IPv6-only Your Network: Cheap and Easy

The new trend for IPv6 migrations lately is going fully to IPv6, or IPv6-only.  This means that your transition plan is IPv4 one day, and then you change and roll-out a single IP stack: to IPv6.  You may be thinking, “but how is that possible considering most of the Internet is IPv4-only still?”  The answer is simple: NAT64 and DNS64. 

NAT64 and DNS64

Back in 2010/2011, the Internet Engineering Task Force (IETF) developed the standard for doing translation from IPv6 to IPv4: RFC 6146.  The big problems solved by previous standards was DNS. In previous standards and implementations was the there wasn’t a real DNS function for NAT.  When a user makes a DNS request to the DNS resolver enabled with NAT64/DNS64, it will respond with only a AAAA DNS record for an IPv4 address.  If the server already has IPv6, then it will send the DNS requester the original IPv6 address.  For example, if I make a DNS query to an IPv4-only server using standard DNS, it will respond with any A or AAAA records the server has.

Default Server: UnKnown
Address: 2001:470:e073:101:1:101:c1:17

> www.verizon.com
Server: UnKnown
Address: 2001:470:e073:101:1:101:c1:17

Non-authoritative answer:
Name: cs87.can.transactcdn.com
Aliases: www.verizon.com

As you can see, the standard DNS server responded with its IPv4 A record:  However, if I make a DNS query to a DNS64/NAT64 resolver it will respond with an IPv6 AAAA record.

server 2001:470:e5bf:dead::254
Default Server: [2001:470:e5bf:dead::254]
Address: 2001:470:e5bf:dead::254

> www.verizon.com
Server: [2001:470:e5bf:dead::254]
Address: 2001:470:e5bf:dead::254

Non-authoritative answer:
Name: cs87.can.transactcdn.com
Addresses: 2001:470:e5bf:64::c010:1f59
Aliases: www.verizon.com

Here the server responds with an IPv6 AAAA record with an address: 2001:470:e5bf:64::c010:1f59.  This is where the magic comes in. Under RFC 6052, the DNS server uses an algorithm to change the IPv4 address and add it to the last 32 bits of the IPv6 prefix.  So in the example above, the IPv6 prefix dedicated to the IPv4 to IPv6 translation is 2001:470:e5bf:64:0::/96.  The DNS server appends the IPv4 address using this algorithm to the prefix and sends it back to the requesting host.  So how do we setup the voodoo magic?

Tayga NAT64 for Linux (Ubuntu 18.04)

An easy and open source solution for this is Tayga.  You can install it on a virtual machine or any general purpose Linux OS.  Basic install instructions below along with the DNS64 part using Bind9 (reference RFC 6146).

  • Install the prerequisites for Ubuntu 18.04:
    • apt install build-essentials bind9
  • configure the server to forward an route IPv4 and IPv6 packets:
    • vim /etc/sysctl.conf
    • add the following:
      • net.ipv4.ip_forward=1
      • net.ipv6.conf.all.forwarding=1
    • then run the command after saving the file: sysctl -p
  • download the Tayga source (current version is 0.9.2: http://www.litech.org/tayga/tayga-0.9.2.tar.bz2
  • run these commands as root:
    • bzip2 -dk tayga-0.9.2.tar.bz2
    • tar -xvf tayga-0.9.2.tar
    • cd tayga-0.9.2
    • ./configure *make sure to fix any dependencies that Tayga requires
    • make
    • make install
  • Once installed, make a new directory for the IP address NAT mapping: mkdir -p /var/db/tayga
  • Now we need to add all our specific variables in the config file: vim /usr/local/etc/tayga.conf
    • tun-device nat64
    • ipv4-addr *change this to match the tunneled IPv4 address you’ll use – make sure it’s in the dynamic pool
    • prefix 2001:470:e5bf:64::/96 *change this to add your IPv6 prefix you’ll use – make sure it’s globally routable
    • dynamic-pool *change this to match the IPv4 address pool you are using
    • data-dir /var/db/tayga
  • Now, let’s get the application going – run these commands:
    • tayga –mktun
    • ip link set nat64 up
    • ip route add dev nat64 *change to match your IPv4 subnet/pool
      ip route add 2001:470:e5bf:64::/96 dev nat64 *change this to match your IPv6 pool
    • tayga

DNS64 – Bind9

  • vim /etc/bind/named.conf.options
  • add the following – change to match your IPv6 prefix:
dnssec-validation no;

auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
allow-query { any; };
dns64 2001:470:e5bf:64::/96 { clients { any; }; };
  • now start the service:
    • systemctl enable bind9
    • systemctl restart bind9

Test it out

Make sure this server’s IPv6 address is set as your resolver:

  • ensure you can resolve the IPv6 AAAA record of an IPv4 host
  • then connect and use – you are now IPv6-only

Please contact us for any of your IPv6 training, consulting or IPv6-only implementation needs!





Scroll to Top