[Question] Setup guide public NAT64/DNS64

[TumTumTom]

Hi, is there a step-by-step guide for a public NAT64/DNS64 VPS somewhere?

I tried jool for the first time and NAT64 is awesome. But I can't find much about the implementations for public IPv6 (usually /64 subnets) servers. I followed the installation from https://www.jool.mx/en/install.html & the stateful NAT64 guide for my internal lab.

I found this list with public services: https://nat64.xyz/ but due to privacy & logging issues I would like to host this myself.

How can I do this on, for example, a public VPS with 1 IPv4 address and a /64 IPv6 subnet? I see Jool as a solution to the problem with my IPv6-only servers, but would like to know how I can do this on a VPS.

[ydahhrk]

I see Jool as a solution to the problem with my IPv6-only servers, but would like to know how I can do this on a VPS.

I don't really get it. What's the difference?

If your /64 IPv6 subnet is a bunch of servers, and you just want to make them available from IPv4, you can set up a NAT64 with one BIB entry per server. Each BIB entry would specify which server corresponds to which of your IPv4 address's ports.

[TumTumTom]

I have multiple servers with public /64 (IPv6 only) subnets assigned to each server for internet access.

I would like to use a VPS server as public NAT64 and DNS64. This is a server with 1 public /64 IPv6 subnet and 1 public IPv4 address. The IPv6 only servers must connect to the NAT64/DNS64 VPS server over the internet for DNS just like those public services. I just can't find any examples of how to implement this. IPv6 is becoming more important due to the IPv4 shortages.

[ydahhrk]

Ok, suppose your NAT64 VPS server's /64 is 1234:5678::/64.

Your 1234:5678::/64 is the equivalent to the tutorial's 2001:db8::1/128.

So, in the 1234:5678::/64 server, do

modprobe jool
jool instance add "example" --netfilter --pool6 64:ff9b::/96

Then any traffic that arrives to 1234:5678::/64 with destination address 64:ff9b::/96 will be translated to IPv4.

The following step would be to arrange routing so everyone involved knows to send 64:ff9b::/96 to 1234:5678::/64. But that depends on how you've set up your routing, so I can't help you with that.

Does this answer your question?

[TumTumTom]

Thank you. The routing part is unclear to me. I don't need to route to public NAT64/DNS64 services (Trex for example). These servers work directly in DNS without routing. At this point I got stuck, because I performed the steps you describe (in my internal lab) and was able to route it. But what if I want to use DNS with bind9 and jool without routes to the VPS?

[ydahhrk]

Normally, your clients are connected to a router, which is their default gateway.

The router itself has a route to 64:ff9b::/96 (or whatever pool6 you set up in your NAT64/DNS64).

You don't have to route to Trex because your machine has a default gateway, and that default gateway can figure out the way. (Through routing protocols or whatever.)

Does this answer your question?

[zod076]

But what if I want to use DNS with bind9 and jool without routes to the VPS?

Abit late, but if I'm reading this correctly, I think you want a NAT64/DNS64 setup using GUA addresses instead of the WKP 64:ff9b::/96.

On your PLAT box, assuming your /64 is 2001:db8:aaaa:bbbb::/64 ..

jool instance add "default" --iptables --pool6 2001:db8:aaaa:bbbb:64::/96

In bind9, set dns64 2001:db8:aaaa:bbbb:64::/96 { .. };

Then on the client point your DNS to your PLAT/BIND9 IPv6 address.