Frank Denis edited this page May 20, 2025 · 1 revision

DNS64

DNS64 is a mechanism that allows IPv6-only clients to connect to IPv4-only services through a translation layer. It works by synthesizing AAAA (IPv6) records from A (IPv4) records, using specific IPv6 prefixes.

When to Use DNS64

You should only enable DNS64 if you're in an IPv6-only network and need to access IPv4-only services. Common scenarios include:

  • IPv6-only networks with NAT64 translation
  • Mobile networks that have deployed IPv6-only infrastructure with NAT64
  • Testing environments for IPv6 transition scenarios

IMPORTANT: Do not enable DNS64 unless you know exactly what it is and why you need it. Enabling it on a dual-stack network will likely cause connectivity issues.

Configuration

To enable DNS64 in dnscrypt-proxy, add the following section to your dnscrypt-proxy.toml configuration file:

[dns64]
# Option 1: Static prefix(es) as Pref64::/n CIDRs
prefix = ['64:ff9b::/96']

# Option 2: DNS64-enabled resolver(s) for prefix discovery
# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']

Configuration Options

You have two options to configure DNS64:

Option 1: Static Prefixes

You can specify one or more static IPv6 prefixes to use for synthesizing AAAA records:

prefix = ['64:ff9b::/96']

The Well-Known Prefix 64:ff9b::/96 is standardized in RFC 6052 and is commonly used for DNS64/NAT64 deployments. Your network administrator may provide you with different prefixes for custom deployments.

Option 2: Prefix Discovery

Alternatively, you can configure dnscrypt-proxy to discover the prefix from DNS64-enabled resolvers:

resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']

These resolvers are used to query for the Well-Known IPv4-only Name "ipv4only.arpa." to discover the prefix.

Note: If both options are configured, only static prefixes will be used.

How DNS64 Works

When DNS64 is enabled, dnscrypt-proxy will:

  1. Try to resolve an AAAA (IPv6) record for the requested domain normally
  2. If no AAAA record exists, resolve the A (IPv4) record
  3. If an A record is found, synthesize an AAAA record by embedding the IPv4 address into the configured IPv6 prefix

For example, if a domain has only an A record with IPv4 address 203.0.113.1 and the prefix is 64:ff9b::/96, DNS64 will synthesize an AAAA record with IPv6 address 64:ff9b::203.0.113.1 (written entirely in hexadecimal, that is 64:ff9b::cb00:7101).

Compatibility with NAT64

DNS64 is designed to work with NAT64, a translation mechanism that allows IPv6-only clients to connect to IPv4-only services. When a client uses the synthesized AAAA record to connect to a service, the NAT64 gateway will:

  1. Extract the embedded IPv4 address from the IPv6 destination address
  2. Create a connection to the IPv4 destination
  3. Translate between IPv6 and IPv4 for the duration of the connection

Your network must have a NAT64 gateway configured to use the same prefix as your DNS64 configuration for this to work properly.
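
The embedding done by DNS64 and the extraction done by the NAT64 gateway, as an added Go example (not dnscrypt-proxy's own code; the names slots, Synthesize and Extract are illustrative). It goes beyond the /96 case shown above and handles the other prefix lengths RFC 6052 allows, where the IPv4 bytes are split around a reserved zero octet.

```go
package main // added example; names are illustrative, not dnscrypt-proxy's own code

import (
	"fmt"
	"net/netip"
)

// slots lists the byte offsets carrying the IPv4 address for an RFC 6052 prefix length.
func slots(p netip.Prefix) (s [4]int, ok bool) {
	switch p.Bits() {
	case 32, 40, 48, 56, 64, 96:
		ok = p.Addr().Is6()
	}
	for i, pos := 0, p.Bits()/8; ok && i < 4; pos++ {
		if pos != 8 { // bits 64..71 are reserved and stay zero
			s[i] = pos
			i++
		}
	}
	return s, ok
}

// Synthesize builds the AAAA address a DNS64 resolver would return for an A record.
func Synthesize(p netip.Prefix, v4 netip.Addr) (netip.Addr, error) {
	s, ok := slots(p)
	if !ok || !v4.Is4() {
		return netip.Addr{}, fmt.Errorf("cannot embed %v in %v", v4, p)
	}
	out, src := p.Masked().Addr().As16(), v4.As4()
	for i, pos := range s {
		out[pos] = src[i]
	}
	return netip.AddrFrom16(out), nil
}

// Extract recovers the IPv4 destination the way a NAT64 gateway using prefix p would.
func Extract(p netip.Prefix, v6 netip.Addr) (netip.Addr, error) {
	s, ok := slots(p)
	if !ok || !p.Contains(v6) {
		return netip.Addr{}, fmt.Errorf("%v is not inside %v", v6, p)
	}
	in := v6.As16()
	return netip.AddrFrom4([4]byte{in[s[0]], in[s[1]], in[s[2]], in[s[3]]}), nil
}

func main() {
	fmt.Println(Synthesize(netip.MustParsePrefix("64:ff9b::/96"), netip.MustParseAddr("203.0.113.1")))
}
```

Extract returns an error when the address was synthesized under a different prefix than the one passed in, which is the DNS64/NAT64 prefix mismatch described above.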

Troubleshooting

If you experience connectivity issues after enabling DNS64:

  1. Verify that you need DNS64: If you have IPv4 connectivity, you likely don't need DNS64.
  2. Check prefix configuration: Ensure the prefix matches what your NAT64 gateway is using.
  3. Disable other DNS64 services: Having multiple DNS64 services can cause conflicts.
  4. Test with specific domains: Try accessing a known IPv4-only website to verify DNS64 is working.

For debugging, you can use tools like dig or nslookup to query for AAAA records and see if they're being properly synthesized.
