IPv6 DNS and DNS Hijacking
I do IT Security work and have a test lab at home. I recently upgraded to AT&T Gigapower 100 Mbps from AT&T Uverse vDSL 18 Mbps. When we were on vDSL, everything in my network ran fine. All of the clients got their DNS from the DHCP server and pool. When IPv6 was turned on, the AT&T router would provide RAs with the O-bit set, and my Stateless DHCPv6 server (RFC 3736: http://tools.ietf.org/html/rfc3736) would provide the DNS server addresses and DNS search names for the internal hosts.
Now that we're on the upgraded Gigapower, and have new equipment, the O-bit is set, but the router is appending additional headers to the RA packet, including itself as a DNS server.
I need to disable that, OR tell the router to send my internal DNS servers as the DNS servers instead. I don't see this option in the 5268AC router.
How do I use my own internal DNS servers for IPv6?
Also, how do I get AT&T to disable DNS hijacking?
$ dig thisshouldnotresolve.fu @192.168.1.254
; <<>> DiG 9.10.3-P4-Ubuntu <<>> thisshouldnotresolve.fu @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10986
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;thisshouldnotresolve.fu. IN A
;; ANSWER SECTION:
thisshouldnotresolve.fu. 10 IN A 18.104.22.168
thisshouldnotresolve.fu. 10 IN A 22.214.171.124
I *should* be getting NXDOMAIN. AT&T keeps redirecting me to ConnectTech to pay to fix my Windows 10 install, so that's been fruitless, since it's 100% in their network and config, as far as my tcpdumps tell me. Any assistance anyone can provide would be great.
PS: For those wondering what DNS hijacking is, see: https://www.wired.com/story/what-is-dns-hijacking/ and https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs - it's a security problem.
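The dig test in the post (a name that cannot exist coming back NOERROR with A records instead of NXDOMAIN) can be turned into a repeatable check. The following is an added example, not code from the original post or from any AT&T or dig project: it builds a raw A query for a random label under a non-existent TLD with only the Python standard library, parses the wire-format response (including name-compression pointers), and classifies the resolver as "clean" (NXDOMAIN), "hijacked" (NOERROR with synthesized answers) or "unexpected". The helper `build_response` is an assumption used only to construct an offline sample shaped like the post's dig output; `check_resolver` does the live query when you point it at a resolver such as 192.168.1.254.

```python
import os
import socket
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted hostname into DNS wire (label) format."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid):
    """Build a standard recursive A query (QTYPE 1, QCLASS IN) with RD set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_response(qid, name, rcode, addrs, ttl=10):
    """Constructed sample only: the answer an interposing resolver would send.
    Sets QR/RD/RA plus the given RCODE and one A record per address."""
    flags = 0x8180 | (rcode & 0x0F)
    header = struct.pack(">HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    answers = b""
    for addr in addrs:
        # 0xC00C = compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answers


def read_name(data, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return the transaction id, RCODE and any A-record addresses in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"id": qid, "rcode": flags & 0x0F, "answers": answers}


def classify(parsed):
    """A clean resolver says NXDOMAIN for a name that cannot exist;
    an NXDOMAIN-hijacking resolver answers NOERROR with its own A records."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "clean"
    if parsed["rcode"] == RCODE_NOERROR and parsed["answers"]:
        return "hijacked"
    return "unexpected"


def check_resolver(server, timeout=3.0):
    """Live check: query a random label under a TLD that does not exist and classify the reply."""
    name = "nx-" + os.urandom(6).hex() + ".fu"  # same non-existent TLD as the post's dig test
    qid = struct.unpack(">H", os.urandom(2))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != qid:
        return "unexpected"  # reply does not match our transaction id
    return classify(parsed)


if __name__ == "__main__":
    # Offline demo shaped like the post's dig output (constructed sample, not a real capture)
    sample = build_response(10986, "thisshouldnotresolve.fu", RCODE_NOERROR,
                            ["18.104.22.168", "22.214.171.124"])
    print(classify(parse_response(sample)))  # hijacked
```

Run it against the router (`check_resolver("192.168.1.254")`) and against a resolver you trust; a "hijacked" verdict for the router alone points at the CPE or the ISP's resolver, which is the evidence tcpdump already gave in the post.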