Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Private ipv4/public ipv6 DNS configuration

Started by SteveGraham, October 31, 2013, 12:24:26 PM


SteveGraham

1. Not everything I have supports ipv6, so I want to run my LAN dual stacked
2. I have DHCP and DNS servers running on my WHS 2011 box
3. I have an ipv6 tunnel terminated on an ASUS RT-N66U
4. I have my primary domain name server hosted on HE Free DNS

What I have done is set up a sub-domain for my LAN on the lines of "mysub.mydom.net" with the intention that all devices on my LAN will be members of that sub-domain. An NS record then delegates that sub-domain to my WHS DNS server, configured as the authoritative, non-recursive name server for that zone. All devices on the LAN are pointed to the Asus router for their DNS, which gets its view of the LAN sub-domain just like any other DNS device on the internet.

It all works fine but does "leak" my private address space onto the global internet, that is, anyone looking up "host.mysub.mydom.net" will get both a public ipv6 address and a private ipv4 one.  Is this a problem and if so what's a better way to do it?

kasperd

Quote from: SteveGraham on October 31, 2013, 12:24:26 PM:
It all works fine but does "leak" my private address space onto the global internet, that is, anyone looking up "host.mysub.mydom.net" will get both a public ipv6 address and a private ipv4 one. Is this a problem and if so what's a better way to do it?

I suppose what you really wanted was for external lookups to see only the IPv6 address and not the IPv4 address, but local lookups of the same hostname would see both.

One way to achieve this would be to use a split horizon DNS configuration on your authoritative DNS server, if it supports that. If the authoritative DNS server does not support split horizon, you could instead have it serve only IPv6 addresses, and have the recursive resolver also be configured as authoritative for the zone.

In the latter configuration you would have to configure the zone as authoritative on both DNS servers with different content. That means if you make any changes to the IPv6 addresses, you have to update the zone in two locations. In such a configuration, although one of the servers is both recursive and authoritative, it is not supposed to answer requests from the outside world. It should only handle requests from the LAN and drop requests from outside.

Do you want devices on your LAN to be reachable from the rest of the internet, or only from the LAN itself?
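A worked illustration of the split-horizon approach described in this reply, added here and not code from the thread or from any poster's setup: a constructed internal view of a hypothetical "mysub.mydom.net" zone, the external view derived from it by dropping RFC 1918 and ULA addresses, and a query answered differently depending on whether the client is on the LAN. The addresses are documentation ranges and the LAN prefixes are assumptions.

```python
import ipaddress

# Constructed sample internal view of a LAN sub-domain (not the poster's real zone).
# IPv4 uses RFC 1918 and TEST-NET-3 ranges; IPv6 uses the 2001:db8::/32 documentation prefix.
INTERNAL_ZONE = [
    ("host.mysub.mydom.net", "A",    "192.168.1.20"),
    ("host.mysub.mydom.net", "AAAA", "2001:db8:1234:1::20"),
    ("nas.mysub.mydom.net",  "A",    "192.168.1.30"),
    ("nas.mysub.mydom.net",  "AAAA", "2001:db8:1234:1::30"),
    ("web.mysub.mydom.net",  "A",    "203.0.113.5"),
    ("web.mysub.mydom.net",  "AAAA", "2001:db8:1234:1::5"),
]

# Address space that must never appear in answers given to the public internet:
# RFC 1918 IPv4 plus IPv6 unique local addresses (fc00::/7).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Assumed LAN prefixes that identify "inside" clients for the split-horizon decision.
LAN_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "2001:db8:1234:1::/64")]

def is_private_address(value):
    """True if the address lies in RFC 1918 or ULA space (a version mismatch simply yields False)."""
    addr = ipaddress.ip_address(value)
    return any(addr in net for net in PRIVATE_NETS)

def leaked_records(zone):
    """Records that would leak private address space if the zone were served as-is."""
    return [r for r in zone if r[1] in ("A", "AAAA") and is_private_address(r[2])]

def external_view(zone):
    """Derive the public view from the internal one by dropping the private-address records."""
    leaks = set(leaked_records(zone))
    return [r for r in zone if r not in leaks]

def split_horizon_answer(zone, qname, client):
    """Answer a query the way a split-horizon server would: LAN clients see the
    internal view, everyone else only the external view."""
    client_addr = ipaddress.ip_address(client)
    view = zone if any(client_addr in net for net in LAN_NETS) else external_view(zone)
    return [(rtype, value) for (name, rtype, value) in view if name == qname]

if __name__ == "__main__":
    for client in ("192.168.1.50", "198.51.100.9"):
        print(client, split_horizon_answer(INTERNAL_ZONE, "host.mysub.mydom.net", client))
```

Running leaked_records against a zone before publishing it is the cheap check for the leak the opening post describes; a public client querying "host" gets only the AAAA record.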

SteveGraham

Quote from: kasperd:
I suppose what you really wanted was for external lookups to see only the IPv6 address and not the IPv4 address, but local lookups of the same hostname would see both.

Certainly the RFCs I've looked at say that I shouldn't be returning private addresses to an internet client. My background is in general telecoms engineering rather than datacoms, so at this stage I don't really know what I want... yet. All I'm really doing is experimenting in an attempt to learn how it all should/can work, and that's the rub: if you know the terminology and that something is possible then it's easy enough to do a search and find things out, but if you don't have those two things, you never know if you're not finding an answer because you've not yet asked the right question or if what you are trying to do is just not possible.

I reasoned that there must be at least a few small and home networks with private NS doing ipv4 and now adding public ipv6 and it should be a common enough situation to warrant there being some pre-planned method of limiting who will see which once it goes public.

The really pertinent part of your response is the parting question and I guess I don't want all my devices reachable from the internet, only a very small number of them. What I do want is for as much as possible to be dynamically updated when things come and go.  This being the case, if it's possible, would the way to do it be to use the /48 prefix to set up a public subnet through the HE name servers, managed manually and have a "private" subnet from it run on my DNS, updated dynamically, dual homing the promiscuous boxes with static addresses on the open subnet?  I feel some more research coming on!

kasperd

Quote from: SteveGraham on November 10, 2013, 09:15:14 AM:
Certainly the RFCs I've looked at say that I shouldn't be returning private addresses to an internet client.

I recall seeing such a statement as well. I do not recall seeing an exact rationale behind it. One needs to understand the rationale behind it to figure out if it is really applicable to your situation.

Quote from: SteveGraham on November 10, 2013, 09:15:14 AM:
My background is in general telecoms engineering rather than datacoms so at this stage I don't really know what I want... yet. All I'm really doing is experimenting in an attempt to learn how it all should/can work and that's the rub, if you know the terminology and that something is possible then it's easy enough to do a search and find things out but if you don't have those two things, you never know if you're not finding an answer because you've not yet asked the right question or if what you are trying to do is just not possible.

Whenever you are learning something new, it is a good idea to stop and ask questions once in a while.

Quote from: SteveGraham on November 10, 2013, 09:15:14 AM:
I reasoned that there must be at least a few small and home networks with private NS doing ipv4 and now adding public ipv6 and it should be a common enough situation to warrant there being some pre-planned method of limiting who will see which once it goes public.

I haven't come across your exact question before. My own LAN is using a transitioning mechanism I developed myself, which happens to work in a way that avoids the challenge you are facing. Because of that, I haven't actually thought about that exact question until you asked it.

Quote from: SteveGraham on November 10, 2013, 09:15:14 AM:
The really pertinent part of your response is the parting question and I guess I don't want all my devices reachable from the internet, only a very small number of them.

In that case it may be relevant to give two different answers to the question. One answer applicable to devices you do not want to be reachable, and one answer applicable to devices you do want to be reachable.

For a device which should not be reachable from the internet, you can put both the public IPv6 and private IPv4 address in DNS. Trying to access the device from elsewhere may give unexpected results due to the private IPv4 address in DNS. But the domain name wasn't supposed to be accessed from that location in the first place. To ensure the device cannot be accessed from the outside through its public IPv6 address, you should be using a firewall on the border of your network. It is feasible to keep such a firewall completely stateless and thus avoid some of the problems often associated with firewalls on IPv4.

For a device which should be reachable from the internet, you need to ensure that only the IPv6 address is visible. If there was an A record with a private IPv4 address as well, clients may connect to that address and reach a completely different device from the one intended. The next question is, should the device be reachable from IPv4-only clients? If it needs to be reachable from IPv4-only clients on your LAN, then you need split-horizon DNS. If it needs to be reachable from IPv4-only clients outside your LAN through the public internet, then you have a bit of a challenge. I am working on a service for that sort of scenario.

Quote from: SteveGraham on November 10, 2013, 09:15:14 AM:
What I do want is for as much as possible to be dynamically updated when things come and go.

At this point a relevant question is, if you want a DNS name, which points to the device even if it moves between your LAN and other IPv6 enabled networks. As long as it only needs to point to the device as long as it is on your LAN, it is easy to arrange for the device to have the same IPv6 address every time it is on your LAN.

Quote from: SteveGraham on November 10, 2013, 09:15:14 AM:
This being the case, if it's possible, would the way to do it be to use the /48 prefix to set up a public subnet through the HE name servers, managed manually and have a "private" subnet from it run on my DNS, updated dynamically, dual homing the promiscuous boxes with static addresses on the open subnet?

There are reasons why you might want to partition your LAN into multiple /64 segments. And in such a situation a routed /48 is the way to go. But none of the things you have mentioned so far suggests that you have a need for multiple segments.

You can have dynamic and static IPv6 addresses on the same /64 prefix. You can even have multiple static and multiple dynamic IPv6 addresses on a single network interface. A use case for that could be that you can have one machine hosting multiple web domains with IP-based vhosts (rather than name-based vhosts, commonly seen on IPv4), and for a bit of additional privacy outgoing connections from that machine use dynamic IPv6 addresses (with old addresses remaining on the interface after a new one has been added, such that open TCP connections can keep going).

Quote from: SteveGraham on November 10, 2013, 09:15:14 AM:
I feel some more research coming on!

There is always something new to learn.