Wednesday, July 24, 2019

DNS64 and dual stack hosts interaction

Good morning all,

I'm working on a plan for beginning to support IPv6 within our enterprise network. I know for sure that we will at some point have IPv6-only clients, and a large base of IPv4-only servers / clients. So I will need to utilize translation for some flows, using DNS64 to point to a NAT64 router. My concern is preventing the dual-stack clients from using the NAT64 router for unnecessary traffic. From what I have researched, for most operating systems, if there is an IPv6 interface available, when attempting to resolve a hostname the client will send both an AAAA request and an A request. Depending on the application, it may use the fastest connection (RFC Happy Eyeballs), but I'm more worried about our in-house software that likely does not have that capability and will prefer the NAT64-prefixed IPv6 address, forcing traffic to the NAT64 router.

I am not the most well versed in DNS, but one potential option I have seen is to use "filter-aaaa-on-v4", which would filter AAAA resolution for IPv4-sourced requests - but at that point I am locking those dual-stack hosts out of IPv6 entirely until they transition off of IPv4. What would be ideal, I think, is to prevent DNS64 from creating a synthesized NAT64-prefix AAAA record for DNS requests sourced from IPv4 transport, but not block valid AAAA records from being returned. I'm not sure if this is possible or exactly how to do it - any assistance would be appreciated!

Also if anyone has run into any gotchas with a mixed environment of IPv6 only / dual stack clients, this will be my first production environment running IPv6 so I am trying to figure out all the entanglements ahead of time - any tips would be appreciated.
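The policy the question is asking for (synthesize a NAT64-prefixed AAAA only for clients that actually need it, never for IPv4-transport queries, and never in place of a real AAAA) is exactly what a DNS64 client ACL expresses; in BIND that is the `clients` option of the `dns64` statement, e.g. `dns64 64:ff9b::/96 { clients { 2001:db8:64::/64; }; };`, which is independent of `filter-aaaa-on-v4`. The following is an added, self-contained model of that decision logic, not code from the original post or from any resolver; it uses the RFC 6052 well-known prefix `64:ff9b::/96`, a hypothetical IPv6-only subnet `2001:db8:64::/64` as the synthesis ACL, and constructed sample records.

```python
import ipaddress
from typing import List

# RFC 6052 well-known NAT64 prefix (a /96, so the IPv4 address sits in the low 32 bits).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Hypothetical address plan for this example: only this subnet is IPv6-only and
# should receive synthesized AAAA records. Dual-stack subnets are deliberately absent.
SYNTH_CLIENTS = [ipaddress.IPv6Network("2001:db8:64::/64")]

# AAAA answers inside these prefixes are treated as absent when deciding whether to
# synthesize (RFC 6147 section 5.1.4); IPv4-mapped addresses are the usual exclusion.
EXCLUDE = [ipaddress.IPv6Network("::ffff:0:0/96")]


def synthesize_aaaa(a_record: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in a /96 NAT64 prefix per RFC 6052 (the /96 case only)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(a_record)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def client_gets_synthesis(source: str) -> bool:
    """Synthesis is allowed only for IPv6-transport queries from the synth ACL.

    An IPv4-transport query can never receive a synthesized AAAA: a host that
    talks to the resolver over IPv4 has an IPv4 path and does not need NAT64.
    """
    addr = ipaddress.ip_address(source)
    if addr.version == 4:
        return False
    return any(addr in net for net in SYNTH_CLIENTS)


def resolve_aaaa(source: str, native_aaaa: List[str], a_records: List[str]) -> List[str]:
    """Return the AAAA RRset a policy-aware DNS64 resolver hands back to `source`.

    Native AAAA records always win, so dual-stack clients still reach IPv6-native
    services; synthesis happens only when no usable AAAA exists AND the client
    is in the synthesis ACL.
    """
    usable = [
        r for r in native_aaaa
        if not any(ipaddress.IPv6Address(r) in net for net in EXCLUDE)
    ]
    if usable:
        return usable
    if not client_gets_synthesis(source):
        return []
    return [synthesize_aaaa(a) for a in a_records]


if __name__ == "__main__":
    # Constructed sample data: one IPv4-only service and one dual-stack service.
    v4_only = ([], ["192.0.2.10"])
    dual = (["2001:db8:ffff::1"], ["192.0.2.20"])
    for src in ("192.0.2.50", "2001:db8:1::1", "2001:db8:64::1"):
        print(src, "v4-only ->", resolve_aaaa(src, *v4_only), "| dual ->", resolve_aaaa(src, *dual))
```

Run stand-alone, the script shows the three cases the question distinguishes: an IPv4-transport client and a dual-stack client outside the ACL get no synthesized AAAA for the IPv4-only service (they use its A record), the IPv6-only client gets `64:ff9b::c000:20a`, and every client gets the real AAAA for the dual-stack service. The same split is what `filter-aaaa-on-v4` cannot give you, since it drops native AAAA records along with synthesized ones.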
