lost and found ( for me ? )

BIND : DNS64

[ What’s DNS64 and NAT64 ]

This technique enables a client that has only IPv6 addresses to reach IPv4 servers.

DNS64 : converts DNS replies from A to AAAA (address synthesis in the resolver)
NAT64 : translates packets from IPv6 to IPv4 (address translation on the wire)

IPv6 client  -------  BIND configured DNS64  ----------- DNS Auth
        |
        ----------NAT64  -----------------  IPv4 servers
             ( IP NAT )
<--- IPv6 -----------------> <--------- IPv4 ----------->

If you want to know more details about DNS64 and NAT64, please see the following PDFs.
http://www.viagenie.ca/publications/2010-06-03-terena-nat64.pdf
http://fud.no/talks/20110524-IPv6_Forum_Norway-Life_Without_IPv4.pdf

The DNS64 and NAT64 flow is:

The IPv6 client sends an AAAA query to the cache DNS (the BIND resolver).
The cache DNS sends the AAAA query to the auth DNS.
The auth DNS returns an empty answer (there are no AAAA records).
The cache DNS sends an A query to the auth DNS.
The auth DNS returns the A answer.
The cache DNS converts the A answer into an AAAA answer (DNS64) for the IPv6 client.
The cache DNS returns the DNS64 answer to the IPv6 client.
The IPv6 client accesses the IPv4 server via the NAT64 device.

[ How to configure DNS64 ]

DNS64 is implemented in BIND 9.8.

Here’s an example of how to configure DNS64 in BIND 9.8.0-P2

You can configure the dns64 options in the options statement or in a view statement.

options {
    dns64 64:FF9B::/96 {            // Pref64: the RFC 6052 well-known prefix
        clients { any; };           // clients that receive synthesized AAAA answers
        mapped { any; };            // IPv4 addresses allowed to be embedded; "any" also embeds
                                    // private ranges, which RFC 6052 does not allow under 64:ff9b::/96
        suffix ::;                  // bits after the embedded IPv4 address (none are left in a /96)
        recursive-only yes;         // synthesize only for recursive queries
        break-dnssec yes;           // synthesize even when the client set the DO bit; the
                                    // synthetic AAAA is unsigned, so a validating client rejects it
    };
};


before configuring DNS64
# dig @::1 www.amazon.co.jp aaaa

; <<>> DiG 9.8.0-P2 <<>> @::1 www.amazon.co.jp aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55804
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazon.co.jp.           IN   AAAA

;; AUTHORITY SECTION:
www.amazon.co.jp.    1       IN   SOA ns-911.amazon.com. dns.amazon.com. 1309754598 3600 900 7776000 60


after configuring DNS64
# dig @::1 www.amazon.co.jp aaaa

; <<>> DiG 9.8.0-P2 <<>> @::1 www.amazon.co.jp aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazon.co.jp.           IN   AAAA

;; ANSWER SECTION:
www.amazon.co.jp.    1       IN   AAAA 64:ff9b::cfab:b587

;; AUTHORITY SECTION:
www.amazon.co.jp.    3606    IN   NS   ns-912.amazon.com.
www.amazon.co.jp.    3606    IN   NS   ns-911.amazon.com.
www.amazon.co.jp.    3606    IN   NS   ns-921.amazon.com.
www.amazon.co.jp.    3606    IN   NS   ns-923.amazon.com.


64:ff9b:: is the DNS64 prefix (the /96 configured above).
cfab:b587 is 207.171.181.135 ( = the IPv4 address of www.amazon.co.jp ), as ipv6calc confirms:
# ipv6calc --quiet --action conv6to4 207.171.181.135 | awk -F: '{print $2,$3}'
cfab b587
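The following Python is an added example, not code from this post and not BIND's implementation: it performs the RFC 6052 embedding that the query flow above describes and the 64:ff9b::cfab:b587 decoding just shown, handles the other Pref64 lengths (/32 to /64) as well as /96, and refuses to embed non-global IPv4 addresses into the well-known prefix, which RFC 6052 forbids. The function names and SAMPLE_ZONE are constructed for the example; the Amazon address is the one from the dig output above.

```python
import ipaddress

# Added example (not from the post or BIND): RFC 6052 embedding as a DNS64 resolver
# does it, and the reverse mapping a NAT64 box applies on egress.
WELL_KNOWN_PREFIX = "64:ff9b::/96"   # the prefix used in the post

def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address into Pref64::/n (RFC 6052 section 2.2). Below /96 the
    IPv4 bytes are split around byte 8 (bits 64..71), the "u" byte, which stays zero."""
    v4, net = ipaddress.IPv4Address(ipv4), ipaddress.IPv6Network(prefix)
    n = net.prefixlen
    if n not in (32, 40, 48, 56, 64, 96):
        raise ValueError("unsupported Pref64 length /%d" % n)
    # RFC 6052 section 3.1: the Well-Known Prefix must not carry non-global IPv4
    # addresses (RFC 1918, loopback, ...); in BIND the "mapped" ACL is where to enforce it.
    if net == ipaddress.IPv6Network(WELL_KNOWN_PREFIX) and not v4.is_global:
        raise ValueError("%s is not a global IPv4 address" % ipv4)
    pre = net.network_address.packed[: n // 8]
    if n == 96:
        body = v4.packed
    else:
        cut = 8 - n // 8                      # IPv4 bytes that fit before the u byte
        body = v4.packed[:cut] + b"\x00" + v4.packed[cut:]
    return str(ipaddress.IPv6Address((pre + body).ljust(16, b"\x00")))

def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Recover the embedded IPv4 address from a synthesized AAAA (what NAT64 does)."""
    addr, net = ipaddress.IPv6Address(ipv6), ipaddress.IPv6Network(prefix)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (ipv6, prefix))
    raw, n = addr.packed, net.prefixlen
    if n == 96:
        return str(ipaddress.IPv4Address(raw[12:16]))
    cut = 8 - n // 8
    return str(ipaddress.IPv4Address(raw[n // 8:8] + raw[9:13 - cut]))

def dns64_resolve(name, zone, prefix=WELL_KNOWN_PREFIX):
    """The flow from the post: a real AAAA passes through untouched; only a name
    with A records and no AAAA records gets synthesized answers."""
    rrsets = zone.get(name, {})
    if rrsets.get("AAAA"):
        return list(rrsets["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in rrsets.get("A", [])]

# Constructed sample authoritative data; the Amazon address is from the post's dig output.
SAMPLE_ZONE = {
    "www.amazon.co.jp": {"A": ["207.171.181.135"]},
    "dual.example": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}
```

dns64_resolve("www.amazon.co.jp", SAMPLE_ZONE) yields the same 64:ff9b::cfab:b587 that BIND returned above, while dual.example keeps its real AAAA.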


Here’s the packet capture from when I ran “dig @::1 www.amazon.co.jp aaaa”.

BIND sends the A query and receives the answer from the amazon.co.jp name server:
Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 0
Queries
    www.amazon.co.jp: type A, class IN
        Name: www.amazon.co.jp
        Type: A (Host address)
        Class: IN (0x0001)
Answers
    www.amazon.co.jp: type A, class IN, addr 207.171.185.225
        Name: www.amazon.co.jp
        Type: A (Host address)
        Class: IN (0x0001)
        Time to live: 1 minute
        Data length: 4
        Addr: 207.171.185.225


BIND converts the A reply into a DNS64 (AAAA) answer and returns it to the client resolver:
Queries
    www.amazon.co.jp: type AAAA, class IN
        Name: www.amazon.co.jp
        Type: AAAA (IPv6 address)
        Class: IN (0x0001)
Answers
    www.amazon.co.jp: type AAAA, class IN, addr 64:ff9b::cfab:b9e1
        Name: www.amazon.co.jp
        Type: AAAA (IPv6 address)
        Class: IN (0x0001)
        Time to live: 1 second
        Data length: 16
        Addr: 64:ff9b::cfab:b9e1
Authoritative nameservers
    www.amazon.co.jp: type NS, class IN, ns ns-911.amazon.com
        Name: www.amazon.co.jp
        Type: NS (Authoritative name server)
        Class: IN (0x0001)
        Time to live: 1 hour, 6 seconds
        Data length: 19
        Name server: ns-911.amazon.com

5 comments:

  1. Hi,

    I am using BIND 9.8 and configured it as DNS64 recursively. Now it is working when there are no AAAA answers. Unable to browse website that has AAAA answers.

    Thanks

  2. hi

    does nat64 required for this?

  3. Hello,

    Yes, NAT64 boxes are required.

    Thanks

  4. You mean NAT64 is in the recursive DNS server itself, or is it separate network equipment?

  5. Hi,

    NAT64 is network equipment, so you need to prepare the DNS64 (BIND) box and the NAT64 box separately.
    Technically you can install both the DNS64 and NAT64 functions in one Linux box.
    However, the general deployment is to put the DNS64 box and the NAT64 box separately in a production network.


    DNS64 NAT64 - YouTube by Spirent Communications
    http://www.youtube.com/watch?v=uGxPWUC9i3U

    The following is Linux NAT64 software.
    For example, prepare two Linux boxes: one runs BIND for DNS64 and the other runs Tayga or Ecdysis for NAT64.

    NAT64 for Linux
    http://www.litech.org/tayga/

    Ecdysis: open-source implementation of a NAT64 gateway
    http://ecdysis.viagenie.ca/

    Thanks
