1. Общая схема процесса:
2. Настройка DNS64 (пример для Debian):
root@sneaky-work:/home/kim# cat /etc/bind/named.conf.options
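// Address match list for the IPv6 network that is allowed to use this
// resolver (and, through DNS64, NAT64). Keep it no wider than the client
// prefixes actually served.
acl "ipv6net1" { 2A02:x:x:x::/40; ::1; };
options {
  directory "/var/cache/bind";
  // If there is a firewall between you and nameservers you want
  // to talk to, you may need to fix the firewall to allow multiple
  // ports to talk. See http://www.kb.cert.org/vuls/id/800113
  // If your ISP provided one or more IP addresses for stable
  // nameservers, you probably want to use them as forwarders.
  // Uncomment the following block, and insert the addresses replacing
  // the all-0's placeholder.
  forwarders {
    2A02:x:x:x::116;
    2001:4860:4860::8844;
    2001:4860:4860::8888;
  };
  // Restrict who may query and, in particular, who may recurse through
  // this server. With listen-on-v6 { any; } and allow-query left
  // commented out, every IPv6 host that can reach the server gets
  // recursive DNS64 service: an open resolver that can be abused for
  // reflection/amplification. Both lists use the ACL defined above.
  allow-query { "ipv6net1"; };
  allow-recursion { "ipv6net1"; };
  // DNS64: synthesize AAAA records from A records inside this /64.
  // The prefix must be the same one configured as the stateful NAT64
  // prefix on the router, otherwise synthesized addresses are unroutable.
  dns64 2A02:x:x:x::/64 {
    // Synthesize only for recursive queries, never for authoritative data.
    recursive-only yes;
    // Clients that receive synthesized answers; allow-query above already
    // narrows this to "ipv6net1".
    clients { any; };
    // IPv4 addresses (from A records) that may be mapped into the prefix.
    mapped { any; };
    // AAAA answers within these prefixes are ignored so that the A record
    // is mapped instead: the client LAN itself and the well-known NAT64
    // prefix 64:ff9b::/96.
    exclude { 2A02:x:x:x:1::/64; 64:ff9b::/96; };
  };
  //========================================================================
  // If BIND logs error messages about the root key being expired,
  // you will need to update your keys. See https://www.isc.org/bind-keys
  //========================================================================
  dnssec-validation auto;
  auth-nxdomain no; # conform to RFC1035
  listen-on-v6 { any; };
};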
2. Настройка DNS64 (пример для Debian):
root@sneaky-work:/home/kim# cat /etc/bind/named.conf.options
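// Address match list for the IPv6 network that is allowed to use this
// resolver (and, through DNS64, NAT64). Keep it no wider than the client
// prefixes actually served.
acl "ipv6net1" { 2A02:x:x:x::/40; ::1; };
options {
  directory "/var/cache/bind";
  // If there is a firewall between you and nameservers you want
  // to talk to, you may need to fix the firewall to allow multiple
  // ports to talk. See http://www.kb.cert.org/vuls/id/800113
  // If your ISP provided one or more IP addresses for stable
  // nameservers, you probably want to use them as forwarders.
  // Uncomment the following block, and insert the addresses replacing
  // the all-0's placeholder.
  forwarders {
    2A02:x:x:x::116;
    2001:4860:4860::8844;
    2001:4860:4860::8888;
  };
  // Restrict who may query and, in particular, who may recurse through
  // this server. With listen-on-v6 { any; } and allow-query left
  // commented out, every IPv6 host that can reach the server gets
  // recursive DNS64 service: an open resolver that can be abused for
  // reflection/amplification. Both lists use the ACL defined above.
  allow-query { "ipv6net1"; };
  allow-recursion { "ipv6net1"; };
  // DNS64: synthesize AAAA records from A records inside this /64.
  // The prefix must be the same one configured as the stateful NAT64
  // prefix on the router, otherwise synthesized addresses are unroutable.
  dns64 2A02:x:x:x::/64 {
    // Synthesize only for recursive queries, never for authoritative data.
    recursive-only yes;
    // Clients that receive synthesized answers; allow-query above already
    // narrows this to "ipv6net1".
    clients { any; };
    // IPv4 addresses (from A records) that may be mapped into the prefix.
    mapped { any; };
    // AAAA answers within these prefixes are ignored so that the A record
    // is mapped instead: the client LAN itself and the well-known NAT64
    // prefix 64:ff9b::/96.
    exclude { 2A02:x:x:x:1::/64; 64:ff9b::/96; };
  };
  //========================================================================
  // If BIND logs error messages about the root key being expired,
  // you will need to update your keys. See https://www.isc.org/bind-keys
  //========================================================================
  dnssec-validation auto;
  auth-nxdomain no; # conform to RFC1035
  listen-on-v6 { any; };
};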
Где:
2A02:x:x:x::/40 — весь IPv6-префикс, клиенты которого будут пользоваться NAT64.
2A02:x:x:x::/64 — префикс для NAT64: DNS64 будет синтезировать AAAA-ответ из ответа A, подставляя этот префикс.
2A02:x:x:x:1::/64 — префикс клиентской сети (BDI1110, DHCPv6-пул); он исключён из DNS64 и разрешён в ACLv6.
3. Сам NAT64:
! NAT64 router side (Cisco IOS-style syntax). Hosts on BDI1110 get
! IPv6-only addresses via DHCPv6 and reach IPv4 through stateful NAT64.
ipv6 unicast-routing
! DHCPv6 pool for the client LAN: hands out the client /64 and points
! resolvers at the DNS64 server (presumably the BIND host configured above).
ipv6 dhcp pool ipv6dhcp
address prefix 2A02:x:x:x:1::/64
dns-server 2A02:x:x:x:1::2
! Upstream dual-stack interface: carries the IPv4 side of the translation
! (both default routes below use next hops in its subnets).
! NOTE(review): no inbound access-list is shown on this public-facing
! interface; confirm that filtering is applied elsewhere or the listing
! is abridged.
interface TenGigabitEthernet0/1/0
ip address x.x.x.3 255.255.255.248
ipv6 address 2A02:y:y:y::y:34/125
ipv6 enable
nat64 enable
! IPv6-only client LAN. managed-config-flag / other-config-flag tell
! hosts to obtain addresses and other settings (e.g. DNS) from the
! DHCPv6 pool bound below.
interface BDI1110
no ip address
ipv6 address 2A02:x:x:x:1::1/64
ipv6 enable
ipv6 nd na glean
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd router-preference High
ipv6 dhcp server ipv6dhcp
nat64 enable
! Default routes towards the upstream IPv4 and IPv6 next hops (placeholders).
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
ipv6 route ::/0 2A02:y:y:y::y:33 unicast
!
!
!
! Only traffic sourced from the client /64 is matched for translation.
ipv6 access-list ACLv6
sequence 20 permit ipv6 2A02:x:x:x:1::/64 any
!
! Stateful NAT64: the /64 must match the dns64 prefix configured in BIND.
! Sources matching ACLv6 are translated to the IPv4 pool with port
! overload (PAT). The pool addresses appear to be example values.
nat64 prefix stateful 2A02:x:x:x::/64
nat64 v4 pool pool1 111.111.111.111 111.111.111.113
nat64 v6v4 list ACLv6 pool pool1 overload