NAT-PT DNS ALG allows IPv6 clients to transparently communicate with IPv4 networks using domain names. The DNS ALG intercepts DNS traffic and modifies DNS queries and responses, translating between A (IPv4) and AAAA (IPv6) records to facilitate communication between IPv4 and IPv6 networks.

DNS ALG in NAT-PT

When an IPv6 client wants to communicate with an IPv4 server using a domain name, it sends a DNS query of type AAAA to the IPv6-equivalent address of the IPv4 DNS server. The IPv6-equivalent address of the DNS server is preconfigured on the client, either manually or via DHCPv6.

The NAT-PT device intercepts the DNS query and, using its DNS ALG, translates the AAAA query into an A query based on the v4v6 translation configuration in the NAT-PT device. It then forwards the A query to the IPv4 DNS server.

The IPv4 DNS server responds with an A record containing the IPv4 address of the requested domain.

The DNS ALG translates this IPv4 address into an IPv6 address by embedding it into a predefined IPv6 prefix, as specified in the NAT-PT device’s v4v6 translation configuration. It then sends an AAAA record with the translated IPv6 address back to the IPv6 client.

The IPv6 client uses this translated IPv6 address to communicate transparently with the IPv4 server.

NAT-PT DNS ALG Process

DNS ALG Explanation Using the Example:

  1. Initial DNS Query from IPv6 Client:

    • The IPv6 client (2001:BEBE:0:1::2) wants to resolve the domain name www.example3.com.

    • It sends a DNS query of type AAAA to the IPv6-equivalent address of the IPv4 DNS server (2001:BEBE:4:4:4:4:c0c:c02).

  2. Intercepting the DNS Query (NAT-PT with DNS ALG):

    • The NAT-PT device intercepts the query on its e0/0 interface.

    • Using its DNS ALG functionality, it translates the AAAA query into an A query. This translation uses the v4v6 mapping configuration in the NAT-PT device.

    • The translated A query is forwarded to the IPv4 DNS server at 12.12.12.2.

  3. Response from IPv4 DNS Server:

    • The IPv4 DNS server resolves the domain www.example3.com and responds with an A record containing the IPv4 address (8.8.8.8).

    • The response is sent back to the NAT-PT device.

  4. Translation of the DNS Response (NAT-PT with DNS ALG):

    • The NAT-PT device translates the A record’s IPv4 address (8.8.8.8) into an IPv6 address by embedding it into a predefined IPv6 prefix (2001:BEBE:4:4:4:4::).

    • The translated AAAA record is sent back to the IPv6 client.

  5. IPv6 Client Communicates with the IPv4 Server:

    • Using the translated IPv6 address (2001:BEBE:4:4:4:4:808:808), the IPv6 client can now communicate transparently with the IPv4 server (8.8.8.8).

    • The NAT-PT device handles the bidirectional IPv6-to-IPv4 translation for subsequent communication.
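The two rewrites described in steps 2 and 4, applied to raw DNS messages. This is an added example, not code from the NAT-PT device or from the original lesson; it assumes the IPv4 address occupies the low 32 bits of the prefix (as the ping output in the demonstration shows), and the function names and sample messages are constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the IPv4 address sits in the low 32 bits of this prefix, which is
# what the ping output on the page shows (8.8.8.8 -> 2001:BEBE:4:4:4:4:808:808).
PREFIX = int(ipaddress.IPv6Address("2001:BEBE:4:4:4:4::"))
TYPE_A, TYPE_AAAA = 1, 28

def v4_to_v6(v4):
    """Embed an IPv4 address (text or 4 packed bytes) into the prefix."""
    return ipaddress.IPv6Address(PREFIX | int(ipaddress.IPv4Address(v4)))

def skip_name(msg, pos):
    """Return the offset just past a DNS name (labels or compression pointer)."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (1 if msg[pos] == 0 else 2)

def rewrite_question(msg, old, new):
    """Swap QTYPE old -> new in a single-question message; return (msg, end offset)."""
    end = skip_name(msg, 12) + 4
    qtype, qclass = struct.unpack("!HH", msg[end - 4:end])
    if qtype == old:
        msg = msg[:end - 4] + struct.pack("!HH", new, qclass) + msg[end:]
    return msg, end

def alg_query(msg):  # IPv6 -> IPv4 side: the AAAA query becomes an A query
    return rewrite_question(msg, TYPE_AAAA, TYPE_A)[0]

def alg_response(msg):
    """IPv4 -> IPv6 side: A answers become AAAA answers inside the prefix.
    Compression pointers that target data after a resized record are not fixed up."""
    msg, pos = rewrite_question(msg, TYPE_A, TYPE_AAAA)
    out = bytearray(msg[:pos])
    for _ in range(struct.unpack("!H", msg[6:8])[0]):  # ANCOUNT
        end = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[end:end + 10])
        rdata = msg[end + 10:end + 10 + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            rtype, rdata = TYPE_AAAA, v4_to_v6(rdata).packed
        out += msg[pos:end] + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
        pos = end + 10 + rdlen
    return bytes(out + msg[pos:])

# Constructed samples: the client's AAAA query and the IPv4 server's A reply
# for www.example3.com (8.8.8.8); transaction ID and TTL are made up.
QNAME = b"\x03www\x08example3\x03com\x00"
AAAA_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QNAME + struct.pack("!HH", 28, 1)
A_REPLY = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QNAME + struct.pack("!HH", 1, 1)
           + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([8, 8, 8, 8]))
```

Calling alg_response(A_REPLY) yields a message whose answer is an AAAA record for 2001:BEBE:4:4:4:4:808:808, and v4_to_v6("12.12.12.2") gives the DNS server address that is configured on the IPv6 client.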

NAT-PT DNS ALG Demonstration

To better understand how NAT-ALG works, I am using the same topology and configurations from previous lessons without any changes.

An IPv6 client needs to communicate with the IPv4 internet through a gateway equipped with NAT-PT capabilities.

  • IPv4 Server Configuration: Three IPv4 addresses (1.1.1.1, 4.2.2.4, and 8.8.8.8) are configured in the IPv4 server.

  • IPv6 Configuration: An IPv6 prefix (2001:BEBE:4:4:4:4::/92), which is part of the enterprise’s IPv6 addressing plan, is configured.

Two types of translations have been set up on the NAT-PT device:

  1. V6V4 Translation: This defines how IPv6 client addresses are translated into IPv4 addresses when traffic is forwarded to the IPv4 network. Three methods (Static, Dynamic, and PAT) were discussed and demonstrated in lessons 31 and 32.

  2. V4V6 Translation: This defines how IPv4 server addresses from the internet are translated into the IPv6 network. Two methods (Static and V4-Mapped) were covered in lessons 31 and 33.

All configurations remain on the NAT-PT device. Now, we aim to demonstrate the NAT-ALG capability, which is enabled by default.

To showcase NAT-ALG, an IPv4 DNS server is required. I have configured the DNS server on the IPv4 server with the following commands:

!!!!!!!!!!!!!!!!!!!!1 DNS ALG !!!!!!!!!!!!!!!!!!!!!!
!!! IPv4-Server (also as DNS Server)
ip dns server
ip domain-lookup
!
ip host www.example1.com 1.1.1.1
ip host www.example2.com 4.2.2.4
ip host www.example3.com 8.8.8.8

As shown in the configuration, I added three A records to the DNS server: "www.example1.com" as "1.1.1.1", "www.example2.com" as "4.2.2.4" and "www.example3.com" as "8.8.8.8".

Additionally, I configured the IPv6 equivalent of the DNS server on the IPv6 client using the following commands:

!!! IPv6-Client 
!!! configure dns client
ip domain lookup source-interface Ethernet0/0
ip name-server 2001:BEBE:4:4:4:4:0c0c:0c02

Disable DNS ALG on NAT-PT

As mentioned earlier, NAT ALG is enabled by default on the NAT-PT device. However, for reference, it can be disabled using the following command:

NAT-PT(config)#no ipv6 nat service DNS

Verify DNS ALG operation

To verify the operation of NAT ALG, we simply need to ping all three servers from the IPv6 client using their domain names instead of their IP addresses.

IPv6-Client#ping www.example1.com
Translating "www.example1.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Translating "www.example1.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Translating "www.example1.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:101:101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
IPv6-Client#ping www.example2.com
Translating "www.example2.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Translating "www.example2.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Translating "www.example2.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
IPv6-Client#ping www.example3.com
Translating "www.example3.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Translating "www.example3.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Translating "www.example3.com"...domain server (2001:BEBE:4:4:4:4:C0C:C02) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:808:808, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
IPv6-Client#

The results demonstrate the following:

  1. The address of the DNS server to which the query is sent is shown. This is the IPv6 equivalent address (2001:BEBE:4:4:4:4:C0C:C02) of the IPv4 DNS server (12.12.12.2).

  2. The ping results are successful, confirming proper functionality of NAT ALG.

At the same time, I captured the DNS traffic in both the IPv6 and IPv4 networks to monitor DNS packets and activity. This process aligns with what we have already discussed; however, I will include it here as a reference for completeness.

DNS query in IPv6 network in NAT-PT DNS ALG process
DNS query in IPv4 network in NAT-PT DNS ALG process
DNS Answer in IPv4 network in NAT-PT DNS ALG process
DNS Answer in IPv6 network in NAT-PT DNS ALG process