Comparing DNS64 implementations

 

If you have an IPv6 network that needs to talk to an IPv4 network, you need two technologies: DNS64 and NAT64. While this sounds rare or foreign to most, it's actually quite common. For example, as of June 1, 2016, all apps submitted to the Apple App Store must support IPv6-only networks.

DNS64 Options

DNS translates user-friendly domain names (like example.com) into computer-required IP addresses (like 93.184.216.34). IP addresses generally come in two flavors: IPv4 (referenced in the DNS A record) and IPv6 (referenced in the DNS AAAA record). If you're on an IPv6 network, your DNS lookup expects an AAAA record. But what happens if you're contacting a site that only works with IPv4? Answer: you can't access the site. Bummer. Fortunately there's a workaround: DNS64 allows you to intercept AAAA requests, request the IPv4 A equivalent and stuff that response into an AAAA result that your IPv6 network can use to access the IPv4-only website. Cool! Here are some free Debian / Ubuntu examples to choose from:

Prerequisites:

I'll be using the dig tool to test so install it via: apt install dnsutils

Option #1: Dnsmasq (not recommended)

Dnsmasq doesn't (currently) have native support for DNS64 so you have to forward to a public upstream DNS64 server. Here are some popular ones. In the example below I'll use the public Google service: 2001:4860:4860::6464 and 2001:4860:4860::64

apt install dnsmasq

cat > /etc/dnsmasq.conf <<EOF

server=2001:4860:4860::6464

server=2001:4860:4860::64

EOF

systemctl restart dnsmasq

# connecting to an IPv4-only site from an IPv6 only client

dig @::1 +short ipv4.google.com AAAA | grep :

# no result - can't access IPv4 sites without NAT64

# an IPv6-only site from an IPv6 only client

dig @::1 +short ipv6.google.com AAAA | grep :

2607:f8b0:4007:817::200e

# you can still access IPv6 sites

Option #2: BIND (not ideal)

BIND is one of the oldest and well known DNS servers but is resource-heavy and performance is often slower than alternatives.

apt install bind9

sed -i '$ s/};/dns64 64:ff9b::\/96 { clients { any; }; }; };/' /etc/bind/named.conf.options

systemctl restart bind9

# connecting to an IPv4-only site from an IPv6 only client

dig @::1 +short ipv4.google.com AAAA | grep :

64:ff9b::8efb:282e

# works! you can access an IPv4-only site from your IPv6 client

# an IPv6-only site from an IPv6 only client

dig @::1 +short ipv6.google.com AAAA | grep :

2607:f8b0:4007:809::200e

# you can still access IPv6 sites

Option #3: CoreDNS

CoreDNS is a nice, modular go-based DNS server with DNS64 support.

apt install git golang-go

wget $(curl -sL https://github.com/coredns/coredns/releases/latest | grep -o -m 1 'href.*arm64.*tgz' | sed 's/href="/https:\/\/github.com/') && tar -xf coredns* && rm coredns_* && mv coredns /usr/local/bin

cat > /etc/coredns/Corefile <<EOF

. {

  forward . 2001:4860:4860::6464 2001:4860:4860::64 8.8.8.8 8.8.4.4

  dns64

}

EOF

cat > /etc/systemd/system/coredns.service <<EOF

[Unit]

Description=CoreDNS DNS server

Documentation=https://coredns.io

After=network.target

StartLimitInterval=200

StartLimitBurst=3

[Service]

PermissionsStartOnly=true

PIDFile=/etc/coredns/coredns.pid

LimitNOFILE=8192

User=root

WorkingDirectory=/etc/coredns

ExecStartPre=/sbin/setcap cap_net_bind_service=+ep /usr/local/bin/coredns

ExecStart=/usr/local/bin/coredns -pidfile /etc/coredns/coredns.pid -conf=/etc/coredns/Corefile

ExecReload=/bin/kill -SIGUSR1 \$MAINPID

Restart=always

RestartSec=10

[Install]

WantedBy=multi-user.target

EOF

systemctl start coredns

# connecting to an IPv4-only site from an IPv6 only client

dig @::1 +short ipv4.google.com AAAA | grep :

64:ff9b::8efa:442e

# works! you can access an IPv4-only site from your IPv6 client

# an IPv6-only site from an IPv6 only client

dig @::1 +short ipv6.google.com AAAA | grep :

2607:f8b0:4007:818::200e

# you can still access IPv6 sites

Option #4: Knot-Resolver

Knot-Resolver is a less common DNS server with a complicated LUA-based configuration system. It's not especially well documented and there's virtually no online community but it's blazing fast! It also has its own knot-dnsutils library with a dig replacement called kdig which is a much leaner (one third the size) install than the BIND version.

cd /tmp

wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb

dpkg -i knot-resolver-release.deb

apt update

apt install knot-resolver knot-dnsutils lua-cqueues

cat > /etc/knot-resolver/kresd.conf <<EOF

modules = {

  'policy',

  'dns64'

}

policy.add(policy.all(policy.FORWARD({'2001:4860:4860::6464', '2001:4860:4860::64', '8.8.8.8', '8.8.4.4'})))

EOF

systemctl start kresd@1

# connecting to an IPv4-only site from an IPv6 only client

kdig @::1 +short ipv4.google.com AAAA | grep :

64:ff9b::8efa:442e

# works! you can access an IPv4-only site from your IPv6 client

# an IPv6-only site from an IPv6 only client

kdig @::1 +short ipv6.google.com AAAA | grep :

2607:f8b0:4007:818::200e

# you can still access IPv6 sites

Option #5: PowerDNS (not recommended)

PowerDNS is a commercial company that open sourced their DNS server, dnsdist, in 2002. It's less common than some options above but does have good support and a strong niche community. Their DNS64 solution requires a custom LUA script, which is less elegant than the native options above.

I tried to run their DNS64 example with their quickstart guide but the service failed to run. Not worth wrestling with it since easier options exist above.

Option #6: Unbound

Unbound is popular for its audited security and technical capabilities. However, the Python dependencies make it a bit slower and resource-heavy than some of the others.

apt install unbound

cat > /etc/unbound/unbound.conf.d/dns64.conf <<EOF

server:

  do-ip6: yes

  interface: ::1

  module-config: "dns64 validator iterator"

  dns64-prefix: 64:ff9b::/96

EOF

systemctl restart unbound

# connecting to an IPv4-only site from an IPv6 only client

dig @::1 +short ipv4.google.com AAAA | grep :

64:ff9b::8efb:282e

# works! you can access an IPv4-only site from your IPv6 client

# an IPv6-only site from an IPv6 only client

dig @::1 +short ipv6.google.com AAAA | grep :

2607:f8b0:4007:809::200e

# you can still access IPv6 sites

Conclusion:

DNS64 is a useful technology, especially when paired with NAT64 (which I'll cover in another post). Of the options I've tried, CoreDNS seems easiest, Knot-Resolver seems fastest, followed by Unbound.