DNS64

 What is DNS64?

DNS64 is a mechanism used in IPv6 networks to facilitate communication between IPv6-only clients and IPv4-only servers. This is especially important in the context of the ongoing transition from IPv4 to IPv6. Since these are two different protocols and not directly compatible, mechanisms like DNS64 are essential for interoperability. This is accomplished in ME DDI using the DNS option dns64.

Configuring the dns64 option involves setting up a DNS server that can synthesize AAAA records (IPv6 addresses) from A records (IPv4 addresses) when no native AAAA records are available. This configuration is typically done on a DNS server that's designed to support DNS64 functionality.

DNS64 works by prefixing an IPv4 address with a specific IPv6 prefix. This prefix is usually a /96 prefix, which leaves room for the entire IPv4 address. A common prefix used is 64:ff9b::/96, but you can use a different one if required.
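The prefixing described above, worked through in Python as an added example (not code from ME DDI or BIND): it embeds an IPv4 address in a DNS64 prefix, recovers it from a logged IPv6 address, and flags synthesized addresses that point at internal IPv4 ranges. It goes beyond the /96 case to the other RFC 6052 prefix lengths; the function names, the INTERNAL_V4 list and the sample log are assumptions made for the illustration.

```python
import ipaddress

WKP = "64:ff9b::/96"                       # prefix used on this page
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)
# Assumed site policy: IPv4 ranges that should never appear behind a DNS64 prefix.
INTERNAL_V4 = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _net(prefix):
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"{prefix}: not a valid RFC 6052 prefix")
    return net

def _v4_offsets(plen):
    # Byte offsets that hold the IPv4 octets; byte 8 (bits 64-71) is reserved.
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def synthesize(prefix, ipv4):
    """Build the AAAA address a DNS64 server would return for an A record."""
    net = _net(prefix)
    raw = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for off, octet in zip(_v4_offsets(net.prefixlen), octets):
        raw[off] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, ipv6):
    """Recover the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net, addr = _net(prefix), ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    offsets = _v4_offsets(net.prefixlen)
    return ipaddress.IPv4Address(bytes(addr.packed[i] for i in offsets))

def audit(prefix, logged_addresses):
    """Return (ipv6, ipv4) pairs whose embedded IPv4 falls in INTERNAL_V4."""
    hits = []
    for text in logged_addresses:
        v4 = extract(prefix, text)
        if v4 is not None and any(v4 in n for n in INTERNAL_V4):
            hits.append((text, str(v4)))
    return hits

# Constructed sample: destination addresses as they might appear in a flow log.
SAMPLE_LOG = ["64:ff9b::c000:201", "2001:db8::10", "64:ff9b::a00:5", "64:ff9b::c0a8:101"]

if __name__ == "__main__":
    print(synthesize(WKP, "192.0.2.1"))
    print(audit(WKP, SAMPLE_LOG))
```

RFC 6052 states that the well-known prefix 64:ff9b::/96 must not be used to represent non-global IPv4 addresses such as RFC 1918 space, which is why hits from `audit` deserve a look.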

Example in ISC BIND format

options {
    // other options...
    dns64 64:ff9b::/96 {
        clients { any; };
        // more specific configurations if needed
    };
};

In this configuration:

  • dns64 64:ff9b::/96 specifies the DNS64 prefix.

  • clients { any; }; indicates that DNS64 translation should be applied to requests from all clients. You can restrict this to certain clients or networks if necessary.

 Configuring DNS64 in DDI 

To configure it, select DNS -> Config -> DNS Options.

  • On the DNS Options page, click the Options drop-down box and search for the dns64 option.

  • The dns64 option appears with all its attributes. Fill in the values for each attribute and click Save.

 

Here are the attributes within the dns64 option:

netprefix: This is the IPv6 prefix that is used to synthesize AAAA records. It's typically a /96 prefix, and the IPv4 address is appended to this prefix to create the IPv6 address in the synthesized AAAA record. Example value: dns64 64:ff9b::/96 { ... };

break-dnssec: This attribute, when set, allows DNS64 to synthesize AAAA records even for DNSSEC-signed domains. This can potentially break DNSSEC validation, as the synthesized AAAA record does not actually exist in the DNS. Example value: break-dnssec yes;

clients: Specifies which clients the DNS64 rule applies to. You can define a match list of IP addresses or subnets from which the clients are allowed to use DNS64. Example value: clients { any; };

exclude: Used to define IP address ranges for which DNS64 should not synthesize AAAA records. This is useful for networks or hosts that are reachable over native IPv6. Example value: exclude { 2001:db8::/32; };

recursive-only: When set to yes, DNS64 synthesis is performed only for recursive queries. It won’t synthesize records for authoritative answers. Example value: recursive-only yes;

mapped: This attribute controls whether DNS64 synthesis is applied to domains that have both A and AAAA records. If set, it will synthesize AAAA records even if native AAAA records exist. Example value: mapped yes;

suffix: This optional attribute specifies a suffix to append to the synthesized IPv6 address. It's rarely used as the default behavior (without a suffix) is generally preferred. Example value: suffix ::1;

Each of these attributes fine-tunes the behavior of DNS64, allowing for customization based on specific network needs, especially in environments transitioning to IPv6 or operating in dual-stack (IPv4 and IPv6) scenarios. It's important to configure these settings carefully to ensure proper network functionality and to avoid unintended disruptions, particularly with regard to DNSSEC and native IPv6 connectivity.

Click Save to see the dns64 option in effect.

