Ensuring a safe environment online for children is very important, the internet is absolutely full of people and websites that are either specifically intent on causing harm, or are at very least something you don’t want a child looking at.

Filtering the internet in your home is often very easy, most ISPs now provide filtered internet options. In most cases this is based on DNS and works by either not returning a DNS lookup result for blocked content, or returning the IP of a block page instead so the user is aware that they’ve been blocked from accessing it. In some cases it even blocks non-filtered DNS.

However, if you’re using IPv6 via a tunnel provider then most likely a lot of content is now getting through without you even realising it.

Double edged sword

Perhaps as little as 6 months ago, having IPv6 enabled on your network via a tunnel alongside a filtered IPv4 internet xDSL/cable connection was no problem. At best the occasional bit of Google, YouTube, or Facebook traffic from a regular user would end up going via IPv6, but the large majority was IPv4. Until relatively recently IPv6 was not widely used and the risk of a regular users traffic accidentally ending up in IPv6 land was low, the tunnel was likely setup so you could play! (I’m assuming as the reader of this blog that you’re the technical one!)

The problem is that IPv6 is beginning to really take off, with the release of iOS 9 and OS X El Capitan, IPv6 will be the default and those operating systems will use IPv6 first and IPv4 only if the former isn’t available. And this sort of switch is only happening now because IPv6 is fairly widespread, almost all major websites are now IPv6 enabled, and in particular adult content and similar is becoming IPv6 enabled, although the reasoning for this is unclear.

How do I filter IPv6?

So with your IPv6 tunnel up and running over your ISPs filtered IPv4 internet, how does one keep the family safe in this new world of hexadecimal wonderment? In the same way, filtered DNS.

Filtered IPv6 DNS however is not as widespread; neither OpenDNS, Dyn, or Norton provide filtered IPv6. In the case of OpenDNS an IPv6 option is available but it isn’t filtered, it’s just a regular recursive DNS server. So, what are the options?

After much searching I found only one option, Yandex. Who are Yandex you ask? They are the number one search engine in Russia, and a leading search engine in several eastern European countries.

Setting up filtered IPv6 DNS

To setup Yandex as your DNS server depends on your router and how your tunnel is setup. I am going to assume that your network is setup as the IPv6 gods intended with stateless auto-configuration, in which case all you should need to do is add the following to your DNS server configuration on the router.

  • Primary: 2a02:6b8::feed:a11
  • Secondary: 2a02:6b8:0:1::feed:a11

If you’re using DHCPv6 then you will need to configure the DHCP server to use those DNS servers for leases.

With that configured all the users on your network are going to be getting either filtered DNS from your ISPs filtered DNS, or your filtered IPv6 DNS through the IPv6 tunnel.

Also, Yandex do provide some other filtered options, such as just malware sites for example. To learn more about Yandex’s DNS services check out https://dns.yandex.com/advanced/.

One note, because Yandex is Russian the block pages are in Russian!

Not using a tunnel?

It may be the case that your ISP provides native IPv6, which is very very cool. But it is also potentially the case that whilst they provide IPv6 they do not provide filtered IPv6 DNS. If this is the case then the best option would be to turn off the ISP filtering and instead specify your own IPv4 and IPv6 filtered DNS.

Yandex do offer IPv4 as well as IPv6 if you’re looking for consistency. Or you could look at Norton DNS, OpenDNS Family Shield, or Dyn Internet Guide.

Setting up filtered IPv6 DNS on a Routerboard

To setup filtered IPv6 DNS on a Mikrotik Routerboard in a terminal paste the following command:

set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=1024 servers=2a02:6b8::feed:a11,2a02:6b8:0:1::feed:a11

So long as advertisement is enabled on the IPv6 prefixes setup in the router then these DNS servers will be advertised to clients on the local network to use. If not all the clients support obtaining DNS via advertisement then you will need to configure DHCPv6 as well.

If you want to setup IPv4 and IPv6 filtered DNS then configure your DHCPv4 server to set the router itself as the IPv4 DNS server and then paste the following command instead, again ensuring router advertisement is enabled for IPv6.

set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=1024 servers=,,2a02:6b8::feed:a11,2a02:6b8:0:1::feed:a11

Can I trust the Russians with my DNS?

This is a valid question, instead of wondering whether you can trust a Russian company with your DNS, ask whether you trust the people who currently handle your DNS and other internet traffic.

You are no doubt a user of Google at times, probably Facebook and Twitter, and you perhaps even use Google’s own DNS. Those organisations have a lot more to gain from your browsing behaviour than Yandex does, and even more compared to what the Russian state would do with that data if you worry they would monitor you.

Ultimately this is something only you can work out, Yandex like any company has a privacy policy, but like any company, how much you can trust them is another matter. Only you can decide.