Re: DNS64 & nslookup

2018-04-11 Thread Rick Tillery
I'll give those tools a try, but I don't understand how my client is
requesting an A record. It only has IPv6 networking. DNS64 should be
requesting an A record, but what the client should see is the converted
AAAA record. Is that not right?

Rick

On Wed, Apr 11, 2018, 5:27 PM Chuck Swiger <cswi...@mac.com> wrote:

> On Apr 11, 2018, at 3:09 PM, Rick Tillery <rtilleryw...@gmail.com> wrote:
> > I appear to have my NAT64+DNS64 IPv6 -> IPv4 network configured
> correctly, as I can access IPv4 only Internet sites, e.g. from my browser.
> But some tools don't seem to work the way I think they should.
> >
> > One example is nslookup.  If I do nslookup ipv4.google.com, I get:
> >
> > $ nslookup ipv4.google.com
> > Server: 2001:4:1f:98::2
> > Address:2001:4:1f:98::2#53
> >
> > Non-authoritative answer:
> > ipv4.google.com canonical name = ipv4.l.google.com.
> > Name:   ipv4.l.google.com
> > Address: 216.58.218.110
> >
> > Shouldn't the address (last line) be an IPv6 address (prefixed IPv4
> address, created by NAT64, such as 64:ff9b::216.58.218.110)?
>
> Nope.  Whether your local system connects to IPv4 addresses via
> NAT64-formatted IPv6 addresses is unrelated to DNS lookups of A or AAAA
> records.  If you ask for an A record, you will get IPv4 address(es) back or
> 0 records, not an IPv6 address.
>
> By the way, debugging DNS issues by using nslookup is difficult; try
> switching to dig and consider the results of running "dig -t a
> ipv4.l.google.com." and "dig -t AAAA ipv4.l.google.com."
>
> Regards,
> --
> -Chuck
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


DNS64 & nslookup

2018-04-11 Thread Rick Tillery
I appear to have my NAT64+DNS64 IPv6 -> IPv4 network configured correctly,
as I can access IPv4 only Internet sites, e.g. from my browser.  But some
tools don't seem to work the way I think they should.

One example is nslookup.  If I do nslookup ipv4.google.com, I get:

$ nslookup ipv4.google.com
Server: 2001:4:1f:98::2
Address:2001:4:1f:98::2#53

Non-authoritative answer:
ipv4.google.com canonical name = ipv4.l.google.com.
Name:   ipv4.l.google.com
Address: 216.58.218.110


Shouldn't the address (last line) be an IPv6 address (prefixed IPv4
address, created by NAT64, such as 64:ff9b::216.58.218.110)?

Here is my network configuration, set up with only IPv6 (DHCP address):

$ ip a
1: lo:  mtu 6556 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: enp0s3:  mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
inet6 2001:4:1f:98::1b1/128 scope global dynamic
   valid_lft 4663sec preferred_lft 1963sec
inet6 fe80:::::/64 scope link
   valid_lft forever preferred_lft forever


Here is the named.conf.options file:

options {
    directory "/var/cache/bind";
    auth-nxdomain no;
    listen-on-v6 { any; };
    allow-query { any; };
    dns64 64:ff9b::/96 {
        clients { any; };
        exclude { ::/0; };
    };
};


Is the nslookup output correct?  And if not, is this why tools like ping,
used with a URL, can't resolve the host without being explicitly told (i.e.
with ping -6 or ping6) that the target is IPv6?

Rick


Re: DNS64 & nslookup

2018-04-11 Thread Rick Tillery
According to what I've read, that's exactly what DNS64 does. It converts A
records to AAAA records. (For mixed networks, it just passes through AAAA
records, but that's not in my configuration):

"DNS64 is a mechanism for synthesizing AAAA resource records (RRs) from A
RRs." - https://tools.ietf.org/html/rfc6147

"DNS64 describes a DNS server that when asked for a domain's AAAA records,
but only finds A records, synthesizes the AAAA records from the A records."
- https://en.m.wikipedia.org/wiki/IPv6_transition_mechanism

Rick

On Apr 11, 2018 5:40 PM, "Chuck Swiger" <cswi...@mac.com> wrote:

On Apr 11, 2018, at 3:32 PM, Rick Tillery <rtilleryw...@gmail.com> wrote:
> I'll give those tools a try, but I don't understand how my client is
requesting an A record. It only has IPv6 networking. DNS64 should be
requesting an A record, but what the client should see is the converted
AAAA record. Is that not right?

Nope-- DNS requests aren't going to convert an A record to a AAAA record.

Normally, IPv6 only machines should request IPv6 AAAA records by
preference, and fall back to IPv4 A records only when IPv6 isn't
available.  However, your IPv6-only machine will route IPv4 traffic using
6-in-4 or NAT64 addressing, otherwise you'd get broken connectivity to
IPv4-only addresses.

Regards,

-- 
-Chuck

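The behaviour discussed in this thread, as an added example that is not from any of the posters or from BIND: a simplified Python model of how a DNS64 resolver answers A versus AAAA queries, including the effect of the exclude { ::/0; } clause in the posted configuration. The A record is the one from the nslookup output above; "dual.example." and its addresses are constructed, and the model ignores BIND's clients and mapped clauses and assumes a /96 prefix.

```python
import ipaddress

# Sample data: the A record is the one shown in the nslookup output above;
# "dual.example." and its addresses are constructed for illustration.
ZONE = {
    "ipv4.l.google.com.": {"A": ["216.58.218.110"], "AAAA": []},
    "dual.example.": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
}


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this model only handles /96 prefixes")
    low32 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | low32))


def dns64_answer(name, qtype, prefix="64:ff9b::/96", exclude=("::/0",)):
    """Addresses a DNS64 resolver returns for one query (simplified model)."""
    records = ZONE[name]
    if qtype == "A":
        # A queries are never rewritten: the client gets plain IPv4 back.
        return list(records["A"])
    if qtype != "AAAA":
        raise ValueError("model covers A and AAAA only")
    # AAAA records inside an excluded network are treated as absent.
    nets = [ipaddress.IPv6Network(n) for n in exclude]
    native = [a for a in records["AAAA"]
              if not any(ipaddress.IPv6Address(a) in n for n in nets)]
    if native:
        return native  # usable native IPv6 exists: pass it through
    # No usable AAAA: synthesize one per A record.
    return [synthesize(prefix, a) for a in records["A"]]


if __name__ == "__main__":
    for name in ZONE:
        for qtype in ("A", "AAAA"):
            print(name, qtype, dns64_answer(name, qtype))
    print("no exclude:", dns64_answer("dual.example.", "AAAA", exclude=()))
```

Only the AAAA query type yields a prefixed address, which is why a tool that asks for A records still shows the IPv4 address on a working DNS64 setup.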

2 Qs: DNS64 on IPv4 & Bind Sharing VM

2018-04-03 Thread Rick Tillery
I am creating an IPv6-only subnet to test software for IPv6 compatibility.
We just need to check that the software can function correctly in an IPv6
network, so prefixed IPv4 addresses work the same as real IPv6 addresses in
this testing.  We also don't actually need access to the IPv6 Internet,
just the IPv4 Internet, which is good, because our network connection is
only IPv4, and we have no tunnelling.

Using TAYGA as the NAT64, I have configured the subnet so that prefixed
IPv4 addresses are working, and I can reach IPv4 sites.  However, I need
DNS64 to provide name resolution to these prefixed IPv4 addresses.

Google's DNS64 server requires access to the IPv6 Internet (according to
Google on their support group), so it won't work for us.  So I have to
configure my own DNS64 server, and Bind seems like just the thing.

1.  All the documentation for DNS64 says that when a name lookup is sent to
a DNS64 server, it first checks for an IPv6 address, and if one is not
available, it gets the IPv4 address, prefixes it to create an IPv6 address,
and in either case returns an AAAA record.  But can Bind be configured on
an IPv4 domain, such that it skips the first part and just returns the
wrapped IPv4 address in an AAAA record?

2.  I already have 2 VMs configured for my subnet, one acting as router,
and the other my NAT64.  Can Bind share the Debian TAYGA/NAT64 machine, or
do I need to create a new VM for Bind as well?

Thanks for your help!
Rick


Re: 2 Qs: DNS64 on IPv4 & Bind Sharing VM

2018-04-03 Thread Rick Tillery
Thank you.  I'll check that as I configure Bind (are you referencing a
specific configuration? I've seen
https://www.safaribooksonline.com/library/view/dns-and-bind/9781449308025/ch04.html
& http://ipvsix.me/?p=106).  But Bind won't throw an error if it can't
access an IPv6 network/DNS, right?

Rick

On Tue, Apr 3, 2018 at 8:36 AM, Mark Andrews <ma...@isc.org> wrote:

> Add exclude { ::/0; }; to the dns64 definition. It won’t prevent the
> lookup but will cause the AAAA returned to be ignored.
>
> --
> Mark Andrews
>
> > On 3 Apr 2018, at 23:14, Rick Tillery <rtilleryw...@gmail.com> wrote:
> >
> > I am creating an IPv6-only subnet to test software for IPv6
> compatibility.  We just need to check that the software can function
> correctly in an IPv6 network, so prefixed IPv4 addresses work the same as
> real IPv6 addresses in this testing.  We also don't actually need access to
> the IPv6 Internet, just the IPv4 Internet, which is good, because our
> network connection is only IPv4, and we have no tunnelling.
> >
> > Using TAYGA as the NAT64, I have configured the subnet so that prefixed
> IPv4 addresses are working, and I can reach IPv4 sites.  However, I need
> DNS64 to provide name resolution to these prefixed IPv4 addresses.
> >
> > Google's DNS64 server requires access to the IPv6 Internet (according to
> Google on their support group), so it won't work for us.  So I have to
> configure my own DNS64 server, and Bind seems like just the thing.
> >
> > 1.  All the documentation for DNS64 says that when a name lookup is sent
> to a DNS64 server, it first checks for an IPv6 address, and if one is not
> available, it gets the IPv4 address, prefixes it to create an IPv6 address,
> and in either case returns an AAAA record.  But can Bind be configured on
> an IPv4 domain, such that it skips the first part and just returns the
> wrapped IPv4 address in an AAAA record?
> >
> > 2.  I already have 2 VMs configured for my subnet, one acting as router,
> and the other my NAT64.  Can Bind share the Debian TAYGA/NAT64 machine, or
> do I need to create a new VM for Bind as well?
> >
> > Thanks for your help!
> > Rick
>
>