• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Guide to setting up IPv6, DHCP6/NAT64/DNS64 on FortiOS 5.0 (FortiGate)

Started by Chainik, June 25, 2013, 03:48:56 AM


Chainik


kasperd

A couple of small comments. I would recommend against blocking ICMPv6 echo requests. Blocking them is not only making debugging harder, it also breaks some tunnelling protocols like for example Teredo. Also it sounds a bit strange to me, if they really made DNS64 synthesize AAAA records by default, even if there is already an AAAA record. So what exactly does that default setting do? Does it replace the existing AAAA records with a synthesized AAAA record? Or will it add the synthesized AAAA record such that the reply contains both real and synthetic AAAA records?

Chainik

Yes, good point on ICMP, I will update the guide.

Regarding AAAA synthesis/NAT64, I just re-checked the behaviour, which is as follows:

--- with
config system nat64
    set status enable
    set always-synthesize-aaaa-record enable  #implicit default setting
end

$ dig aaaa www.google.com

; <<>> DiG 9.7.3 <<>> aaaa www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19157
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      AAAA

;; ANSWER SECTION:
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2991
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2992
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2994
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2990
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2993
...


--- with
config system nat64
    set status enable
    set always-synthesize-aaaa-record disable
end


$ dig aaaa www.google.com

; <<>> DiG 9.7.3 <<>> aaaa www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      AAAA

;; ANSWER SECTION:
www.google.com.         261     IN      AAAA    2a00:1450:4009:808::1014
...


So it looks like the default setting will simply ignore existing AAAA records and replace them with synthesized ones.

Not a good default in my opinion, but that is how it behaves with the current firmware.

-- ab1
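To make the difference between the two dig outputs above checkable without eyeballing addresses, here is an added helper (my own example, not part of the guide or of FortiOS) that parses a dig answer section, recognises RFC 6052 addresses under the 64:ff9b::/96 well-known prefix, recovers the embedded IPv4 address, and reports whether a DNS64 resolver replaced, augmented or left alone the native AAAA records when compared against an answer from a resolver with synthesis disabled. The sample answer sections are constructed from the records quoted in the post.

```python
import ipaddress
import re

# RFC 6052 well-known prefix, the one the FortiGate DNS64 used in the dig output above
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed samples: the answer sections from the two dig runs quoted in the post
DIG_ALWAYS_SYNTH = """
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2991
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2992
"""
DIG_SYNTH_DISABLED = """
www.google.com.         261     IN      AAAA    2a00:1450:4009:808::1014
"""

# One AAAA record per line: name, TTL, class, type, address
AAAA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+AAAA\s+(\S+)", re.M)


def parse_aaaa(dig_output):
    """Return the IPv6 addresses of all AAAA records in a dig answer section."""
    return [ipaddress.IPv6Address(m.group(2)) for m in AAAA_RE.finditer(dig_output)]


def embedded_ipv4(addr, prefix=NAT64_PREFIX):
    """Return the IPv4 address embedded in a NAT64-synthesized AAAA, or None if native."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in prefix:
        return None
    # With a /96 prefix the IPv4 address occupies the low 32 bits (RFC 6052 section 2.2)
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def classify_dns64(dns64_answer, reference_answer):
    """Compare an answer from the DNS64 resolver with one from a resolver that does no
    synthesis. Returns 'replace' (native AAAA dropped, only synthesized ones returned),
    'augment' (both kinds returned), 'synthesize-only' (name had no native AAAA, so
    synthesis is the expected RFC 6147 behaviour) or 'native' (nothing synthesized)."""
    dns64 = parse_aaaa(dns64_answer)
    synth = [a for a in dns64 if embedded_ipv4(a) is not None]
    native = [a for a in dns64 if embedded_ipv4(a) is None]
    reference_native = [a for a in parse_aaaa(reference_answer) if embedded_ipv4(a) is None]
    if not synth:
        return "native"
    if native:
        return "augment"
    return "replace" if reference_native else "synthesize-only"
```

Run against the two outputs in the post it reports "replace", which is exactly the always-synthesize-aaaa-record default behaviour described.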

kasperd

Quote from: Chainik on June 26, 2013, 03:27:50 AM
So it looks like the default setting will simply ignore existing AAAA records and replace them with synthesized ones.

Not a good default in my opinion, but that is how it behaves with the current firmware.

It's a very bad default. I don't know what they were thinking when choosing that as the default.