Re: DNS64 & nslookup
I'll give those tools a try, but I don't understand how my client is requesting an A record. It only has IPv6 networking. DNS64 should be requesting an A record, but what the client should see is the converted record. Is that not right?

Rick

On Wed, Apr 11, 2018, 5:27 PM Chuck Swiger <cswi...@mac.com> wrote:

> On Apr 11, 2018, at 3:09 PM, Rick Tillery <rtilleryw...@gmail.com> wrote:
> > I appear to have my NAT64+DNS64 IPv6 -> IPv4 network configured correctly, as I can access IPv4 only Internet sites, e.g. from my browser. But some tools don't seem to work the way I think they should.
> >
> > One example is nslookup. If I do nslookup ipv4.google.com, I get:
> >
> > $ nslookup ipv4.google.com
> > Server: 2001:4:1f:98::2
> > Address:2001:4:1f:98::2#53
> >
> > Non-authoritative answer:
> > ipv4.google.com canonical name = ipv4.l.google.com.
> > Name: ipv4.l.google.com
> > Address: 216.58.218.110
> >
> > Shouldn't the address (last line) be an IPv6 address (prefixed IPv4 address, created by NAT64, such as 64:ff9b::216.58.218.110)?
>
> Nope. Whether your local system connects to IPv4 addresses via NAT64-formatted IPv6 addresses is unrelated to DNS lookups of A or records. If you ask for an A record, you will get IPv4 address(es) back or 0 records, not an IPv6 address.
>
> By the way, debugging DNS issues by using nslookup is difficult; try switching to dig and consider the results of running "dig -t a ipv4.l.google.com." and "dig -t ipv4.l.google.com."
>
> Regards,
> --
> -Chuck

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
DNS64 & nslookup
I appear to have my NAT64+DNS64 IPv6 -> IPv4 network configured correctly, as I can access IPv4 only Internet sites, e.g. from my browser. But some tools don't seem to work the way I think they should.

One example is nslookup. If I do nslookup ipv4.google.com, I get:

    $ nslookup ipv4.google.com
    Server: 2001:4:1f:98::2
    Address:2001:4:1f:98::2#53

    Non-authoritative answer:
    ipv4.google.com canonical name = ipv4.l.google.com.
    Name: ipv4.l.google.com
    Address: 216.58.218.110

Shouldn't the address (last line) be an IPv6 address (prefixed IPv4 address, created by NAT64, such as 64:ff9b::216.58.218.110)?

Here is my network configuration, set up with only IPv6 (DHCP address):

    $ ip a
    1: lo:mtu 6556 qdisc noqueue state UNKNOWN qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp0s3: mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
        inet6 2001:4:1f:98::1b1/128 scope global dynamic
           valid_lft 4663sec preferred_lft 1963sec
        inet6 fe80:::::/64 scope link
           valid_lft forever preferred_lft forever

Here is the named.conf.options file:

    options {
        directory "/var/cache/bind";
        auth-nxdomain no;
        listen-on-v6 { any; };
        allow-query { any; };
        dns64 64:ff9b::/96 {
            clients { any; };
            exclude { ::/0; };
        };
    };

Is the nslookup output correct? And if not, is this why tools like ping, used with a URL, can't resolve the host without being explicitly told (i.e. with ping -6 or ping6) that the target is IPv6?

Rick
Re: DNS64 & nslookup
According to what I've read, that's exactly what DNS64 does. It converts A records to records. (For mixed networks, it just passes through records, but that's not in my configuration):

"DNS64 is a mechanism for synthesizing resource records (RRs) from A RRs." - https://tools.ietf.org/html/rfc6147

"DNS64 describes a DNS server that when asked for a domain's records, but only finds A records, synthesizes the records from the A records." - https://en.m.wikipedia.org/wiki/IPv6_transition_mechanism

Rick

On Apr 11, 2018 5:40 PM, "Chuck Swiger" <cswi...@mac.com> wrote:

On Apr 11, 2018, at 3:32 PM, Rick Tillery <rtilleryw...@gmail.com> wrote:
> I'll give those tools a try, but I don't understand how my client is requesting an A record. It only has IPv6 networking. DNS64 should be requesting an A record, but what the client should see is the converted record. Is that not right?

Nope-- DNS requests aren't going to convert an A record to a record. Normally, IPv6 only machines should request IPv6 records by preference, and fall back to IPv4 A records only when IPv6 isn't available.

However, your IPv6-only machine will route IPv4 traffic using 6-in-4 or NAT64 addressing, otherwise you'd get broken connectivity to IPv4-only addresses.

Regards,
--
-Chuck
2 Qs: DNS64 on IPv4 & Bind Sharing VM
I am creating an IPv6-only subnet to test software for IPv6 compatibility. We just need to check that the software can function correctly in an IPv6 network, so prefixed IPv4 addresses work the same as real IPv6 addresses in this testing. We also don't actually need access to the IPv6 Internet, just the IPv4 Internet, which is good, because our network connection is only IPv4, and we have no tunnelling.

Using TAYGA as the NAT64, I have configured the subnet so that prefixed IPv4 addresses are working, and I can reach IPv4 sites. However, I need DNS64 to provide name resolution to these prefixed IPv4 addresses.

Google's DNS64 server requires access to the IPv6 Internet (according to Google on their support group), so it won't work for us. So I have to configure my own DNS64 server, and Bind seems like just the thing.

1. All the documentation for DNS64 says that when a name lookup is sent to a DNS64 server, it first checks for an IPv6 address, and if one is not available, it gets the IPv4 address, prefixes it to create an IPv6 address, and in either case returns an record. But can Bind be configured on an IPv4 domain, such that it skips the first part and just returns the wrapped IPv4 address in an record?

2. I already have 2 VMs configured for my subnet, one acting as router, and the other my NAT64. Can Bind share the Debian TAYGA/NAT64 machine, or do I need to create a new VM for Bind as well?

Thanks for your help!

Rick
Re: 2 Qs: DNS64 on IPv4 & Bind Sharing VM
Thank you. I'll check that as I configure Bind (are you referencing a specific configuration? I've seen https://www.safaribooksonline.com/library/view/dns-and-bind/9781449308025/ch04.html & http://ipvsix.me/?p=106).

But Bind won't throw an error if it can't access an IPv6 network/DNS, right?

Rick

On Tue, Apr 3, 2018 at 8:36 AM, Mark Andrews <ma...@isc.org> wrote:

> Add exclude { ::/0; }; to the dns64 definition. It won’t prevent the lookup but will cause the returned to be ignored.
>
> --
> Mark Andrews
>
> > On 3 Apr 2018, at 23:14, Rick Tillery <rtilleryw...@gmail.com> wrote:
> >
> > I am creating an IPv6-only subnet to test software for IPv6 compatibility. We just need to check that the software can function correctly in an IPv6 network, so prefixed IPv4 addresses work the same as real IPv6 addresses in this testing. We also don't actually need access to the IPv6 Internet, just the IPv4 Internet, which is good, because our network connection is only IPv4, and we have no tunnelling.
> >
> > Using TAYGA as the NAT64, I have configured the subnet so that prefixed IPv4 addresses are working, and I can reach IPv4 sites. However, I need DNS64 to provide name resolution to these prefixed IPv4 addresses.
> >
> > Google's DNS64 server requires access to the IPv6 Internet (according to Google on their support group), so it won't work for us. So I have to configure my own DNS64 server, and Bind seems like just the thing.
> >
> > 1. All the documentation for DNS64 says that when a name lookup is sent to a DNS64 server, it first checks for an IPv6 address, and if one is not available, it gets the IPv4 address, prefixes it to create an IPv6 address, and in either case returns an record. But can Bind be configured on an IPv4 domain, such that it skips the first part and just returns the wrapped IPv4 address in an record?
> >
> > 2. I already have 2 VMs configured for my subnet, one acting as router, and the other my NAT64. Can Bind share the Debian TAYGA/NAT64 machine, or do I need to create a new VM for Bind as well?
> >
> > Thanks for your help!
> > Rick
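
The behaviour discussed in both threads above, as an added example that is not part of the original messages and not BIND's own code: a sketch of DNS64 answer selection per RFC 6147 with RFC 6052 /96 embedding. The zone data, the names under example. and the function names are constructed for illustration; the prefix and the exclude list are the ones quoted in the thread.

```python
import ipaddress

# Constructed upstream data: what the resolver learns from ordinary recursion.
UPSTREAM = {
    "ipv4.example.": {"A": ["192.0.2.33"], "AAAA": []},
    "dual.example.": {"A": ["192.0.2.44"], "AAAA": ["2001:db8::44"]},
}


def synthesize(prefix, v4):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this sketch handles /96 prefixes only")
    low = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(net.network_address) | low))


def dns64_answer(name, qtype, prefix="64:ff9b::/96", exclude=()):
    """Return the addresses a DNS64 resolver would hand to the client."""
    rr = UPSTREAM[name]
    if qtype != "AAAA":
        # DNS64 only acts on AAAA queries; an A query (nslookup's default)
        # is answered with the untouched IPv4 address.
        return list(rr.get(qtype, []))
    excluded = [ipaddress.IPv6Network(e) for e in exclude]
    usable = [a for a in rr["AAAA"]
              if not any(ipaddress.IPv6Address(a) in n for n in excluded)]
    if usable:
        return usable  # real, non-excluded AAAA records pass through
    # No usable AAAA: synthesize one per A record.
    return [synthesize(prefix, a) for a in rr["A"]]


if __name__ == "__main__":
    for name in UPSTREAM:
        print(name, "A    ", dns64_answer(name, "A"))
        print(name, "AAAA ", dns64_answer(name, "AAAA"))
        print(name, "AAAA*", dns64_answer(name, "AAAA", exclude=["::/0"]))
```

With exclude set to ::/0 every upstream AAAA is ignored, so a dual-stack name also resolves to a synthesized address, which is the effect an IPv4-only uplink needs.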