What Is DNS64? How DNS64 Works

Increasing numbers of devices connect to the Internet daily: not just computers but also smartphones, cars, home appliances, and countless Internet of Things (IoT) gadgets. This explosive growth has led to a corresponding demand for Internet Protocol (IP) addresses. The original IPv4 protocol, once deemed sufficient, has now been exhausted, necessitating a transition to IPv6. However, the two IP address formats aren’t compatible by default. Multiple connectivity methods have been proposed, and one such approach is DNS64. This article discusses DNS64 in detail, including what it is, how it works, its functions, and how it's applied.

What is DNS64? 

DNS64 is a mechanism that synthesizes AAAA records from A records to facilitate communication between IPv6-only clients and IPv4-only servers. It's part of the toolbox for IPv4-IPv6 transition and coexistence.

Due to shortages of IPv4 addresses, it's likely that in the future, many IPv6-only clients will want to connect to IPv4-only servers to access the vast array of services operating on IPv4.

However, there is not enough time to upgrade existing Internet hosts to dual stack before the IPv4 address pool is depleted. By default, IPv4 and IPv6 networks can’t communicate directly. They’re fundamentally separate stacks. 

DNS64 is an important part of IPv4-IPv6 connections.

Domain name system 64, then, provides a way forward in the IPv4-to-IPv6 transition by allowing communication among unmodified IPv6 and IPv4 nodes. It uses a protocol translation approach versus an encapsulation approach to connect IPv6 users to IPv4 services. 

This translation technology “synthesizes” one AAAA record for each A record the name has, embedding each 32-bit IPv4 address in a 128-bit IPv6 address under a predefined prefix. The synthesized IPv6 addresses are then translated back to IPv4 addresses by a NAT64 gateway during actual network communication.

The main advantage of this mode is that current IPv6 nodes can use this mechanism without requiring any configurations on either of the devices. IPv6 clients are usually configured to use one or more special name servers that support the DNS64 function.

DNS64 typically goes alongside NAT64. DNS64 handles the address resolution, while NAT64 handles the packet translation. Together, they facilitate networks transitioning to IPv6 at layer 3 of the OSI model. 

Components of DNS64

As the names imply, DNS64 manages translation for DNS records. The main components involved are the DNS64 server and a NAT64 gateway.

DNS64 server

A domain name system 64 server is a specialized DNS server that synthesizes IPv6 AAAA records from IPv4 A records when necessary. When an IPv6-only client requests the IPv6 address (AAAA record) for a domain, the server checks its DNS records and, if the domain has only A records, synthesizes the AAAA answer from them.

NAT64 gateway

A NAT64 gateway is a network address translation device that translates network traffic between IPv6 and IPv4 protocols. It operates based on the synthetic IPv6 addresses created by the DNS server to enable communication. 

How DNS64 works

The DNS64 mechanism happens in a few simple steps involving queries, servers, and NAT64 translation. The process occurs as follows:

  1. DNS query from IPv6 client. An IPv6-only client sends a DNS query requesting an IPv6 address (AAAA record) for a domain name. 
  2. Server processing. The DNS server, configured with DNS64, receives the query. If the server finds that the domain does not have an AAAA record but does have an A record, it synthesizes an AAAA record. The server creates a synthetic IPv6 address by prepending to the IPv4 address a special prefix (usually 64:ff9b::/96, defined in RFC 6052) that the NAT64 gateway also uses.
  3. The client receives a response. The synthesized AAAA record returns to the client. 
  4. The client attempts a connection. The client then uses the synthesized IPv6 address to initiate a connection to the server. 
  5. NAT64 translation occurs. The NAT64 gateway intercepts the traffic destined for the synthesized IPv6 address. It translates the IPv6 packets into IPv4 packets to allow IPv6 services in your subnet to access IPv4 services outside that subnet.

Normally, DNS64 only applies to domain names that don’t have AAAA records. The mechanism makes IPv6-only clients believe they communicate over IPv6 even when the destination server is IPv4-only. No changes to the client's configuration are required in this case. 

Benefits of DNS64

DNS64 significantly benefits modern network management as organizations work towards an IPv6-dominated Internet. Let’s look at these advantages of the mechanism.

Improved IPv6-IPv4 connection

DNS64 simplifies the process for IPv6-only clients to connect to IPv4 servers. Typically, a dual-stack setup—where a device supports both IPv4 and IPv6—would be needed to ensure compatibility with both protocols. However, maintaining dual-stack networks can be complex, especially as IPv6 gains traction. Domain name system 64 eliminates this need.

Lower costs

Switching to IPv6 has been a priority for many organizations, yet the need to maintain some IPv4 compatibility can be costly. Running dual-stack networks requires both IPv4 and IPv6 infrastructure on every device, which can double hardware costs. 

With DNS64, IPv6-only networks no longer need to run IPv4 on every device. Instead, they can capitalize on DNS64 and NAT64 capabilities to handle any interactions with IPv4-only resources.

Support for IPv6-only environments

The mechanism enables a true IPv6-only environment to function without losing access to the Internet’s vast IPv4 resources. As IPv4 addresses become increasingly scarce, IPv6-only networks are becoming more common. 

While IPv6 was developed to replace IPv4, the reality is that many servers still use IPv4. Some organizations risk losing connectivity with IPv4-only resources. Network administrators can rely on DNS64 to set up pure IPv6 networks and bridge any gaps that require IPv4 resources.

Scalability for network growth

Domain name system 64 also enhances network scalability, an important factor for expanding networks like large enterprises, data centers, or Internet service providers. 

Many organizations in the IPv4-only world often face challenges when scaling their networks due to limited IPv4 addresses. Address shortages lead to complicated address management. 

IPv6-only networks can grow smoothly without heavy IPv4 use. DNS64 helps them scale their networks freely using IPv6 and still access IPv4 resources without relying on extensive IPv4 infrastructure.

Challenges and limitations of DNS64

DNS64 is valuable but has specific limitations that network administrators must consider carefully. 

  • IPv4 resource scarcity. This mechanism is vulnerable to a limited supply of IPv4 addresses. Since IPv4 addresses are nearly exhausted, DNS64 may struggle as networks increasingly transition to IPv6-only environments. This scarcity of IPv4 addresses can limit the effectiveness of domain name system 64 as organizations grow or as more devices require access to IPv4 resources.
  • Compatibility problems. Some applications are not fully compatible with DNS64. This issue is common with applications that use hardcoded IPv4 addresses. For example, if an app expects a specific IPv4 address and cannot accept an IPv6 address, it may fail to connect through DNS64. The incompatibility means certain critical legacy systems may not function reliably in DNS64 environments.
  • Security risks. DNS64 introduces specific security threats, particularly around DNS spoofing. Attackers can redirect users to malicious sites through spoofed DNS entries. They exploit DNS64 vulnerabilities to compromise network security.

Implementing DNS64

Setting up DNS64 involves several key steps. Here’s a basic outline:

  1. Setup requirements. You need a DNS64-enabled resolver. Common DNS64-compatible options include BIND, Unbound, and PowerDNS.
  2. Configuration. Start by configuring domain name system 64 on your chosen DNS server. The DNS64 prefix must match the NAT64 prefix, thus ensuring smooth address synthesis.
  3. Testing. Run tests to confirm that DNS64 is working. Use command-line tools like dig or nslookup to check for synthesized addresses.
  4. Troubleshooting. If issues arise, double-check your settings. Look at logs to find errors in address synthesis or NAT64 translation.

Following these steps guides network admins in building a stable DNS64 environment. Regular testing ensures the setup remains effective.
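The prefix match from step 2 and the check for synthesized addresses from step 3 can be automated once the A and AAAA answers have been collected, for example with dig. The sketch below is an added example, not part of the original article; it assumes a /96 prefix, and the names, verdict strings and sample answers are constructed for illustration.

```python
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # assumed gateway prefix

def classify(a_records, aaaa, nat64_prefix=NAT64_PREFIX):
    """Classify one AAAA answer against the name's A records (/96 prefixes only)."""
    addr = ipaddress.IPv6Address(aaaa)
    low32 = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    known = {ipaddress.IPv4Address(a) for a in a_records}
    if addr in nat64_prefix:
        # Synthesized with the right prefix: the embedded IPv4 must be a real A record.
        return "synthesized-ok" if low32 in known else "embedded-ipv4-not-in-A"
    if low32 in known:
        # Heuristic: looks synthesized, but under a prefix NAT64 will not translate.
        return "prefix-mismatch"
    return "native"

def audit(answers, nat64_prefix=NAT64_PREFIX):
    """Return (name, aaaa, verdict) for every answer that needs a closer look."""
    findings = []
    for name, a_records, aaaa_records in answers:
        for aaaa in aaaa_records:
            verdict = classify(a_records, aaaa, nat64_prefix)
            if verdict not in ("synthesized-ok", "native"):
                findings.append((name, aaaa, verdict))
    return findings

# Constructed sample answers (documentation address ranges), not real captures:
# (queried name, A records, AAAA records returned by the DNS64 resolver)
SAMPLE = [
    ("v4only.example", ["192.0.2.10"], ["64:ff9b::c000:20a"]),
    ("dual.example", ["198.51.100.7"], ["2001:db8::7"]),
    ("wrongprefix.example", ["192.0.2.20"], ["2001:db8:64::c000:214"]),
    ("odd.example", ["192.0.2.30"], ["64:ff9b::cb00:7105"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "prefix-mismatch" verdict points at the configuration in step 2; an "embedded-ipv4-not-in-A" verdict means the resolver returned an address that does not correspond to any A record and is worth checking in the logs mentioned in step 4.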

Best practices for using DNS64

DNS64 functions most effectively when network administrators manage it carefully. Here are some detailed best practices to enhance performance, security, and reliability.

  • Monitoring. Regularly monitoring the mechanism's activity is essential to identify patterns, track usage, and detect issues early. By reviewing detailed logs, admins can spot irregularities before they become significant problems.
  • Optimize performance. The mechanism requires significant processing power during peak hours. Ensuring your server has sufficient resources, such as CPU and memory, can improve response times. Balancing workloads across multiple servers can further prevent bottlenecks. 
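  • Security measures. DNS64 setups face DNS spoofing attacks, where attackers try to redirect traffic to malicious sites. Enabling DNSSEC (Domain Name System Security Extensions) verifies the authenticity of DNS responses. Because synthesized AAAA records are not signed by the original zone, validation has to happen at the DNS64 resolver, on the original A records, before synthesis.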
  • Stay updated. The software receives updates to patch bugs. Be sure to update the software to maintain a secure environment, as new updates frequently address potential flaws. Also, staying current with software versions ensures that DNS64 can handle the latest standards and protocols. 

Real-world applications of DNS64

Domain name system 64 has many use cases, including:

  • Mobile networks. Mobile carriers use DNS64 for IPv6-only networks because this setup conserves IPv4 addresses and supports growing data demands.
  • Enterprise networks. Many large organizations use domain name system 64 as they transition to IPv6. DNS64 allows them to move forward without losing access to IPv4-only sites.
  • IoT (Internet of Things). IoT devices often operate in IPv6-only networks. DNS64 lets these devices access IPv4 resources when needed.
  • University networks. Some universities have switched to IPv6-only networks, with this mechanism bridging IPv4 gaps. The approach saves IPv4 resources while maintaining access to needed content.

Frequently asked questions

Is DNS64 secure and reliable for use in production environments?

Domain name system 64 is secure for production when managed adequately with security measures like DNSSEC. 

Can DNS64 be used in a dual-stack network?

Yes, but it is mainly designed for IPv6-only environments. In a dual-stack network, clients have both IPv4 and IPv6 addresses, which reduces the need for DNS64, since they can access IPv4 resources directly without synthesized addresses.

How can I test if DNS64 is functioning correctly?

Testing DNS64 involves querying from an IPv6-only client for an IPv4-only resource. To confirm functionality, use tools like dig or nslookup to check that a synthesized IPv6 address is returned when querying for domains without AAAA records.

Will DNS64 still be relevant in a fully IPv6-based Internet?

The relevance may decline as more websites adopt IPv6. However, until IPv4 resources are phased out entirely, DNS64 will remain valuable for networks needing to bridge IPv6 and IPv4 resources. 

Author

Written and Edited by Lizzy Schinkel & WhatIsMyIP.com® Editorial Contributors

Lizzy is a tech writer for WhatIsMyIP.com®, where she simplifies complex tech topics for readers of all levels. A Grove City College graduate with a bachelor’s degree in English, she’s been crafting clear and engaging content since 2020. When she’s not writing about IP addresses and online privacy, you’ll likely find her with a good book or exploring the latest tech trends.

Reviewer

Technically Reviewed by Brian Gilbert

Brian Gilbert is a tech enthusiast, network engineer, and lifelong problem solver with a knack for making complicated topics simple. As the overseer of WhatIsMyIP.com®, he combines decades of experience with a passion for helping others navigate the digital world.