Avatar of MNESupport
MNESupport
 asked on

To Disable IPV6 or Not

We recently had a security audit in our environment. One of the findings was that we do not have IPV6 configured on our dhcp server but ipv6 is still enabled. This could be an issue with the MITM6 exploit.  It was recommended to either disable IPV6 all together OR to configure DHCP and DNS servers to be able to handle IPv6 so that a rogue DNS server couldn't take over endpoint settings. Im finding alot of conflicting articles about disabling it or not. Does anyone have any experience good or bad for either option? I know Microsoft is strongly against disabling it. 

DHCPDNS* IPv6* IPv4Security

Avatar of undefined
Last Comment
MNESupport

8/22/2022 - Mon
Paul MacDonald

IPv6 is the future, but not every network needs it or needs it right now.  If you don't have the time or inclination to support it, turn it off for the time being.  You can always turn it on again when you're ready or it becomes manditory.

Dr. Klahn

I agree with Paul's comment above.  IPv6 is not at this time needed for a private LAN behind a firewall.  IPv4 is much easier to manage and the knowledge of how to do so is widespread, which cant be said about IPv6.
DEMAN-BARCELO (MVP) Thierry

Microsoft tests all its software with IPv6 enabled.
But, it is not a requirement for any MS software except DirectAccess.

When configuring AD and Exchange, I have seen many problems corrected by disabling IPv6, and very rarely some repaired by activating IPv6.

The rule should be: if IPv6 is disabled on Domain controllers, you should disable it on other servers.
If IPv6 is enabled on Domain controllers, you CAN let it and use it on servers.

Now, configuring DHCPv6 does not help. IPv6 works well without DHCP.
If you configure DHCPv6, Dhcp clients will have a IPv6 given by DHCP and another IPv6 obtained by default. It is simply a little more complicated to manage. So, I don't advice to do so.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
MNESupport

ASKER
Thank you all for the additional insight. I think we are leaning toward disabling IPv6
ASKER CERTIFIED SOLUTION
MNESupport

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question