IPv4, IPv6 DNS BIND configuration and deployment

Eduardo Bonsi beartcom at pacbell.net
Sun Aug 4 20:28:29 UTC 2013

Hello Everyone,

I have some questions about IPv6 transition and DNS configuration!

I am preparing to make my transition to a dual stack IPv4, IPv6 and I
have some concerns in regards to the security of the network since IPv6
does not have NAT. My ISP gave me a Global
2602:000:000:000:000:000:000:000/64 Range and I can just turn on IPv6 on
the router and set the network to automatic on the computer and I am
connected through what they call a SLAAC IPv6 automatic conf network,
which runs using the machine's MAC address, which I am not very happy to
adopt. I well know there is a way to mask the MAC address to random
addresses as a security measure but I am still not happy about it.
Besides, there is all the BIND DNS configuration that needs to be routed
or I am stuck with a slow, broken SLAAC connection that works, but not
to the level of the DNS server that I want to achieve. Therefore, as a
network design after analyzing my options, I have decided to use the
static IPv4, IPv6 deployment approach that uses my IPv6 with the last 3
bits of the IPv4 NAT addresses already in place. This static option does
not expose the machine MAC addresses. However, the addresses are directly
connected through IPv6, bypassing the NAT environment. On BIND, the only
change I have in the named.conf file is:

listen-on-v6 { any; };

Therefore, here are my questions:

1. I am open to ideas or anything you think is best in choosing the best
internal network design for IPv6.

2. Since this static IPv6 deployment lacks the non-routable NAT
environment, what are the security measures to take on BIND in regards
to the recursive issues on IPv6?

3. Are there any other security issues that I should consider?

Many Thanks!


Eduardo Bonsi
System - Network Admin
beartcom at pacbell.net
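
An added example, not part of the original post: a named.conf fragment showing how recursion can be limited to known clients once `listen-on-v6 { any; };` puts the server on a globally reachable IPv6 address. The ACL name, the address ranges (documentation prefixes) and the zone name are placeholders, not values from the post.

```conf
// Added example; every name and address range here is a placeholder.
acl "trusted" {
    localhost;
    localnets;             // networks attached to this host's interfaces
    192.168.1.0/24;        // placeholder: internal IPv4 (NAT) range
    2001:db8:0:1::/64;     // placeholder: the /64 delegated by the ISP
};

options {
    listen-on    { any; };
    listen-on-v6 { any; };     // the one change mentioned in the post

    // Weak setting: with no NAT in front of the IPv6 address,
    //   allow-recursion { any; };
    // makes this host an open resolver for anyone who can reach port 53.

    // Restricted setting: only clients in the ACL get recursion
    // and answers from the cache.
    recursion yes;
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };
    allow-query       { "trusted"; };   // widened per zone below
    allow-transfer    { none; };        // no zone transfers by default
};

// Authoritative data that should be publicly resolvable is opened up
// zone by zone, without enabling recursion for outsiders.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

Running `named-checkconf` on the file checks the syntax before BIND is reloaded.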
