If you want to operate an IPv6-only network, there is a new way to make it happen that is much simpler than what we had to do in the past.

It uses VyOS as your router, which has integrated Jool starting in v1.4, making NAT64 very easy to set up and use out of the box.

DNS64

Just as important as the NAT64 component is DNS64. It takes a DNS lookup for a name that only has an A record and responds with a synthesized AAAA record as well, usually by embedding the IPv4 address in the NAT64 well-known reserved prefix 64:ff9b::/96.

There are several options for DNS64. If you are currently using a custom DNS server it may already have this feature and you simply need to turn it on. I will list two simple methods.

Google DNS

Google offers a public DNS64 version of their DNS service, which makes it super easy. You can use it directly or configure your existing DNS server to use Google DNS64 as its upstream forwarder. To use it, simply enter the following DNS servers.

  • 2001:4860:4860::6464
  • 2001:4860:4860::64

The downsides to this approach are that it will only translate public DNS records, so it won’t let you reach private IPv4 hosts via DNS, and that it always uses the well-known prefix, with no ability to customize it if desired.

Built-in DNS Forwarder

The second-simplest approach is to use the DNS forwarder service built into VyOS.

The following example shows how to configure it. Of course, modify allow-from and listen-address to match the prefix and address you are using for the network you want to implement NAT64 on.

I used the well-known reserved prefix 64:ff9b::/96, although technically you can use whatever prefix you want. A /96 prefix size is recommended, since the embedded IPv4 address occupies the low 32 bits. For the upstream forwarder I used Quad9 in the example below.

configure

set service dns forwarding allow-from '2001:db8:a002::/64'
set service dns forwarding cache-size '20000'
set service dns forwarding dns64-prefix '64:ff9b::/96'
set service dns forwarding listen-address '2001:db8:a002::1'
set service dns forwarding name-server 2620:fe::9
set service dns forwarding name-server 2620:fe::fe
set service dns forwarding port '53'

commit
save

NAT64

Now we enable the actual translation part: the router takes the IPv6 addresses returned by the DNS64 server, extracts the embedded IPv4 address, makes the IPv4 connection on the client’s behalf and relays the traffic back to the IPv6 client endpoint.

configure

set nat64 source rule 1 source prefix '64:ff9b::/96'

commit
save

And that’s it! 🤯

Super easy way to build an IPv6-only network.

What about Direct IP Connections without DNS?

Most modern operating systems, including iOS, macOS and Linux, support something called 464XLAT. The way this works is that the OS detects the NAT64 prefix in use on the network, and if an application attempts a direct IPv4 connection it translates the address in the network stack, so all your apps function transparently, not even aware that they are connecting via an IPv6 transition layer.

On Linux you may need to install clatd.

How it works

There is a special FQDN, ipv4only.arpa, for which a DNS64 resolver will return two AAAA records when queried.

Screenshot of query to ipv4only.arpa

These addresses indicate the NAT64 prefix to the client: ipv4only.arpa only has A records for 192.0.0.170 and 192.0.0.171 (c000:aa and c000:ab in hex), so everything in front of those low 32 bits must be the prefix the DNS64 resolver is using.

ipv4only.arpa.		21600	IN	AAAA	64:ff9b::c000:aa
ipv4only.arpa.		21600	IN	AAAA	64:ff9b::c000:ab

As a result the operating system knows how to translate an IPv4 address into an IPv6 address, and there is no need to deal with the complexity of dual-stack on client endpoints.
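To make the two halves of this concrete (the DNS64 synthesis described in the DNS64 section, and the prefix discovery via ipv4only.arpa described just above), here is an added Python example that is not part of the original post or of VyOS/Jool. It embeds an A record into a /96 prefix, recovers the IPv4 address again as the NAT64 or CLAT side would, and derives the prefix from ipv4only.arpa answers, rejecting answers that disagree or that do not carry the expected 192.0.0.170/171 addresses. All sample values are constructed from the post.

```python
import ipaddress

# Constructed sample data: the two answers the post shows for ipv4only.arpa.
IPV4ONLY_ARPA_AAAA = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
# The only A records ipv4only.arpa has, which is why they can reveal the prefix.
KNOWN_IPV4ONLY = {ipaddress.IPv4Address("192.0.0.170"),
                  ipaddress.IPv4Address("192.0.0.171")}

def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """DNS64 side: embed an A record's address in the low 32 bits of a /96 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))

def extract_ipv4(prefix: str, ipv6: str) -> str:
    """NAT64/CLAT side: recover the IPv4 destination from a synthesized address.
    Refuses addresses outside the prefix, which should never be translated."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside the NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

def discover_prefix(aaaa_answers):
    """464XLAT-style prefix discovery from the AAAA answers for ipv4only.arpa.
    Each answer's low 32 bits must be 192.0.0.170 or .171 and all answers must
    share the same high 96 bits; otherwise return None (no DNS64 in the path,
    or inconsistent answers that a client should not trust)."""
    prefixes = set()
    for ans in aaaa_answers:
        a = int(ipaddress.IPv6Address(ans))
        if ipaddress.IPv4Address(a & 0xFFFFFFFF) not in KNOWN_IPV4ONLY:
            return None
        prefixes.add(ipaddress.IPv6Network(((a >> 32) << 32, 96)))
    if len(prefixes) != 1:
        return None
    return str(prefixes.pop())

if __name__ == "__main__":
    prefix = discover_prefix(IPV4ONLY_ARPA_AAAA)
    print("discovered NAT64 prefix:", prefix)
    print("synthesized:", synthesize_aaaa(prefix, "198.51.100.7"))
    print("extracted:", extract_ipv4(prefix, "64:ff9b::c000:ab"))
```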