16.3 DNS64 and NAT64
16.3.1 Oveview
The DNS64 function converts the DNS AAAA queries sent from IPv6 clients to DNS A queries and then converts the DNS A responses to DNS AAAA responses. This ensures that IPv6 clients can access IPv4 servers. The FortiBalancer appliance returns the translated IPv6 addresses to IPv6 clients. When IPv6 clients use these IP addresses to access IPv6 servers, the NAT64 (Network Address Translation IPv6 to IPv4) function converts the IPv6 packets sent from these clients to IPv4 packets. When the FortiBalancer appliance receives IPv4 packets from IPv4 servers, the NAT64 function converts IPv4 packets to IPv6 packets. This ensures that IPv6 clients can communicate with IPv4 servers normally. The DNS64 and NAT64 functions can be deployed on two FortiBalancer appliances separately, or deployed on one FortiBalancer appliance.
16.3.2 Working Mechanism
The DNS64 and NAT64 functions are applicable to the “IPv6 to IPv4” scenario, as shown in the following figure.
Figure 16-2 “IPv6 to IPv4” Application Scenario The working process of the DNS64 and NAT64 functions is as follows:
- An IPv6 client (2012:1081::a03:30b) sends a DNS AAAA query to the FortiBalancer appliance (2012:1001::3ff:40b) to resolve the domain name “www.example.com”.
- The FortiBalancer appliance sends the DNS AAAA query to the DNS AAAA authoritative server for the domain name.
- If the DNS AAAA authoritative server has no AAAA record for the domain name, it will return an empty DNS AAAA response to the FortiBalancer appliance. The FortiBalancer appliance will ignore this response.
- The FortiBalancer appliance waits for 100 ms after sending the DNS AAAA query. If the FortiBalancer appliance does not receive any valid DNS AAAA response, it will send a DNS A query to the DNS A authoritative server for the domain name.
- The FortiBalancer appliance receives the DNS A response (for example, A: www.example.com – 192.168.2.10) from the DNS A authoritative server.
- The FortiBalancer appliance converts the DNS A response to a DNS AAAA response (for example, AAAA: example.com – 64:ff9b::192.168.2.10) by adding the configured IPv6 prefix. Then, the FortiBalancer appliance returns the converted DNS AAAA response to the IPv6 client.
- The IPv6 client uses the converted IPv6 address to access “www.example.com”.
- The FortiBalancer appliance converts the IPv6 packet (src: 2012:1081::a03:30b; dst:
64:ff9b::192.168.2.10) sent from the client to an IPv4 packet (src: 192.168.2.1; dst: 192.168.2.10), and sends the IPv4 packet to the target IPv4 server.
Figure 16-3 NAT64 Address Translation
- The IPv4 sever returns an IPv4 packet (src: 192.168.2.10; dst: 192.168.2.1) to the FortiBalancer appliance.
- The FortiBalancer appliance converts the IPv4 packet to an IPv6 packet (src:
64:ff9b::192.168.2.10; dst: 2012:1081::a03:30b) and returns the IPv6 packet to the IPv6 client.
16.3.3 Application Notes
The DNS64 function can be enabled on only one DNS virtual service. This virtual service, acting as the DNS proxy, converts DNS AAAA queries to DNS A queries and then converts DNS A responses to DNS AAAA responses.
To make the DNS64 function work properly, you need to configure the “default” and “backup” policies for this virtual service. The FortiBalancer appliance forwards DNS AAAA queries based on the “default” policy and forwards DNS A queries based on the “backup” policy. Therefore, the real servers associated with the “default” policy should be DNS servers that can answer AAAA records, and those associated with the “backup” policy should be DNS servers that can answer A records.
16.3.4 Configuring DNS64 and NAT64
- web UI:
- Select System Configuration > Advanced Networking > IP Pool. In the Add IP Pool area, specify the required parameters and click the Add action link to save the configuration.
- Select Server Load Balance > Real Services > Real Services. In the SLB Real Services Configuration area, click the Add Real Service Entry action link. In the Add
Real Service Entry area of displayed page, specify the required parameters and click Save to save the configuration.
- Select Server Load Balance > Groups > Groups. In the Add Group area, specify the required parameters and click the Add action link. In Groups List, double-click the newly added group. In the Group Members area of the displayed page, click the Add action link. In the Add Group Member area of the displayed page, specify the required parameters and click Save to save the configuration.
- Select Server Load Balance > Virtual Services > Virtual Services. In the Add Virtual Service area, specify the required parameters and click the Add action link. In
Virtual Service List, double-click the newly added virtual service. In the Associate
Groups area of the displayed page, associate the virtual service with the “default” or “backup” policy and click the Add action link.
- Select System Configuration > NAT > V4/V6 NAT. In the DNS64 Configuration area, specify the required parameters and click the Set action link to save the configuration.
- In the NAT64 Configuration area, specify the required parameters and click the Set action link to save the configuration.
- CLI:
- Execute the following command to add an IPv4 address pool:
ip pool <pool_name> <start_ip> [end_ip]
For example:
FortiBalancer(config)#ip pool NAT64_pool 192.168.2.1
- Execute the following commands to complete SLB configurations:
slb real dns <real_name> <ip> <port> [max_conn]
[dns|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns|none] [hc_up] [hc_down] [timeout] slb real enable <real_name> slb group method <group_name> [algorithm] slb group member <group_name> <real_name> [weight|cookie|url] [priority] slb virtual dns <virtual_name> <vip> [vport] [arp|noarp] [max_conn] slb policy default {virtual_name|vlink_name} {group_name|vlink_name} slb policy backup {virtual_name|vlink_name} {group_name|vlink_name} |
For example:
FortiBalancer(config)#slb real dns dns_rs1 192.168.2.2
FortiBalancer(config)#slb real dns dns_rs2 192.168.2.3
FortiBalancer(config)#slb group method g1 rr
FortiBalancer(config)#slb group member g1 dns_rs1
FortiBalancer(config)#slb group method g2 rr
FortiBalancer(config)#slb group member g2 dns_rs2
FortiBalancer(config)#slb virtual dns dns_vs1 2012:1001::3ff:40b
FortiBalancer(config)#slb policy default dns_vs1 g1
FortiBalancer(config)#slb policy backup dns_vs1 g2
FortiBalancer(config)#slb real enable dns_rs1
FortiBalancer(config)#slb real enable dns_rs2
Note: The DNS virtual service on which the DNS64 function is enabled can be associated with groups by using the “default” or “backup” policy only.
- Execute the following commands to configure the DNS64 function:
ipv6 dns64 on <vs_name> ipv6 dns64 prefix <dns64_prefix> For example:
FortiBalancer(config)#ipv6 dns64 on dns_vs1
FortiBalancer(config)#ipv6 dns64 prefix “64:ff9b::”
- Execute the following commands to configure the NAT64 function:
ipv6 nat64 on
ipv6 nat64 ippool <ipv4_pool_name> ipv6 nat64 prefix <nat64_prefix> ipv6 nat64 timeout <idle_timeout>
For example:
FortiBalancer(config)#ipv6 nat64 on
FortiBalancer(config)#ipv6 nat64 ippool NAT64_pool
FortiBalancer(config)#ipv6 nat64 prefix “64:ff9b::”
FortiBalancer(config)#ipv6 nat64 timeout 300
Note: If the DNS64 and NAT64 functions need to work together on one
FortiBalancer appliance, make sure that the values of the parameters “dns64_prefix” and “nat64_prefix” are the same.
Hello,
Figures are missing.
Could you upload them again ?
Thanks
Eric