Pi-hole’s IPv6 ad-blocking capabilities are often misunderstood, with many assuming it’s a simple on/off switch, when in reality, it’s a nuanced extension of its core DNS filtering that requires careful configuration to be truly effective.
Let’s see Pi-hole in action, blocking an IPv6-only ad server. Imagine a simple web page that tries to load an ad from doubleclick.net over IPv6.
Here’s a simplified tcpdump output from the Pi-hole itself, showing the DNS query and the subsequent block:
14:32:01.123456 IP6 2001:db8:abcd:1::1.54321 > 2001:db8:abcd:1::2.domain: 12345 [1au] AAAA? doubleclick.net.
14:32:01.654321 IP6 2001:db8:abcd:1::2.domain > 2001:db8:abcd:1::1.54321: 12345 0/1/0 (no answer)
The first line is a client (your device, 2001:db8:abcd:1::1) asking Pi-hole (2001:db8:abcd:1::2) for the IPv6 address (AAAA?) of doubleclick.net. The second line shows Pi-hole responding with an empty answer, signifying that the domain is blocked. If Pi-hole weren’t configured for IPv6 blocking, it would forward the query upstream and the client would receive an actual IPv6 address, displaying the ad.
The problem Pi-hole solves with IPv6 is that dual-stack networks, which use both IPv4 and IPv6, can bypass IPv4-only ad blockers. If an ad server only has an IPv6 address, and your Pi-hole is only configured to filter IPv4 DNS requests, traffic destined for that ad server will sail right through, unblocked.
Internally, Pi-hole treats IPv6 DNS requests just like IPv4 requests. When a client asks for an AAAA record (the IPv6 equivalent of an A record), Pi-hole checks its blocklists. If the requested domain is found in any of the lists, Pi-hole returns a "no such domain" response (an empty answer section in the DNS reply), effectively preventing the client from resolving the ad server’s IPv6 address. This is why the tcpdump output shows an empty answer.
The key levers you control are:
- Enabling IPv6 on Pi-hole: This is done during the initial installation by selecting "Yes" when prompted about enabling IPv6. If Pi-hole is already installed, you can reconfigure it by running
pihole -rand selecting "Reconfigure," then answering "Yes" to the IPv6 prompt. - DHCPv6 Server: If you want Pi-hole to hand out IPv6 addresses to your network clients and force them to use Pi-hole for DNS, you need to enable the DHCPv6 server. This is done in the Pi-hole web interface under "Settings" -> "DHCP" -> "Enable DHCPv6 server." Crucially, you also need to ensure your router is not also acting as a DHCPv6 server and providing its own DNS servers.
- Router Configuration: For clients to use Pi-hole for IPv6 DNS resolution, your router must be configured to advertise Pi-hole’s IPv6 address as the DNS server via RA (Router Advertisements) or DHCPv6. If your router is only advertising an IPv4 DNS server, clients will continue to use that for IPv4 traffic and may use other DNS servers (or their ISP’s DNS) for IPv6 traffic, bypassing Pi-hole.
The one thing most people don’t realize is that even if Pi-hole is listening for IPv6 DNS requests, your clients might not be sending them to Pi-hole if your router is configured to advertise a different IPv6 DNS server or if your network is set up in a way that doesn’t prioritize Pi-hole for IPv6 resolution. This often happens if you’ve manually configured a static IPv6 DNS server on your client devices instead of relying on DHCPv6 or RA.
Once your network is properly configured for IPv6 DNS forwarding, you’ll notice a significant reduction in ads on IPv6-only connections, bringing your dual-stack network closer to complete ad-blocking coverage.
The next hurdle is understanding how IPv6 privacy extensions can complicate tracking even when ads are blocked.