DNS64

DNS64 is a mechanism used in IPv6 networks to facilitate communication between IPv6-only clients and IPv4-only servers. This is especially important in the context of the ongoing transition from IPv4 to IPv6. Since these are two different protocols and not directly compatible, mechanisms like DNS64 are essential for interoperability. This is accomplished in DDI Central using the DNS option dns64. Configuring dns64 option involves setting up a DNS server that can synthesize AAAA records (IPv6 addresses) from A records (IPv4 addresses) when no native AAAA records are available. This configuration is typically done on a DNS server that's designed to support DNS64 functionality.

DNS64 works by prefixing an IPv4 address with a specific IPv6 prefix. This prefix is usually a /96 prefix, which leaves room for the entire IPv4 address. A common prefix used is 64:ff9b::/96, but you can use a different one if required.

Example in ISC BIND format

• dns64 64:ff9b::/96 specifies the DNS64 prefix.
• clients { any; }; indicates that DNS64 translation should be applied to requests from all clients. You can restrict this to certain clients or networks if necessary.

Configuring DNS64 in DDI Central

To configure it select DNS-> Config-> DNS Option

• On the DNS options page, click on the Options drop down box to search for dns64 option.
• The dns64 option appears with all its attributes. Fill in the values for each attribute and click

  

Here are the attributes within the dns64 option:

netprefix: This is the IPv6 prefix that is used to synthesize AAAA records. It's typically a /96 prefix, and the IPv4 address is appended to this prefix to create the IPv6 address in the synthesized AAAA record. Example value: dns64 64:ff9b::/96 { ... };

break-dnssec: This attribute, when set, allows DNS64 to synthesize AAAA records even for DNSSEC-signed domains. This can potentially break DNSSEC validation, as the synthesized AAAA record does not actually exist in the DNS. Example value: break-dnssec yes;

clients: Specifies for which clients the DNS64 rule applies to. You can define a match list of IP addresses or subnets from which the clients are allowed to use DNS64. Example value: clients { any; };

exclude: Used to define IP address ranges for which DNS64 should not synthesize AAAA records. This is useful for networks or hosts that are reachable over native IPv6. Example value: exclude { 2001:db8::/32; };

recursive-only: When set to yes, DNS64 synthesis is performed only for recursive queries. It won’t synthesize records for authoritative answers. Example value: recursive-only yes;

mapped: This attribute controls whether DNS64 synthesis is applied to domains that have both A and AAAA records. If set, it will synthesize AAAA records even if native AAAA records exist. Example value: mapped yes;

suffix: This optional attribute specifies a suffix to append to the synthesized IPv6 address. It's rarely used as the default behavior (without a suffix) is generally preferred. Example value: suffix ::1;

Each of these attributes fine-tunes the behavior of DNS64, allowing for customization based on specific network needs, especially in environments transitioning to IPv6 or operating in dual-stack (IPv4 and IPv6) scenarios. It's important to configure these settings carefully to ensure proper network functionality and to avoid unintended disruptions, particularly with regard to DNSSEC and native IPv6 connectivity.

Click Save to see the dns64 option in effect.