topic Re: NAT64 sending an AAAA record instead of an A record on to IPv4-LA in Network Security

NAT64 sending an AAAA record instead of an A record on to IPv4-LAN

ralfmeirsman-0 — Tue, 19 Mar 2024 11:14:38 GMT

Here is the situation:

(IPv6-LAN) * (IPv4-LAN)

*******************

ping -t www.tijd.be -> * NAT64 - Router * -> AAAA Record asking for IPV6-address

******************* resolution

* AAAA record asking for IPv6-resolution

* should be A record asking for IPv4-resolution

The router sends out an AAAA record instead of an A record. Therefore DNS server comes back with an IPv6 instead of an IPv4.

Configuration is attached. What to do?

Regards.

Re: NAT64 sending an AAAA record instead of an A record on to IPv4-LA

Harold Ritter — Tue, 19 Mar 2024 13:52:28 GMT

Hi @ralfmeirsman-0 ,

This is the expected behavior. The AAAA queries are not sent by the router, but rather by the workstation on the ipv6 LAN. NAT64 needs to be deployed along with DNS64. DNS64 will receive the AAAA query from the ipv6 LAN and perform a AAAA query. If no AAAA record is available, it will perform a A query and return a synthetic AAAA record (NAT64 prefix + IPv4 address). The router will then use this synthetic IPv6 address to perform the NAT64 translation from IPv6 to IPv4.

Most DNS servers can be configured as DNS64. Do you have a DNS64?

Regards,

Re: NAT64 sending an AAAA record instead of an A record on to IPv4-LA

ralfmeirsman-0 — Tue, 19 Mar 2024 14:27:07 GMT

No. I don't. How can I configure a DNS64 server?

Regards.

Re: NAT64 sending an AAAA record instead of an A record on to IPv4-LA

Harold Ritter — Tue, 19 Mar 2024 18:10:40 GMT

Hi @ralfmeirsman-0 ,

It depends what DNS you use. For instance, if you use BIND, you can refer to the BIND documentation to find out how to configure DNS64.

If you currently don't have your own DNS server, you could use Google public DNS64 servers.

https://developers.google.com/speed/public-dns/docs/dns64

Regards,

Re: NAT64 sending an AAAA record instead of an A record on to IPv4-LA

ralfmeirsman-0 — Tue, 19 Mar 2024 19:04:25 GMT

I will certainly try BIND.

However when I use a Google Public DNS64 server as e.g. 2001:4860:4860::6464,it is not able to reach the DNS64 server it self over the NAT64 router. It strips the NAT64 prefix 2001:4860:4860 and searches for IPv4 0.0.100.100 (0 0 : 64 64) .

How can a Public DNS64 be used in this configuration in order to be able to route to 2001:4860:4860::6464 over the IPv4 network?

Regards.

Re: NAT64 sending an AAAA record instead of an A record on to IPv4-LA

Harold Ritter — Tue, 19 Mar 2024 19:26:19 GMT

Hi @ralfmeirsman-0 ,

Sorry I thought you had connectivity to the ipv6 Internet. Accessing the Google public DNS64 servers will only work if you have ipv6 Internet connectivity.

So in your case, you will need to go with a local DNS64 server.

Regards,

Re: NAT64 sending an AAAA record instead of an A record on to IPv4-LA

Harold Ritter — Tue, 19 Mar 2024 20:24:19 GMT

Hi @ralfmeirsman-0 ,

One more thing. Without ipv6 Internet connectivity, nat64/dns64 will only work towards Internet hosts that only have a A record.

For hosts that have a AAAA record, the dns64 will return the AAAA record with the real ipv6 address. This address will be unreachable as you do not have ipv6 Internet connectivity.

For hosts that only have a A record, the dns64 will generate a synthetic AAAA record from the A response (nat64 prefix + ipv4 address), which will cause the nat64 device to translate the ipv6 traffic towards that address to ipv4.

Regards,