256 pref medium
fe80::/64 dev vethe299802 proto kernel metric 256 pref medium
fe80::/64 dev veth5110238 proto kernel metric 256 pref medium
fe80::/64 dev cali7ffb27b031d proto kernel metric 256 pref medium
fe80::/64 dev calib5cff4a4a14 proto kernel metric 256 pref medium
fe80::/64 dev cali6b881403436 proto kernel metric 256 pref medium
fe80::/64 dev calib1a2ba7ef9f proto kernel metric 256 pref medium
fe80::/64 dev cali20c73fad203 proto kernel metric 256 pref medium
fe80::/64 dev calib05d5a88d5c proto kernel metric 256 pref medium
fe80::/64 dev vxlan.calico proto kernel metric 256 pref medium
fe80::/64 dev enp9s0f1 proto kernel metric 1024 pref medium
default via fe80::...:62b3 dev enp9s0f1 proto ra metric 100 pref high

Can anyone help me understand why this happens? I just don't understand why the response always comes from another address... I want to use a stable ULA address for my DNS server, since I cannot use the ISP-provided prefix, because it changes over time, nor the privacy addresses, since those change over time as well.
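One check worth running on a setup like the one above, as an added example that is not part of the original question: the route table and address list quoted in the question are embedded as constructed sample input (the redacted host address is the full one shown in the macOS dig output), and the script flags container prefixes that sit inside a LAN prefix on another interface, plus host addresses that fall inside the container subnet. The `ROUTE_RE`, `parse_routes`, `overlapping_prefixes` and `host_addrs_in_container_subnet` names are assumptions of this example.

```python
import ipaddress
import re

# Sample input constructed from the route table and address list quoted in the
# question; the redacted host address is the full one the macOS dig output shows.
ROUTES = """\
fd79:71d8:a0b7::60b dev enp9s0f1 proto kernel metric 100 pref medium
fd79:71d8:a0b7::/80 dev docker0 proto kernel metric 256 linkdown pref medium
fd79:71d8:a0b7::/64 dev enp9s0f1 proto ra metric 100 pref medium
fe80::/64 dev docker0 proto kernel metric 256 linkdown pref medium
fe80::/64 dev enp9s0f1 proto kernel metric 1024 pref medium
"""
HOST_ADDRS = ["fd79:71d8:a0b7::60b", "fd79:71d8:a0b7:0:5043:6018:fb4f:ae38"]

ROUTE_RE = re.compile(r"^(\S+) dev (\S+)")


def parse_routes(text):
    """Return (network, device) pairs; 'default via ...' lines do not match."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return routes


def overlapping_prefixes(routes, container_dev="docker0"):
    """Container prefixes that are a sub-range of a prefix routed to another device."""
    hits = []
    for net, dev in routes:
        if dev != container_dev or net.is_link_local:
            continue
        for other, odev in routes:
            if odev != dev and other.prefixlen < net.prefixlen and net.subnet_of(other):
                hits.append((str(net), str(other), odev))
    return hits


def host_addrs_in_container_subnet(routes, addrs, container_dev="docker0"):
    """Host addresses that fall inside a prefix routed to the container bridge."""
    nets = [n for n, d in routes if d == container_dev and not n.is_link_local]
    return [a for a in addrs if any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    for net, parent, dev in overlapping_prefixes(routes):
        print(f"{net} (docker0) lies inside {parent} on {dev}")
    for addr in host_addrs_in_container_subnet(routes, HOST_ADDRS):
        print(f"host address {addr} is inside the container subnet")
```

On the quoted data the docker /80 is reported as a sub-range of the LAN /64 on enp9s0f1, and the host's ::60b address falls inside the container subnet while the ...:ae38 address does not; feeding the script your own `ip -6 route show` output shows whether the same holds elsewhere.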
