DNS64 & nslookup
cswiger at mac.com
Wed Apr 11 23:01:16 UTC 2018
On Apr 11, 2018, at 3:49 PM, Mark Boolootian <booloo at ucsc.edu> wrote:
>>> I'll give those tools a try, but I don't understand how my client is requesting
>>> an A record. It only has IPv6 networking. DNS64 should be requesting an
>>> A record, but what the client should see is the converted AAAA record. Is that
>>> not right?
>> Nope-- DNS requests aren't going to convert an A record to a AAAA record.
>> Normally, IPv6 only machines should request IPv6 AAAA records by preference,
> I think he was saying this. If his machine is truly IPv6-only, then the
> resolver would only perform AAAA lookups (I can't speak to what
> nslookup would do). That AAAA lookup gets forwarded to the DNS64
> box, which performs the A lookup (and finds no AAAA), and then returns
> the synthesized AAAA record.
Yes. As Mark A noted, most apps use getaddrinfo()-- with PF_UNSPEC, the system
should ask for A or AAAA records depending on whether IPv4 or IPv6 is preferred.
More sophisticated applications like web browsers tend to have an explicit
search ordering using several getaddrinfo() calls to try both PF_INET and PF_INET6,
and pay attention to which address family is getting results or results faster.
>> and fall back to IPv4 A records only when IPv6 isn't available.
> As far as I know, a host with only an IPv6 address is only ever
> going to perform AAAA lookups. I'd be very interested to know
> if there are cases where that isn't true.
Well, if you run nslookup or dig -t a, you're asking for A records explicitly.
>> However, your IPv6-only machine will route IPv4 traffic using
>> 6-in-4 or NAT64 addressing, otherwise you'd get broken
>> connectivity to IPv4-only addresses.
> Not that I'm saying anything you don't know, but that's the
> purpose of DNS64 - to make sure you can reach IPv4 only
> resources. But if your IPv6-only host is trying to reach an
> IPv4 literal (e.g. embedded in a web page), then unless you
> have a 464 CLAT available, you're out of luck.
OK, fair enough. If you ask a DNS64 server for an A record, it should still
give you back an A record. If you ask for an AAAA RR, then you will get back an
AAAA record, even if it has to synthesize an A record into a 6-in-4 IPv6 address.
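
Added example, not part of the original message: a small model of the DNS64 behaviour discussed in this thread (A queries pass through, AAAA queries return real AAAA data when it exists and a synthesized record otherwise). It assumes the RFC 6052 well-known prefix 64:ff9b::/96; the zone data, names and function names are constructed for illustration.

```python
import ipaddress

# Assumption: the RFC 6052 well-known NAT64 prefix; a deployment may use its own /96.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample data (documentation addresses) standing in for upstream answers.
UPSTREAM = {
    "v4only.example.": {"A": ["192.0.2.33"]},
    "dual.example.": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def synthesize(a_record, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(a_record)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract(aaaa_record, prefix=NAT64_PREFIX):
    """Recover the IPv4 address from a synthesized AAAA, or None if it is native."""
    v6 = ipaddress.IPv6Address(aaaa_record)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(name, qtype, upstream=UPSTREAM):
    """Return (rrtype, addresses, synthesized) as a DNS64 resolver would."""
    records = upstream.get(name, {})
    if qtype == "A":
        # Explicit A queries (nslookup, dig -t a) pass through untouched.
        return ("A", records.get("A", []), False)
    if qtype != "AAAA":
        raise ValueError("only A and AAAA are modelled")
    if records.get("AAAA"):
        # Real AAAA data exists, so nothing is synthesized.
        return ("AAAA", records["AAAA"], False)
    # No AAAA upstream: look up A and map each address into the prefix.
    return ("AAAA", [synthesize(a) for a in records.get("A", [])], True)


if __name__ == "__main__":
    for name in UPSTREAM:
        for qtype in ("A", "AAAA"):
            print(name, qtype, dns64_answer(name, qtype))
```

When troubleshooting, extract() is a quick way to tell whether an AAAA answer seen on a client is native or was produced by the DNS64 resolver.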