To support the increasing number of IPv6 and dual-stack networks, Infoblox DNS servers now support DNS64, a mechanism that synthesizes AAAA records from A records when no AAAA records exist. When you enable DNS64 on an Infoblox DNS server, it can operate with a third-party NAT64 device so IPv6-only nodes can communicate with IPv4-only nodes without any changes to either of the devices.
As illustrated in Figure 17.3, when an IPv6-only host requests the AAAA record of an IPv4-only server and none exists, a DNS64-enabled server can retrieve the A record of the IPv4 server and synthesize an AAAA record. The IPv6-only host can then use the synthesized AAAA record, which contains the IPv6 proxy address for the IPv4 address in the original A record, to initiate communication with the IPv4 host.
Figure 17.3



Following are the steps illustrated in Figure 17.3:

  1. An IPv6-only host sends a recursive query for the AAAA record of the IPv4 server mail1.corpxyz.com.
  2. The Infoblox DNS server attempts to resolve the request for the AAAA record, and determines that an AAAA record for mail1.corpxyz.com does not exist. The DNS server then performs a query for the A record of mail1.corpxyz.com.
  3. The DNS server creates a synthetic AAAA resource record from the information in the A record, and returns the synthesized AAAA record to the requesting IPv6 host.
  4. The host receives the synthetic AAAA record and sends a packet to the destination address specified in the synthetic AAAA record. The packet is routed to the IPv6 interface of the NAT64 device, which translates the packet from IPv6 to IPv4 and forwards it to the server, mail1.corpxyz.com.

Infoblox DNS servers can return synthesized AAAA records to both IPv4 and IPv6 clients when the client explicitly requests an AAAA record and none exists for the requested host. If a host has multiple A records, the DNS server synthesizes an AAAA record for each A record.
Infoblox DNS servers can also synthesize records for reverse-mapping zones. When a DNS server receives a query for a PTR record in the IP6.ARPA domain whose address matches a configured DNS64 prefix, the server synthesizes a CNAME record that contains an IPv4 address derived from the IPv6 address in the query. The server then sends a query for the PTR record so it can resolve the IPv4 address to the hostname.
For example, if a DNS server that is configured to synthesize records for the prefix 2001:db8::/96 receives a query for the PTR record of 2001:db8::0102:0304, it synthesizes a CNAME record that points to 4.3.2.1.in-addr.arpa (the reverse-mapping name of the IPv4 address 1.2.3.4 embedded in the last 32 bits of the IPv6 address). The server then resolves the PTR record of 4.3.2.1.in-addr.arpa.
If the server obtains the PTR record, then it sends the synthesized CNAME record and the PTR record to the client. If the zone exists, but there is no PTR record, then the server sends the synthesized CNAME record only. If the zone does not exist, then the server responds with a SERVFAIL with no answers.
Additionally, Infoblox DNS servers can generate synthesized records for DNSSEC secure zones, but only for non-DNSSEC clients. A DNS client or resolver includes the EDNS OPT pseudo-RR with the DO (DNSSEC OK) bit set to indicate that it is requesting DNSSEC data. DNS servers can generate synthesized AAAA records only when the request does not have the DO bit set. This ensures that DNSSEC clients receive only valid responses (a synthesized AAAA record cannot carry a valid RRSIG).
For additional information about DNS64, refer to the following Internet drafts:


Configuring DNS64
You can enable DNS64 on both authoritative and recursive DNS servers. You can configure DNS64 at the Grid, member or DNS view level.
To configure DNS64 on Infoblox DNS servers:

  1. Create at least one DNS64 synthesis group. A synthesis group specifies the IPv6 prefix of the synthesized AAAA records. For more information, see Adding a DNS64 Synthesis Group.
  2. Optionally, specify additional parameters for the synthesis group. For more information, see Setting DNS64 Group Properties.
  3. Enable the DNS64 service and assign a synthesis group to the Grid, a member or a DNS view. For more information, see Enabling DNS64 Service.

On the NAT64 device, you must specify the IPv6 prefixes that are configured on the DNS server.

About Synthesis Groups

A synthesis group specifies, among other things, the IPv6 prefix for the synthesized AAAA records. Infoblox DNS servers provide a default DNS64 synthesis group with the well-known prefix 64:ff9b::/96, which is reserved for representing IPv4 addresses in the IPv6 address space. You can keep the default group, change the prefix or delete the group. You can also add a synthesis group for a Network-Specific Prefix (NSP), which is an IPv6 prefix assigned to an organization to create IPv6 representations of IPv4 addresses.
After you create a synthesis group, you can define rules to restrict the synthesis of AAAA records to certain IPv4 addresses and networks, and specify the DNS clients and networks to which the server can send synthesized AAAA records. For more information, see Setting DNS64 Group Properties.
Note that though you can control the synthesis of AAAA records, the DNS server always synthesizes CNAME records when it receives a query for an IPv6 PTR record whose address matches a prefix in a DNS64 synthesis group. You can also configure the DNS server to generate synthesized AAAA records for DNS queries that have the DO bit set.

Adding a DNS64 Synthesis Group

To add a synthesis group:

  1. From the Data Management tab, select the DNS tab -> DNS64 Groups tab, and then click the Add icon.
  2. In the DNS64 Synthesis Group wizard, complete the following:
    • Name: Enter a name for the group.
    • Prefix: The IPv6 prefix used for the synthesized AAAA records. The default is the well-known prefix 64:FF9B::/96. The prefix length must be /32, /40, /48, /56, /64 or /96, and all bits beyond the specified length must be zero.
    • Comment: Optionally, enter additional information about the group.
    • Disabled: Select this check box if you would like to disable the group at this time. Note that you cannot disable the group if it is the only group that is used by a Grid, member or DNS view that has DNS64 enabled.
    • Apply to queries requesting DNSSEC records: Select this to have the group generate synthesized AAAA records for DNS queries that request DNSSEC data (queries with the DO bit set).
  3. Click Next to define extensible attributes for the synthesis group. For information, see Using Extensible Attributes.
  4. Save the configuration.

Viewing DNS64 Synthesis Groups

To view synthesis groups, from the Data Management tab, select the DNS tab -> DNS64 Groups tab. This tab displays the following information about each group:

  • Name: The group name.
  • Prefix: The IPv6 prefix that is assigned to the group.
  • Comment: The comment that was entered for the group.
  • Site: The value of this attribute, if specified.

You can display the following additional column:

  • Disabled: Indicates whether the group is disabled.

You can do the following:

  • Modify some of the data in the table. Double click a row of data, and either edit the data in the field or select an item from a drop-down list. Note that some fields are read-only. For more information about this feature, see Modifying Data in Tables.
  • Edit the properties of a synthesis group.
    • Select the synthesis group, and then click the Edit icon.
  • Move a synthesis group to the Recycle Bin.
    • Select the synthesis group, and then click the Delete icon. Note that you cannot delete a synthesis group that is assigned to a Grid, member or DNS view.
  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
  • Create a quick filter to save frequently used filter criteria. For information, see Using Quick Filters.
  • Export the synthesis groups to a .csv file.
    • Click the Export icon.
  • Print the list of synthesis groups.
    • Click the Print icon.

Setting DNS64 Group Properties

After you create a DNS64 synthesis group, you can specify the following:

    • The IPv4 and IPv6 DNS clients and networks to which the DNS server is allowed to send synthesized AAAA records with the specified IPv6 prefix.
    • The IPv4 addresses and networks for which the DNS server can synthesize AAAA records with the specified prefix.
    • IPv6 addresses or prefix ranges that cannot be used by IPv6-only hosts, such as IP addresses in the ::ffff:0:0/96 network. When the DNS server retrieves an AAAA record that contains an IPv6 address that matches an excluded address, it does not return the AAAA record. Instead, it synthesizes an AAAA record from the A record.
      Note that a DNS server synthesizes the AAAA record of a host that has both A and AAAA records when all the IPv6 addresses in the AAAA records match the excluded addresses. If the host has multiple AAAA records and some of them contain excluded IPv6 addresses, then the server returns the remaining AAAA records.

You can add individual access control entries (ACEs) or use a named access control list (ACL) to define these clients. For information about how to define named ACLs, see Defining Named ACLs.
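How the three group properties above, together with the DO-bit rule from the overview, decide what an AAAA query gets back, as an added example (not Infoblox code): the client list, the mapped IPv4 list, the exclude list (defaulting to the ::ffff:0:0/96 network mentioned above) and the Apply to queries requesting DNSSEC records setting. Function and parameter names are assumptions; only a /96 prefix is handled here.

```python
import ipaddress

def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Synthesize an AAAA address for a /96 group prefix: prefix bits followed by the IPv4 bits."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))

def _in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the listed networks (IPv4/IPv6 mismatches never match)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def dns64_aaaa_answer(client: str, aaaa_records, a_records, do_bit: bool = False, *,
                      prefix: str = "64:ff9b::/96",
                      clients=("0.0.0.0/0", "::/0"),   # "Perform DNS64 synthesis for these clients"
                      mapped=("0.0.0.0/0",),           # "Mapped IPv4 Addresses"
                      exclude=("::ffff:0:0/96",),      # "Exclude IPv6 addresses"
                      apply_to_dnssec: bool = False):  # "Apply to queries requesting DNSSEC records"
    """Return the AAAA addresses the server answers with, following the rules on this page."""
    real = list(aaaa_records)
    # A DNSSEC-aware client (DO bit set) gets synthesized data only if the group opts in.
    if do_bit and not apply_to_dnssec:
        return real
    # Clients outside the client list never receive synthesized records.
    if not _in_any(client, clients):
        return real
    # Existing AAAA records are returned unless every one of them is on the exclude list.
    usable = [a for a in real if not _in_any(a, exclude)]
    if usable:
        return usable
    # Nothing usable: synthesize one AAAA per A record, but only for mapped IPv4 addresses.
    return [embed_ipv4(prefix, a) for a in a_records if _in_any(a, mapped)]
```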
To configure DNS64 group properties:

  1. From the Data Management tab, select the DNS tab -> DNS64 Groups tab -> group check box -> Edit icon.
  2. In the General tab of the DNS64 Synthesis Groups editor, you can do the following:
    • Modify the name, prefix or comment.
    • Select the Disabled check box, if you want to disable the group at this time.
    • Select the Apply to queries requesting DNSSEC records check box to have the DNS server generate synthesized AAAA records for DNS queries that request DNSSEC data (queries with the DO bit set).
    Perform DNS64 synthesis for these clients: Specify IPv4 and IPv6 hosts and networks to which Infoblox DNS servers can send synthesized AAAA records. The default is to allow any IPv4 and IPv6 address and network. Select one of the following:
    • None: Select this if you do not want to define specific addresses or networks to which the appliance sends synthesized AAAA records. When you select this, the appliance sends synthesized AAAA records to all clients. This is selected by default.
    • Named ACL: Select this and click Select Named ACL to select a named ACL. Grid Manager displays the Named ACLs Selector. Select the named ACL you want to use. If you have only one named ACL, Grid Manager automatically displays the named ACL. When you select this option, the appliance sends synthesized AAAA records to the clients that have the Allow permission in the list. You can click Clear to remove the selected named ACL.
    • Set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows.
      • IPv4 Address and IPv6 Address: Select this to add an IPv4 address or IPv6 address. Click the Value field and enter the IP address. The Permission column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
      • IPv4 Network: In the Add IPv4 Network panel, complete the following, and then click Add to add the network to the list:
        • Address: Enter an IPv4 network address and either type a netmask or move the slider to the desired netmask.
        • Permission: Select Allow or Deny from the drop-down list.
      • IPv6 Network: In the Add IPv6 Network panel, complete the following, and then click Add to add the network to the list:
        • Address: Enter an IPv6 network address and select the netmask from the drop-down list.
        • Permission: Select Allow or Deny from the drop-down list.
      • Any Address/Network: Select this to allow or deny any IP addresses to which the appliance sends synthesized AAAA records.
    Mapped IPv4 Addresses: Specify IPv4 addresses and networks for which the DNS server synthesizes AAAA records. The default is to allow the DNS server to synthesize AAAA records for any IPv4 address in any network. Select one of the following:
    • None: Select this if you do not want to define specific IPv4 addresses or networks for which the DNS server synthesizes AAAA records. The appliance synthesizes AAAA records for all IPv4 clients. This is selected by default.
    • Named ACL: Select this and click Select Named ACL to select a named ACL. Grid Manager displays the Named ACLs Selector. Select the named ACL you want to use. If you have only one named ACL, Grid Manager automatically displays the named ACL. When you select this option, the appliance synthesizes AAAA records for the clients that have the Allow permission in the list. You can click Clear to remove the selected named ACL.
    • Set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows.
      • IPv4 Address: Select this to add an IPv4 address. Click the Value field and enter the IP address. The Permission column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
      • IPv4 Network: In the Add IPv4 Network panel, complete the following, and then click Add to add the network to the list:
        • Address: Enter an IPv4 network address and either type a netmask or move the slider to the desired netmask.
        • Permission: Select Allow or Deny from the drop-down list.
      • Any Address/Network: Select this to allow or deny any IPv4 addresses for which the appliance synthesizes AAAA records.
      After you have added access control entries, you can do the following:
      • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
      • Reorder the list of ACEs using the up and down arrows next to the table.
      • Select an ACE and click the Edit icon to modify the entry.
      • Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
    Exclude IPv6 addresses: Specify IPv6 addresses of AAAA records that the appliance treats as nonexistent. The DNS server does not return the AAAA record of an address from this list. Instead, it synthesizes an AAAA record from the A record.
    • None: Select this if you do not want to define specific IPv6 addresses or networks of AAAA records that the appliance treats as nonexistent. The appliance treats all IPv6 addresses as nonexistent. This is selected by default.
    • Named ACL: Select this and click Select Named ACL to select a named ACL. Grid Manager displays the Named ACLs Selector. Select the named ACL you want to use. If you have only one named ACL, Grid Manager automatically displays the named ACL. When you select this option, the appliance synthesizes AAAA records from A records for the clients that have the Allow permission in the list. You can click Clear to remove the selected named ACL.
    • Set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows.
      • IPv6 Address: Select this to add an IPv6 address. Click the Value field and enter the IP address. The Permission column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
      • IPv6 Network: In the Add IPv6 Network panel, complete the following, and then click Add to add the network to the list:
        • Address: Enter an IPv6 network address and select the netmask from the drop-down list.
        • Permission: Select Allow or Deny from the drop-down list.
      • Any Address/Network: Select this to allow or deny any IP addresses of AAAA records that the appliance treats as nonexistent.
      After you have added access control entries, you can do the following:
      • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
      • Reorder the list of ACEs using the up and down arrows next to the table.
      • Select an ACE and click the Edit icon to modify the entry.
      • Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
    • Extensible Attributes: You can modify the attributes. For information, see Using Extensible Attributes.
    • Permissions: This tab is displayed if you are logged in as a superuser. For information, see About Administrative Permissions.
  3. Save the configuration and click Restart if it appears at the top of the screen.

Enabling DNS64 Service

You can enable DNS64 at the Grid, member, and DNS view level. At least one DNS64 synthesis group must be configured before you can enable DNS64.
To enable DNS64 and apply DNS64 synthesis groups:

  1. Open the DNS properties editor for the level you want to configure:
    • Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    • Member: From the Data Management tab, select the DNS tab -> Members tab -> member check box -> Edit icon.
    • DNS View: From the Data Management tab, select the DNS tab -> Zones tab -> dns_view check box -> Edit icon.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. In the Grid and Member DNS Properties editor, click Toggle Advanced Mode, and then click DNS64. In the View DNS Properties editor, just click DNS64.
  3. Do the following in the DNS64 tab:
    • Enable DNS64: Select this check box.
    • Synthesis Groups: Click the Add icon and select a synthesis group.
  4. Save the configuration and click Restart if it appears.