ipv4, ipV6 DNS BIND configuration and deployment

Mark Andrews marka at isc.org
Mon Aug 5 01:12:15 UTC 2013


In message <51FEB96D.3070800 at pacbell.net>, Eduardo Bonsi writes:
> Hello Everyone,
> 
> I have some questions about ipV6 transition and DNS configuration!
> 
> I am preparing to make my transition to a dual stack ipv4, ipv6 and I 
> have some concerns in regards to the security of the network since ipv6 
> does not have NAT. My ISP gave me a Global 
> 2602:000:000:000:000:000:000:000/64

Truly, your ISP should be giving you a /48 or as a minimum a /56.
A /64 is a single subnet.  Your ISP will be getting addresses based
on giving customers a /56 or /48.

> Range and I can just turn on ipV6 on 
> the router and set the network to automatic on the computer and I am 
> connected through what they call a SLAAC ipV6 automatic conf network, 
> that runs using the machine MAC address, which I am not very happy to 
> adopt. I know well there is a way to mask the MAC address with random 
> addresses as a security measure, but I am still not happy about it. 

And why are you not happy?  Because someone said there was an issue
with it?  Do you understand the reasoning behind the issue, and does
it apply to your use of the network?  In many cases it doesn't.

Too often I see people complaining that MAC addresses are buried
in IPv6 addresses when in reality it is *not* a security issue for
the use case.

Modern IPv6 stacks use both types of address for different purposes.
Saying one is unhappy is quite often a knee-jerk reaction that
doesn't stand up to rigorous analysis.  This is not to say you haven't
done that analysis, but given modern stacks I find complaints like
this just don't stack up.

> Besides, there are all the BIND DNS configurations that need to be routed, 
> or I am stuck with a slow, broken SLAAC connection that works, but not 
> to the level of the DNS server that I want to achieve. Therefore, as a 
> network design, after analyzing my options, I have decided to use the 
> static ipv4, ipV6 deployment approach that uses my ipV6 with the last 3 
> bits of the ipv4 NAT addresses already in place. This static option does 
> not expose the machine MAC addresses. 
>
> However, the addresses are directly 
> connected through ipV6, bypassing the NAT environment. On BIND, the only 
> change I have in the named.conf file is:
> 
> listen-on-v6 { any; };
> 
> Therefore, here are my questions:
> 
> 1. I am open to ideas or anything you think is best for choosing the best 
> internal network design for ipV6.

Get more address space from your ISP.  Use temporary addresses.
 
> 2. Since this static ipV6 deployment lacks the non-routable NAT 
> environment, what are the security measures to take on BIND in regard 
> to the recursion issues on ipV6?

Same as with IPv4.  Locally connected networks are allowed to
recurse.
 
> 3. Are there any other security issues that I should consider?
> 
> 
> Many Thanks!
> 
> Eduardo
> 
> -- 
> Eduardo Bonsi
> System - Network Admin
> beartcom at pacbell.net
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
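The address arithmetic behind the two points Mark makes above (a SLAAC address embeds the MAC in a modified EUI-64 interface identifier, while a temporary address does not, and a /64 is one subnet whereas a /56 or /48 leaves room for many) as an added, runnable example. This is not code from the thread or from ISC; the prefix 2001:db8:1234:5600::/64 and the MAC 00:11:22:33:44:55 are constructed sample values, and the temporary-address routine is a simplified RFC 4941-style random identifier rather than a copy of any particular operating system's implementation.

```python
"""Added example (not from the bind-users thread): how a SLAAC/EUI-64
interface identifier embeds the host MAC, how a temporary (RFC 4941-style)
identifier differs, and how many /64 subnets a delegated prefix holds.
All prefixes and MACs used here are constructed sample values."""
import ipaddress
import secrets
from typing import Optional

# The universal/local (U/L) bit is 0x02 in the first octet of a modified EUI-64.
# Modified EUI-64 flips it (1 = derived from a globally unique MAC); RFC 4941
# temporary identifiers clear it so they cannot be mistaken for EUI-64.
UL_BIT = 0x02


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe between the OUI and
    the NIC-specific half, then flip the U/L bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ UL_BIT]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address: the on-link /64 prefix plus the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 on-link prefix; a /64 is one subnet")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_slaac_address(addr) -> Optional[str]:
    """Recover the MAC if the low 64 bits are EUI-64 shaped (ff:fe in the
    middle and U/L bit set). Returns None for temporary or static identifiers,
    which is exactly what an observer of a temporary address is left with."""
    iid = ipaddress.IPv6Address(str(addr)).packed[8:]
    if iid[3:5] != b"\xff\xfe" or not (iid[0] & UL_BIT):
        return None
    mac = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Simplified RFC 4941-style temporary address: a random 64-bit identifier
    with the U/L bit cleared. Real stacks also rotate these on a timer and use
    them for outbound connections while keeping the stable address for inbound."""
    net = ipaddress.IPv6Network(prefix)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= ~UL_BIT & 0xFF
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def subnets_available(prefix: str) -> int:
    """Number of /64 subnets inside a delegated prefix (/64 -> 1, /56 -> 256, /48 -> 65536)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("prefixes longer than /64 cannot hold a SLAAC subnet")
    return 2 ** (64 - net.prefixlen)


if __name__ == "__main__":
    lan = "2001:db8:1234:5600::/64"      # constructed stand-in for the ISP's /64
    stable = slaac_address(lan, "00:11:22:33:44:55")
    print("SLAAC address:     ", stable)
    print("MAC recovered:     ", mac_from_slaac_address(stable))
    tmp = temporary_address(lan)
    print("Temporary address: ", tmp)
    print("MAC recovered:     ", mac_from_slaac_address(tmp))
    for p in ("2001:db8:1234:5600::/64", "2001:db8:1234:5600::/56", "2001:db8:1234::/48"):
        print(f"{p:28s} -> {subnets_available(p):6d} x /64 subnets")
```

Running it shows the stable address 2001:db8:1234:5600:211:22ff:fe33:4455 gives the MAC straight back, the temporary address gives nothing, and only the /56 or /48 leaves any room to put the DNS server, the SLAAC clients and a NAT-replacement firewall zone on separate /64s.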

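A named.conf fragment for the answer to question 2, added here as an example and not taken from the thread or from ISC documentation: recursion is restricted to the locally connected networks with the same ACL for IPv4 and IPv6, so removing NAT changes nothing about who may recurse. The network ranges are placeholders; substitute the ISP-assigned global prefix and any ULA prefix actually in use.

```conf
// Added example, not from the thread. One ACL covers both address
// families; BIND applies it the same way whether the client arrived
// over IPv4 or IPv6. All prefixes below are placeholders.
acl "local-nets" {
    127.0.0.1;
    ::1;
    192.168.1.0/24;            // existing IPv4 LAN (behind NAT)
    2001:db8:1234:5600::/64;   // ISP-assigned global IPv6 prefix (placeholder)
    fd00:1234:5678::/48;       // optional ULA prefix for internal-only hosts (placeholder)
};

options {
    listen-on    { any; };
    listen-on-v6 { any; };

    // Weak form, what an open resolver looks like:
    //   allow-recursion { any; };
    // Corrected form: recurse only for local clients on either family.
    recursion yes;
    allow-recursion   { local-nets; };
    allow-query-cache { local-nets; };

    // Authoritative zones served by this host may still be queried by anyone.
    allow-query { any; };
};
```

After editing, `named-checkconf` validates the syntax. A recursive query for a name this server is not authoritative for, sent from an address outside `local-nets` over either IPv4 or IPv6, is answered REFUSED; the same query from inside the ACL is answered normally, which is the behaviour to confirm with `dig` from both sides once the global IPv6 prefix is live.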
