Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
359
Views
0
Helpful
6
Replies

NAT64 sending an AAAA record instead of an A record on to IPv4-LAN

Go to solution
ralfmeirsman-0
Level 1
Level 1

‎03-19-2024 04:14 AM

Here is the situation:

                                             (IPv6-LAN) *   (IPv4-LAN)

                                                               *
                                                               *
                                                               *
                                                 *******************
  ping -t www.tijd.be    ->          *  NAT64 - Router *      -> AAAA Record asking for IPV6-address
                                                 *******************         resolution
                                                               *                           
                                                               *                       AAAA record asking for IPv6-resolution
                                                               *                       should be A record asking for IPv4-resolution
                                                               *
                                                               *
 
The router sends out an AAAA record instead of an A record. Therefore DNS server comes back with an IPv6 instead of an IPv4.
 
Configuration is attached. What to do?
 
Regards.
Preview file
3 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
ralfmeirsman-0
Level 1
Level 1
In response to Harold Ritter

‎03-19-2024 12:04 PM

I will certainly try BIND.

However when I use a Google Public DNS64 server as e.g. 2001:4860:4860::6464,it is not able to reach the DNS64 server it self over the NAT64 router. It strips the NAT64 prefix 2001:4860:4860 and searches for IPv4 0.0.100.100 (0 0 : 64 64) .

How can a Public DNS64 be used in this configuration in order to be able to route to 2001:4860:4860::6464 over the IPv4 network?

Regards. 

View solution in original post

0 Helpful

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee
In response to ralfmeirsman-0

‎03-19-2024 12:26 PM

Hi @ralfmeirsman-0 ,

Sorry I thought you had connectivity to the ipv6 Internet. Accessing the Google public DNS64 servers will only work if you have ipv6 Internet connectivity. 

So in your case, you will need to go with a local DNS64 server.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee

‎03-19-2024 06:49 AM - edited ‎03-19-2024 06:52 AM

Hi @ralfmeirsman-0 ,

This is the expected behavior. The AAAA queries are not sent by the router, but rather by the workstation on the ipv6 LAN. NAT64 needs to be deployed along with DNS64. DNS64 will receive the AAAA query from the ipv6 LAN and perform a AAAA query. If no AAAA record is available, it will perform a A query and return a synthetic AAAA record (NAT64 prefix + IPv4 address). The router will then use this synthetic IPv6 address to perform the NAT64 translation from IPv6 to IPv4.

Most DNS servers can be configured as DNS64. Do you have a DNS64?

Regards, 

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
ralfmeirsman-0
Level 1
Level 1
In response to Harold Ritter

‎03-19-2024 07:27 AM

No. I don't. How can I configure a DNS64 server?

Regards. 

0 Helpful

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee
In response to ralfmeirsman-0

‎03-19-2024 10:22 AM - edited ‎03-19-2024 11:10 AM

Hi @ralfmeirsman-0 ,

It depends what DNS you use. For instance, if you use BIND, you can refer to the BIND documentation to find out how to configure DNS64.

If you currently don't have your own DNS server, you could use Google public DNS64 servers.

https://developers.google.com/speed/public-dns/docs/dns64

Regards, 

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
ralfmeirsman-0
Level 1
Level 1
In response to Harold Ritter

‎03-19-2024 12:04 PM

I will certainly try BIND.

However when I use a Google Public DNS64 server as e.g. 2001:4860:4860::6464,it is not able to reach the DNS64 server it self over the NAT64 router. It strips the NAT64 prefix 2001:4860:4860 and searches for IPv4 0.0.100.100 (0 0 : 64 64) .

How can a Public DNS64 be used in this configuration in order to be able to route to 2001:4860:4860::6464 over the IPv4 network?

Regards. 

0 Helpful

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee
In response to ralfmeirsman-0

‎03-19-2024 12:26 PM

Hi @ralfmeirsman-0 ,

Sorry I thought you had connectivity to the ipv6 Internet. Accessing the Google public DNS64 servers will only work if you have ipv6 Internet connectivity. 

So in your case, you will need to go with a local DNS64 server.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee
In response to ralfmeirsman-0

‎03-19-2024 01:24 PM

Hi @ralfmeirsman-0 ,

One more thing. Without ipv6 Internet connectivity, nat64/dns64 will only work towards Internet hosts that only have a A record. 

For hosts that have a AAAA record, the dns64 will return the AAAA record with the real ipv6 address. This address will be unreachable as you do not have ipv6 Internet connectivity.

For hosts that only have a A record, the dns64 will generate a synthetic AAAA record from the A response (nat64 prefix + ipv4 address), which will cause the nat64 device to translate the ipv6 traffic towards that address to ipv4.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card