Ecdysis: open-source implementation of a NAT64 gateway



Instructions

Standalone DNS translator

Instructions for stand-alone implementation:

# This is a very simple implementation of DNS64. It listens for DNS queries on
# UDP port 53. It relays the query. When the answer section of an AAAA query
# response is empty, it generates an A query and converts the A records into
# AAAA records, prefixing them with the DNS64 prefix (configured below).
#
#
# Bugs:
#
#  - It is slow. We don't care, that's not the point. The point is to be able to
#    experiment in a quick prototyping language (in this case, Perl).
#
#  - Error handling is deficient. We also don't care. What's important is to not
#    clutter the code with error handling statements. Only the bare minimum is
#    included.
#
#  - Only a single request is processed at a time. This is a variant of "slow"
#    above.
#
#
# Notes:
#
#  - Some modules are needed. To install them using CPAN, use the following:
#
#      # perl -MCPAN -e 'install IO::Socket::INET6 Net::DNS NetAddr::IP::Util'
#
#  - Remember that it is necessary to run as root to bind to port 53 on many
#    systems.

All configuration parameters are at the top of the Perl source code.

- Set the $PREF64 variable to your DNS64 prefix. It must be a /96 or shorter.
For example:

    my $PREF64 = "64:FF9B::/96";

- By default, requests are forwarded to the system-configured DNS servers
(usually in /etc/resolv.conf). If you want to change this, edit the
@NAMESERVERS array. For example:

    my @NAMESERVERS = qw(2620:0:230:8000::2 206.123.31.2);

To test that things are working right, perform a query against dns64.pl for a
domain name for which no AAAA record exists. You should see a AAAA record in
the answer section. The corresponding IPv6 address will be inside the DNS64
prefix. For example:

    $ ./dns64.pl &
    $ dig @localhost jazz-v4.viagenie.ca aaaa
    [...]
    ;; ANSWER SECTION:
    jazz-v4.viagenie.ca.        86400   IN      AAAA    64:ff9b::ce7b:1f02


Unbound

To enable DNS64 functionality in Unbound, two directives in unbound.conf must
be edited:

1. The "module-config" directive must start with "dns64". For example:

    module-config: "dns64 validator iterator"

If you're not using DNSSEC then you may remove "validator".

2. The "dns64-prefix" directive indicates your DNS64 prefix. For example:

    dns64-prefix: 64:FF9B::/96

The prefix must be a /96 or shorter.

To test that things are working right, perform a query against Unbound for a
domain name for which no AAAA record exists. You should see a AAAA record in
the answer section. The corresponding IPv6 address will be inside the DNS64
prefix. For example:

    $ unbound -c unbound.conf
    $ dig @localhost jazz-v4.viagenie.ca aaaa
    [...]
    ;; ANSWER SECTION:
    jazz-v4.viagenie.ca.        86400   IN      AAAA    64:ff9b::ce7b:1f02

Bind

In named.conf, specify your DNS64 prefix with the dns64-prefix option. For
example:

    options {
        dns64-prefix 64:FF9B::/96;
    };

The prefix must be a /96 or shorter.

To test that things are working right, perform a query against Bind for a
domain name for which no AAAA record exists. You should see a AAAA record in
the answer section. The corresponding IPv6 address will be inside the DNS64
prefix. For example:

    $ named -c named.conf
    $ dig @localhost jazz-v4.viagenie.ca aaaa
    [...]
    ;; ANSWER SECTION:
    jazz-v4.viagenie.ca.        86400   IN      A       206.123.31.2
    jazz-v4.viagenie.ca.        86400   IN      AAAA    64:ff9b::ce7b:1f02
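The dig checks in the three DNS64 sections above can be verified mechanically. The following Python is an added example, not part of the Ecdysis code: it embeds an A record in the DNS64 prefix and flags AAAA answers that do not match. The function names are hypothetical, and for prefixes shorter than /96 it assumes the RFC 6052 layout, which goes beyond the /96 case shown on this page.

```python
import ipaddress

# RFC 6052 prefix lengths (assumption); the page only requires "a /96 or shorter".
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

def _v4_offsets(plen):
    """Byte offsets that carry the four IPv4 octets; byte 8 (bits 64-71) stays zero."""
    if plen not in RFC6052_LENGTHS:
        raise ValueError(f"/{plen} is not an RFC 6052 prefix length")
    offsets, i = [], plen // 8
    while len(offsets) < 4:
        if i != 8:
            offsets.append(i)
        i += 1
    return offsets

def synthesize(pref64, ipv4):
    """Embed an IPv4 address in the DNS64 prefix, as a DNS64 resolver would."""
    net = ipaddress.IPv6Network(pref64)
    raw = bytearray(net.network_address.packed)
    for off, octet in zip(_v4_offsets(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        raw[off] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(pref64, ipv6):
    """Return the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net = ipaddress.IPv6Network(pref64)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(bytes(addr.packed[o] for o in _v4_offsets(net.prefixlen)))

def check_answer(pref64, a_records, aaaa_records):
    """Return the AAAA records that are not a synthesis of one of the A records."""
    expected = {synthesize(pref64, a) for a in a_records}
    return [r for r in aaaa_records if ipaddress.IPv6Address(r) not in expected]

if __name__ == "__main__":
    # Values from the dig output above: A 206.123.31.2, AAAA 64:ff9b::ce7b:1f02.
    print(synthesize("64:FF9B::/96", "206.123.31.2"))
    print(extract("64:FF9B::/96", "64:ff9b::ce7b:1f02"))
    # Constructed bad answer: an AAAA that does not embed the A record.
    print(check_answer("64:FF9B::/96", ["206.123.31.2"], ["64:ff9b::ce7b:1f03"]))
```

A non-empty result from check_answer means the resolver returned an AAAA record that does not correspond to the domain's A records under the configured prefix.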

NAT64 in PF

For the binary distribution (pf_nat64-0.1-amd64.tgz), run './install.sh'. This script will replace your current kernel, pfctl, systat, tcpdump. The old ones will have the ".old" extension added.

For the source distribution (pf_nat64-0.1.tgz), apply 'pf_nat64.patch' to the OpenBSD 4.6 tree and go through the usual OpenBSD compilation and installation process. See the README inside the package for more details.

Add the following rule into /etc/pf.conf:

    nat64 from any to PREFIX -> a.b.c.d

Set PREFIX to 64:ff9b::/96 to use the well-known nat64 prefix. Set a.b.c.d to the nat64 ipv4 address. There is currently a conflict with any other rule that would try to establish state for the same packets. Please ensure that your "pass" and "block" rules do not also apply to packets handled by the nat64 rule. The nat64 rule has the same syntax as the nat rule.

NAT64 in Linux

Requirement: kernel 2.6.31

Compilation:

    make

Installation:

    make install

Configuration: edit ./nat64-config.sh to fit your environment.