Using IPv6/IPv4 tunnels to send queries to a DNS server

Mark Andrews marka at isc.org
Fri Nov 11 00:48:56 UTC 2011


In message <CA+ofH68z4wuagAbXsjnvFyHYHjLkKsyLJmuTRQYCgBPhMDvdOw at mail.gmail.com>,
 Hansen Candrawinata writes:
> Thanks for the responses.
> 
> Can a DNS server (the machine, not BIND) be a tunnel endpoint
> for 6to4?

Yes, provided it meets all the criteria for being a 6to4 tunnel end
point.  You need a non-ambiguous IPv4 address for the tunnel end
point.  If your ISP gives you a NAT'd (shared) address you can't
run 6to4.  You can't use an RFC 1918 address for your tunnel end
point.  Your firewall needs to expect reply traffic from anywhere.
Just because you send your encapsulated packet to 192.88.99.1,
don't expect the encapsulated reply traffic to come from
192.88.99.1.  6to4 traffic is asymmetric.  Some ISPs run firewalls
which block non-symmetric traffic.

A major part of the problem Google and other big providers have
with deploying IPv6 is badly configured 6to4 gateways (often done
automatically) and code that doesn't fall back to IPv4, or fall
back to IPv4 in a timely manner.  Put the two together and you have
problems.

Test your 6to4 configuration.

Personally I would set up a tunnel with a tunnel broker, like HE.NET,
rather than running 6to4.  You then know who to talk to when you
have IPv6 problems.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
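The endpoint criteria Mark lists above (a globally unique IPv4 address, no RFC 1918 or shared/NAT'd space, and reply traffic that does not come back from 192.88.99.1) can be turned into a small pre-flight check. The following is an added example, not code from this thread, from ISC or from BIND: it derives the 2002:V4ADDR::/48 prefix of RFC 3056 from a candidate IPv4 address, rejects addresses that cannot anchor a 6to4 endpoint, and shows which outer IPv4 address an encapsulated packet is sent to and whether the reply source is predictable. The list of ineligible ranges is an assumption that covers the cases named in the post plus the obvious non-routable ranges; the sample addresses are constructed from documentation ranges, not real hosts.

```python
"""Pre-flight checks for a host that wants to be a 6to4 (RFC 3056) tunnel endpoint.

Added example for the bind-users thread above; not ISC or BIND code.
Sample addresses below are constructed from documentation ranges.
"""
import ipaddress

# IPv4 ranges that cannot serve as a 6to4 endpoint address. This list is an
# assumption: it covers the RFC 1918 and shared (CGN/NAT'd) cases named in the
# post plus the obvious non-routable ranges. Documentation ranges (192.0.2.0/24
# etc.) are deliberately left out so the constructed samples below can be used.
INELIGIBLE_V4 = [
    ipaddress.IPv4Network("10.0.0.0/8"),        # RFC 1918
    ipaddress.IPv4Network("172.16.0.0/12"),     # RFC 1918
    ipaddress.IPv4Network("192.168.0.0/16"),    # RFC 1918
    ipaddress.IPv4Network("100.64.0.0/10"),     # RFC 6598 shared address space (CGN)
    ipaddress.IPv4Network("0.0.0.0/8"),         # "this network"
    ipaddress.IPv4Network("127.0.0.0/8"),       # loopback
    ipaddress.IPv4Network("169.254.0.0/16"),    # link-local
    ipaddress.IPv4Network("224.0.0.0/4"),       # multicast
    ipaddress.IPv4Network("240.0.0.0/4"),       # reserved, includes 255.255.255.255
]

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
# Anycast address of the public 6to4 relays (RFC 3068); the post's 192.88.99.1.
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")


def eligible_6to4_endpoint(v4):
    """True if the IPv4 address is one a 6to4 endpoint may be numbered from."""
    addr = ipaddress.IPv4Address(v4)
    return not any(addr in net for net in INELIGIBLE_V4)


def sixto4_prefix(v4):
    """Derive the 2002:V4ADDR::/48 prefix (RFC 3056) from a public IPv4 address."""
    addr = ipaddress.IPv4Address(v4)
    if not eligible_6to4_endpoint(addr):
        raise ValueError(f"{addr} cannot anchor a 6to4 prefix")
    # The 32-bit IPv4 address becomes the two 16-bit groups after 2002:.
    hi, lo = divmod(int(addr), 1 << 16)
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def embedded_ipv4(v6):
    """Return the IPv4 address embedded in a 2002::/16 address, else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTO4_PREFIX:
        return None
    # Bits 112-127 are 0x2002; bits 80-111 carry the embedded IPv4 address.
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def next_hop_ipv4(dst_v6):
    """Outer IPv4 destination of the encapsulated packet.

    A 6to4 peer is reached directly at its embedded IPv4 address; a native
    IPv6 destination is sent to the relay anycast address.
    """
    emb = embedded_ipv4(dst_v6)
    return emb if emb is not None else SIXTO4_RELAY_ANYCAST


def reply_source_predictable(dst_v6):
    """True only for 6to4-to-6to4 traffic.

    For a native IPv6 peer the reply is encapsulated by whichever relay the
    remote side's routing selects, so the outer IPv4 source of the reply is
    not known in advance. This is the asymmetry the post warns firewalls must
    tolerate: the reply will not come from 192.88.99.1.
    """
    return embedded_ipv4(dst_v6) is not None


if __name__ == "__main__":
    for candidate in ("192.0.2.1", "10.1.2.3", "100.64.1.1"):   # constructed samples
        if eligible_6to4_endpoint(candidate):
            print(f"{candidate}: ok, prefix {sixto4_prefix(candidate)}")
        else:
            print(f"{candidate}: not usable as a 6to4 endpoint")
    for dst in ("2002:c000:201::53", "2001:db8::53"):           # constructed samples
        print(f"{dst}: encapsulate to {next_hop_ipv4(dst)}, "
              f"reply source predictable: {reply_source_predictable(dst)}")
```

A firewall in front of such a host therefore cannot be written as "allow protocol 41 only from 192.88.99.1"; for native peers it has to accept protocol 41 replies from any source, which is the part of the setup that most often goes wrong. Note also that the 192.88.99.0/24 relay anycast prefix was deprecated by RFC 7526, one more reason for the tunnel-broker suggestion in the post.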