01-22-2017 08:11 AM - edited 03-01-2019 05:52 PM
I currently have a dual-stacked network behind a Cisco ASA 5512-X. We have both IPv4 and IPv6 internet connectivity. The goal is to be able to get rid of the IPv4 internal network altogether and only use IPv6 internally. In order to do this, we need to configure NAT64 and DNS64. I understand how to configure NAT64 on the Cisco ASA 5512-X. What I don't understand is how to successfully deploy DNS64 within the office network. We can't simply use online DNS64 servers like the ones Google provides, because internal hosts need to be able to resolve AD domain queries, like server1.mycompany.com. This leaves me with my main question: How can I deploy a DNS64 solution on my internal IPv6 network? Can I somehow do this on the Cisco ASA (doubt it), can I do this on my Windows AD servers (All I see online are solutions using DirectAccess, which I don't want to use), can I use a Linux DNS64 server with BIND?
The overall goal is this:
- My host queries for www.website.com.
- If an AAAA record exists, it is returned to the host.
- If an AAAA record does not exist, and an A record exists, the A record is returned.
- The A record is converted to an AAAA record (By the ASA or by the DNS64 server, I'm not sure how this would work exactly)
- The host gets the converted AAAA record
- The host browses to the simulated IPv6 address.
- The Cisco ASA uses NAT64 to connect the IPv6 host to the IPv4 Internet server.
Most solutions I see online incorporate the same device handling both NAT64 and DNS64. Does this have to be the case? Can the ASA not handle NAT64, while a separate server on the internal network handles DNS64 services?
01-22-2017 04:00 PM
Can't you just point your clients at your AD controllers, and then point the AD controllers (their forwarders configuration) to the Google DNS64 servers?
01-22-2017 04:26 PM
You know what? That might work. And it's so simple that if it does, I will kick myself, lol. I'll give that a try and reply with my findings.
01-22-2017 04:26 PM
It also means you can configure conditional forwarders if you find some domains that are
"plain broken" so you can override them.
04-06-2017 10:12 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide