LEdoian
/
blog
1
0
Fork 0
Code Releases Activity

Fix footnotes

Browse Source
pub/forgetting-dns6
LEdoian 11 months ago
parent 608ea678e6
commit d502585320
1 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File

37
content/forgetting-dns6.rst
Unescape Escape View File

@ -42,9 +42,7 @@ There are :s:few many sites that still only support IPv4. To reach them, we
need someone, who can reach both the IPv4- and IPv6-land, to go there on our need someone, who can reach both the IPv4- and IPv6-land, to go there on our
behalf a proxy. This proxy can be ad-hoc (I often use ``ssh -D``), or there behalf a proxy. This proxy can be ad-hoc (I often use ``ssh -D``), or there
are well-known protocols like NAT64 with DNS64 to do that in a standard and are well-known protocols like NAT64 with DNS64 to do that in a standard and
lightweight manner.[^This is very much the same as when you try to reach the lightweight manner. [#nat44]_
IPv4-public-land from IPv4-private-land, that is, from a private range of IP
addresses. This is called either just NAT, or NAT44, meaning IPv4-to-IPv4 NAT.]
In that case, the connection looks like this: In that case, the connection looks like this:
.. figure:: {static}/images/forgetting-dns6/image3.svg .. figure:: {static}/images/forgetting-dns6/image3.svg
@ -58,8 +56,7 @@ What I think you didn't know, you need similar workaround to reach the Wikipedia
Disclaimer: While I am sad that GitHub lives in the past and it is stupid that Disclaimer: While I am sad that GitHub lives in the past and it is stupid that
they do not have IPv6, I do not want to shame Wikipedia in particular. they do not have IPv6, I do not want to shame Wikipedia in particular.
It is just an example I found out recently. I am aware of several other It is just an example I found out recently. I am aware of several other
sites suffering from the same problem, including at least one IPv6 test.[^There sites suffering from the same problem, including at least one IPv6 test. [#test-aaaa]_ (It would
are several more tests that do not even have the AAAA record, lol.] (It would
be nice if they added the missing piece in the puzzle, though.) be nice if they added the missing piece in the puzzle, though.)
Enter DNS Enter DNS
@ -75,9 +72,7 @@ There are three interesting types of records: A records give IPv4 addresses,
AAAA give IPv6 addresses, and NS give names of servers who know about the AAAA give IPv6 addresses, and NS give names of servers who know about the
particular subtree of the database. And to actually resolve the final AAAA particular subtree of the database. And to actually resolve the final AAAA
record, the (recursive) resolver starts at the *root zone* and tries to find record, the (recursive) resolver starts at the *root zone* and tries to find
the answer.[^In my example, there is a recursive DNS resolver external to my the answer. [#dns-simplification]_ The resolution algorithm can be visualised like this:
machine, in order not to complicate it too much. Yes, the real deployment is
often trickier.] The resolution algorithm can be visualised like this:
.. figure:: {static}/images/forgetting-dns6/image4.svg .. figure:: {static}/images/forgetting-dns6/image4.svg
:width: 100% :width: 100%
@ -103,11 +98,7 @@ similar to the SSH, NAT64 and NAT44 ones mentioned earlier. This may not be
much of a problem for many people. But if you have any reason to use your own much of a problem for many people. But if you have any reason to use your own
recursive DNS server (privacy reasons, DNSSEC validation, ISP provides bad recursive DNS server (privacy reasons, DNSSEC validation, ISP provides bad
service, you are the ISP, …) *inside* an IPv6-only network, you *will* have service, you are the ISP, …) *inside* an IPv6-only network, you *will* have
issues.[^I have not yet tried to run a recursive DNS in a network with DNS64 issues. [#dns-behind-nat64]_
and NAT64. Could be fun :-D My wild guess is that I would need CLAT (i.e. the
full 464XLAT deployment) to make that work, since the resolver is connecting
directly to IPv4 addresses and would need to learn to use NAT64 to resolve
them. (The CLAT could be built right into the resolver, though).]
Example: Wikipedia Example: Wikipedia
================== ==================
@ -310,3 +301,23 @@ subdomain, which, incidentally, was the *only* one that was IPv6-capable.
So, while all the correct records were present in DNS (somewhat/somewhere), this still So, while all the correct records were present in DNS (somewhat/somewhere), this still
meant that IPv6-only resolution was doomed to fail, because the IPv6 nameserver meant that IPv6-only resolution was doomed to fail, because the IPv6 nameserver
chain was broken. chain was broken.
-----
.. [#nat44] This is very much the same as when you try to reach the
IPv4-public-land from IPv4-private-land, that is, from a private range of IP
addresses. This is called either just NAT, or NAT44, meaning IPv4-to-IPv4 NAT.
.. [#test-aaaa] There are several more tests that do not even have the AAAA
record, lol.
.. [#dns-simplification] In my example, there is a recursive DNS resolver external to my machine,
in order not to complicate it too much. Yes, the real deployment is often
trickier.
.. [#dns-behind-nat64] I have not yet tried to run a recursive DNS in a network
with DNS64 and NAT64. Could be fun :-D My wild guess is that I would need
CLAT (i.e. the full 464XLAT deployment) to make that work, since the
resolver is connecting directly to IPv4 addresses and would need to learn to
use NAT64 to resolve them. (The CLAT could be built right into the resolver,
though).

Write Preview
Loading…
Cancel
Save