Pi-hole, FRITZ!Box & IPv6


I'm using a FRITZ!Box 3490, but it should work with all (modern) FRITZ!Box variants. All the FRITZ!Box settings are noted in German; I may update this later with the correct English setting names.

This is how it is configured: the Pi-hole is the primary DNS server, and the FRITZ!Box is both the upstream DNS server and the DHCP server. New DNS requests go to the Pi-hole and, if not blocked, are forwarded to the FRITZ!Box, which itself forwards them (if the name is not an internal client) to Quad9. The Pi-hole also has some local DNS and CNAME records, which get priority over the FRITZ!Box.

IPv6 is enabled in the FRITZ!Box. The Pi-hole has a static IP-address.

Go to Heimnetz - Netzwerk - Netzwerkeinstellungen. At IP-Adressen click the IPv4-Einstellungen button and add the Pi-hole IPv4 address as the Lokaler DNS-Server address. DHCP-Server aktivieren must be set to true.

Go to Heimnetz - Netzwerk - Netzwerkeinstellungen. At IP-Adressen click the IPv6-Einstellungen button. Set Router Advertisement im LAN aktiv to true, and set it to Unique Local Addresses (ULA) immer zuweisen. I set the prefix to fd00::/64. You may want to restart your FRITZ!Box and the Pi-hole now, to make sure they get a new IPv6 address with the correct ULA-Präfix.

On the same page, set DNSv6-Server auch über Router Advertisement bekanntgeben (RFC 5006) to true, and add the Pi-hole IPv6 address as your Lokaler DNSv6-Server. Use the IPv6 address that starts with the ULA-Präfix, in my case the address that starts with fd00.
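Added example, not from the original post: a Python helper to run on the Pi-hole that picks, from `ip -6 -o addr show` output, the address to enter as Lokaler DNSv6-Server. It keeps only addresses inside the ULA prefix and skips temporary (privacy) addresses, which rotate over time. The sample output, interface name and addresses are constructed; fd00::/64 is the prefix used in this setup.

```python
import ipaddress
import subprocess

# ULA prefix configured in the FRITZ!Box IPv6 settings (from this setup).
ULA_PREFIX = ipaddress.ip_network("fd00::/64")

# Constructed sample of `ip -6 -o addr show` output (not from a real host).
SAMPLE = """\
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2:ba27:ebff:fe12:3456/64 scope global dynamic mngtmpaddr \\       valid_lft 7000sec preferred_lft 3400sec
2: eth0    inet6 fd00::5c1a:77ff:fe00:1/64 scope global temporary dynamic \\       valid_lft 7000sec preferred_lft 3400sec
2: eth0    inet6 fd00::ba27:ebff:fe12:3456/64 scope global dynamic mngtmpaddr \\       valid_lft 7000sec preferred_lft 3400sec
2: eth0    inet6 fd00:1::10/64 scope global \\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::ba27:ebff:fe12:3456/64 scope link \\       valid_lft forever preferred_lft forever
"""

# Address states that must not be handed out as a DNS server address.
UNSTABLE_FLAGS = {"temporary", "deprecated", "tentative"}


def stable_ula_addresses(ip_output, prefix=ULA_PREFIX):
    """Return addresses inside `prefix` that are not temporary or deprecated."""
    found = []
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet6" not in fields:
            continue
        pos = fields.index("inet6")
        iface = ipaddress.ip_interface(fields[pos + 1])
        flags = set(fields[pos + 2:])
        # Real prefix match: "fd00:1::10" starts with "fd00" as text,
        # but is not inside fd00::/64 and is rejected here.
        if iface.ip not in prefix:
            continue
        if flags & UNSTABLE_FLAGS:
            continue
        found.append(str(iface.ip))
    return found


def live_output():
    """Read the current addresses on the host this runs on (needs iproute2)."""
    cmd = ["ip", "-6", "-o", "addr", "show"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(stable_ula_addresses(SAMPLE))  # swap SAMPLE for live_output() on the Pi-hole
```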

On the same page, at Unique Local Address Ihrer FRITZ!Box you can find the IPv6 of your FRITZ!Box (or use ping fritz.box -6 from your Pi-hole).

The IPv6 address of your FRITZ!Box must be added in your Pi-hole under Settings - DNS - Upstream DNS Servers as Custom 3 (IPv6). Also add the IPv4 of your FRITZ!Box as Custom 1 (IPv4) - this should be but you can also use ping fritz.box -4 to find it. All other Upstream DNS Servers must be disabled. At Advanced DNS Settings, both Never forward non-FQDN A and AAAA queries and Never forward reverse lookups for private IP ranges must be disabled, and Use Conditional Forwarding must be enabled, with the Local network in CIDR notation set to (or whatever your range is) and IP address of your DHCP server (router) must be set to - all those settings are needed for Pi-hole to get the client names (otherwise, the logs would only show the IP address).
