Description
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Is your feature request related to a problem? Please describe.
For the purpose of fine-grained control over IPv6 network advertisements, I am missing a solution that will allow users to opt-out of the automatic IPv6 DNS (Option 23) announcement in Dnsmasq.
Currently, the Dnsmasq template (dnsmasq.conf) automatically appends dhcp-option=option6:23,[::] if no global IPv6 DNS is defined. While this is a helpful fallback for many, it can be problematic in specific network environments (e.g., preventing DNS leaks, managing complex multi-stack DNS resolution, or troubleshooting specific client-side behaviors) where the administrator explicitly wants no IPv6 DNS to be advertised via DHCPv6.
Describe the solution you like
I would like a toggle or a specific configuration pattern in the Services -> Dnsmasq DNS -> Settings (or DHCP Options) UI that prevents the template from generating the default option6:23,[::] entry.
Ideally, the template logic could be updated to recognize a "None" or "Disabled" state. For instance, if a specific flag is set, the following block in the template should be skipped:
```
{% if not has_default_v6 %}
dhcp-option=option6:23,[::]
{% endif %}
```
Describe alternatives you considered
One technical workaround I've come across (referenced in Dnsmasq mailing lists) is using a tag-based empty definition to suppress the option, such as: dhcp-option=tag:dnsv6,option6:23 (without providing an address).
However, a native checkbox in the OPNsense WebUI or allowing an "Empty/None" value in the DHCP Options list would be much more user-friendly and "the OPNsense way" to handle this.
Additional context
This request stems from the observation that the current template enforces a "fallback to self" policy for IPv6 DNS which cannot be easily overridden through the GUI without actually providing an alternative DNS address. Providing an option to "Suppress default IPv6 DNS" would align Dnsmasq's behavior with the flexibility found in other OPNsense services.
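A check an administrator could run over the generated dnsmasq.conf to confirm whether DHCPv6 option 23 is still being advertised, and in which form. This is an added example, not part of the original issue or of OPNsense's code. The sample config, the function names and the `self`/`explicit`/`empty` labels are assumptions; `dns-server` is dnsmasq's name for option6:23.

```python
import re

# Constructed sample of a generated dnsmasq.conf (not taken from a real system).
SAMPLE_CONF = """\
# constructed sample
dhcp-range=tag:lan,::1000,::2000,constructor:igb1,64,12h
dhcp-option=option:dns-server,192.0.2.1
dhcp-option=option6:23,[::]
dhcp-option=tag:guest,option6:dns-server,[2001:db8::53],[2001:db8::54]
dhcp-option=tag:dnsv6,option6:23
dhcp-option=option6:24,example.test
"""

# DHCPv6 option 23 may be written by number or by dnsmasq's option name.
DNS6_RE = re.compile(r"^option6:(23|dns-server)$", re.IGNORECASE)


def audit_v6_dns(conf_text):
    """Return one finding per dhcp-option line that sets DHCPv6 option 23."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() not in ("dhcp-option", "dhcp-option-force"):
            continue
        fields = [f.strip() for f in value.split(",")]
        tags = []
        while fields and fields[0].startswith("tag:"):  # leading tag: qualifiers
            tags.append(fields.pop(0)[4:])
        if not fields or not DNS6_RE.match(fields[0]):
            continue
        servers = [f.strip("[]") for f in fields[1:] if f]
        if not servers:
            kind = "empty"      # tag-based empty form the post mentions
        elif "::" in servers:
            kind = "self"       # [::] = address of the dnsmasq host itself
        else:
            kind = "explicit"   # administrator-supplied resolver addresses
        findings.append({"line": lineno, "tags": tags, "kind": kind,
                         "servers": servers})
    return findings


def advertises_self_by_default(conf_text):
    """True when an untagged option6:23,[::] line applies to every client."""
    return any(f["kind"] == "self" and not f["tags"]
               for f in audit_v6_dns(conf_text))
```
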