DNS64

The Citrix ADC DNS64 feature responds with a synthesized DNS AAAA record to an IPv6 client sending an AAAA request for an IPv4-only domain. The DNS64 feature is used with the NAT64 feature to enable seamless communication between IPv6-only clients and IPv4-only servers. DNS64 enables IPv6-only clients to discover the IPv4 domain, and NAT64 enables communication between the clients and servers.

For synthesizing an AAAA record, the Citrix ADC appliance fetches a DNS A record from a DNS server. The DNS64 prefix is a 96-bit IPv6 prefix configured on the Citrix ADC appliance. The Citrix ADC appliance synthesizes the AAAA record by concatenation of the DNS64 Prefix (96 bits) and the IPv4 address (32 bits).

To enable communication between IPv6 clients and IPv4 servers, a Citrix ADC appliance with DNS64 and NAT64 configuration can be deployed either on the IPv6 client side or on the IPv4 server side. In both cases, the DNS64 configuration on the Citrix ADC appliance is similar and includes a load balancing virtual server acting as a proxy server for DNS servers. If the Citrix ADC appliance is deployed on the client side, the load balancing virtual server must be specified, on the IPv6 client, as the nameserver for a domain.

Consider an example where a Citrix ADC appliance with DNS64 and NAT64 configuration is configured on the IPv4 side. In this example, an enterprise hosts site www.example.com on server S1, which has an IPv4 address. To enable communication between IPv6 clients and IPv4 server S1, Citrix ADC appliance NS1 is deployed with a DNS64 and stateful NAT64 configuration.

The DNS64 configuration includes DNS load balancing virtual server LBVS-DNS64-1, on which the DNS64 option is enabled. A DNS64 policy named DNS64-Policy-1, and an associated DNS64 action named DNS64-Action-1, are also configured on NS1, and DNS64-Policy-1 is bound to LBVS-DNS64-1. LBVS-DNS64-1 acts as a DNS proxy server for DNS servers DNS-1 and DNS-2.

When traffic arriving at LBVS-DNS64-1 matches the conditions specified in DNS64-Policy-1, the traffic is processed according to the settings in DNS64-Action-1. DNS64-Action-1 specifies the DNS64 prefix used, with the A record received from a DNS server, to synthesize an AAAA record.

The global DNS parameter cacherecords is enabled on the Citrix ADC appliance, so the appliance caches DNS records. This setting is necessary for the DNS64 to work properly.

The following table lists the settings used in the above example: DNS64 example settings.

Following is the traffic flow in this example:

  1. IPv6 client CL1 sends a DNS AAAA request for the IPv6 address of the site www.example.com.
  2. The request is received by the DNS load balancing virtual server LBVS-DNS64-1 on Citrix ADC appliance NS1.
  3. NS1 checks its DNS cache records for the requested AAAA record and finds that the AAAA record for the site www.example.com does not exist in the DNS cache.
  4. LBVS-DNS64-1’s load balancing algorithm selects DNS server DNS-1 and forwards the AAAA request to it.
  5. Because the site www.example.com is hosted on an IPv4 server, the DNS server DNS-1 does not have any AAAA record for the site www.example.com.
  6. DNS-1 sends either an empty DNS AAAA response or an error message to LBVS-DNS64-1.
  7. Because the DNS64 option is enabled on LBVS-DNS64-1 and the AAAA request from CL1 matches the condition specified in DNS64-Policy-1, NS1 sends a DNS A request to DNS-1 for the IPv4 address of www.example.com.
  8. DNS-1 responds by sending the DNS A record for www.example.com to LBVS-DNS64-1. The A record includes the IPv4 address for www.example.com.
  9. NS1 synthesizes an AAAA record for the site www.example.com with:
    • IPv6 address for site www.example.com = Concatenation of the DNS64 Prefix (96 bits) specified in the associated DNS64 action and the IPv4 address of the DNS A record (32 bits) = 2001:DB8:300::192.0.2.60
  10. NS1 sends the synthesized AAAA record to IPv6 client CL1. NS1 also caches the A record into its memory. NS1 uses the cached A record to synthesize AAAA records for subsequent AAAA requests.

Points to Consider for a DNS64 Configuration

Before configuring DNS64 on a Citrix ADC appliance, consider the following points:

  • The DNS64 feature of the Citrix ADC appliance is compliant with RFC 6174.

  • The DNS64 feature of the Citrix ADC appliance does not support DNSSEC. The Citrix ADC appliance does not synthesize an AAAA record from a DNSSEC response received from a DNS server. A response is classified as a DNSSEC response, only if it contains RRSIG records.

  • The Citrix ADC appliance supports DNS64 prefix of length of only 96 bits.

  • Though the DNS64 feature is used with the NAT64 feature, the DNS64 and NAT64 configurations are independent on the Citrix ADC appliance. For a particular flow, you must specify the same IPv6 prefix value for the DNS64 prefix and the NAT64 prefix parameters, so that the synthesized IPv6 addresses received by the client are routed to the particular NAT64 configuration. For more information on configuring NAT64 on a Citrix ADC appliance, see Stateful NAT64.

  • The following are the different cases of DNS64 processing by the Citrix ADC appliance:

    • If the AAAA response from the DNS server includes AAAA records, each record in the response is checked against the set of exclusion rules configured on the Citrix ADC appliance for the particular DNS64 configuration. The Citrix ADC appliance removes from the response the IPv6 addresses whose prefix matches an exclusion rule. If the resulting response includes at least one IPv6 record, the Citrix ADC appliance forwards this response to the client; otherwise, the appliance synthesizes an AAAA response from the A record of the domain and sends it to the IPv6 client.

    • If the AAAA response from the DNS server is an empty answer response, the appliance requests A resource records for the same domain name, or searches its own records if the appliance is the authoritative name server for the domain. If the request results in an empty answer or an error, the same is forwarded to the client.

    • If the response from the DNS server includes RCODE=1 (format error), the Citrix ADC appliance forwards the same to the client. If there is no response before the timeout, the Citrix ADC appliance sends a response with RCODE=2 (server failure) to the client.

    • If the response from the DNS server includes a CNAME, the chain is followed until the terminating A or AAAA record is reached. If the CNAME target does not have any AAAA resource records, the Citrix ADC appliance fetches the DNS A record to be used for synthesizing an AAAA record. The CNAME chain is added to the answer section along with the synthesized AAAA record and then sent to the client.

  • The DNS64 feature of the Citrix ADC appliance also supports responding to PTR requests. When a PTR request for the domain of an IPv6 address is received on the appliance and the IPv6 address matches any of the configured DNS64 prefixes, the appliance creates a CNAME record mapping the IP6.ARPA domain to the corresponding IN-ADDR.ARPA domain, and the newly formed IN-ADDR.ARPA domain is used for resolution. The appliance searches its local PTR records and, if the records are not present, sends a PTR request for the IN-ADDR.ARPA domain to the DNS server. The Citrix ADC appliance uses the response from the DNS server to synthesize the response for the initial PTR request.
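To make the synthesis rule from steps 7 to 9 of the traffic flow and the processing cases above concrete, here is an added Python model (not Citrix code) of how a 96-bit DNS64 prefix is concatenated with an A record, how the exclusion rule prunes native AAAA records before falling back to synthesis, and how a PTR name under the prefix is mapped to its IN-ADDR.ARPA name. The prefix and addresses are the page's example values; the exclusion prefix and the PTR query are constructed.

```python
import ipaddress

# DNS64 prefix from DNS64-Action-1 in the page's example.
DNS64_PREFIX = ipaddress.IPv6Network("2001:DB8:300::/96")
# Constructed PTR query: the reverse name of the synthesized address.
PTR_QUERY = ipaddress.IPv6Address("2001:DB8:300::192.0.2.60").reverse_pointer


def synthesize_aaaa(prefix, ipv4):
    """Concatenate the 96-bit DNS64 prefix with the 32-bit IPv4 address."""
    if prefix.prefixlen != 96:
        raise ValueError("only a 96-bit DNS64 prefix is supported")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def filter_aaaa(records, exclude_prefixes):
    """Drop native AAAA records whose address falls inside an excluded prefix."""
    excluded = [ipaddress.IPv6Network(p) for p in exclude_prefixes]
    return [r for r in records
            if not any(ipaddress.IPv6Address(r) in n for n in excluded)]


def answer_aaaa(aaaa_records, a_record, exclude_prefixes, prefix=DNS64_PREFIX):
    """Model the DNS64 cases: forward surviving native AAAA records; otherwise
    synthesize from the A record; return an empty answer if there is no A record."""
    kept = filter_aaaa(aaaa_records, exclude_prefixes)
    if kept:
        return [str(ipaddress.IPv6Address(r)) for r in kept]
    if a_record is None:
        return []
    return [synthesize_aaaa(prefix, a_record)]


def ip6_arpa_to_in_addr_arpa(name, prefix=DNS64_PREFIX):
    """Map a PTR name whose address lies under the DNS64 prefix to the
    IN-ADDR.ARPA name the appliance queries; None if it is not under the prefix."""
    labels = name.lower().rstrip(".").split(".")
    # 32 nibble labels plus "ip6" and "arpa"
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None
    addr = ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16))
    if addr not in prefix:
        return None
    # The embedded IPv4 address is the low 32 bits.
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF).reverse_pointer
```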

Configuration Steps

Creating the required entities for a DNS64 configuration on the Citrix ADC appliance involves the following procedures:

  • Add DNS services. DNS services are logical representations of the DNS servers for which the Citrix ADC appliance acts as a DNS proxy server. For more information on setting optional parameters of a service, see Load Balancing.

  • Add DNS64 action and DNS64 policy and then bind the DNS64 action to the DNS64 policy. A DNS64 policy specifies conditions to be matched against traffic for DNS64 processing according to the settings in the associated DNS64 action. The DNS64 action specifies the mandatory DNS64 prefix and the optional exclude rule and mapped rule settings.

  • Create a DNS load balancing virtual server and bind the DNS services and the DNS64 policy to it. The DNS load balancing virtual server acts as a DNS proxy server for DNS servers represented by the bound DNS services. Traffic arriving at the virtual server is matched against the bound DNS64 policy for DNS64 processing. For more information on setting optional parameters of a load balancing virtual server, see Load Balancing.

    Note: The CLI has separate commands for these two tasks, but the GUI combines them in a single dialog box.

  • Enable caching of DNS records. Enable the global parameter that makes the Citrix ADC appliance cache the DNS records obtained through DNS proxy operations. For more information on enabling caching of DNS records, see Domain Name System.

CLI procedures

To create a service of type DNS by using the CLI:

At the command prompt, type:

  • add service <name> <IP> <serviceType> <port> …

To create a DNS64 action by using the CLI:

At the command prompt, type:

  • add dns action64 <actionName> -Prefix <ipv6_addr|*> [-mappedRule <expression>] [-excludeRule <expression>]

To create a DNS64 policy by using the CLI:

At the command prompt, type:

  • add dns policy64 <name> -rule <expression> -action <string>

To create a DNS load balancing virtual server by using the CLI:

At the command prompt, type:

  • add lb vserver <name> DNS <IPAddress> <port> -dns64 ( ENABLED | DISABLED ) [-bypassAAAA ( YES | NO )] …

To bind the DNS services and the DNS64 policy to the DNS load balancing virtual server by using the CLI:

At the command prompt, type:

  • bind lb vserver <name> <serviceName> …
  • bind lb vserver <name> -policyName <string> -priority <positive_integer> …

GUI procedures

To create a service of type DNS by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Services, and add a new service.
  2. Set the following parameters:
    • Service Name*
    • Server*
    • Protocol* (Select DNS from the drop-down list.)
    • Port*

To create a DNS64 action by using the GUI:

Navigate to Traffic Management > DNS > Actions, on the DNS Actions64 tab, add a new DNS64 action.

To create a DNS64 policy by using the GUI:

Navigate to Traffic Management > DNS > Policies, on the DNS Policies64 tab, add a new DNS64 policy.

To create a DNS load balancing virtual server and bind the DNS services and the DNS64 policy to it by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and add a new virtual server.
  2. Set the following parameters:
    • Name*
    • IP Address*
    • Protocol* (Select DNS from the drop-down list.)
    • Port*
  3. Select the Enable DNS64 option.
  4. In the Services pane, bind the service to the virtual server.
  5. In the Policies pane, bind the policy to the virtual server.

Sample Configuration

> add service SVC-DNS-1 203.0.113.50 DNS 53
 Done

> add service SVC-DNS-2 203.0.113.60 DNS 53
 Done

> add dns Action64 DNS64-Action-1 -Prefix 2001:DB8:300::/96
 Done

> add dns Policy64 DNS64-Policy-1 -rule "CLIENT.IPv6.SRC.IN_SUBNET(2001:DB8:5001::/64)" -action DNS64-Action-1
 Done

> add lb vserver LBVS-DNS64-1 DNS 2001:DB8:9999::99 53 -dns64 ENABLED
 Done

> bind lb vserver LBVS-DNS64-1 SVC-DNS-1
 Done

> bind lb vserver LBVS-DNS64-1 SVC-DNS-2
 Done

> bind lb vserver LBVS-DNS64-1 -policyname DNS64-Policy-1 -priority 2
 Done
