The DNS64 code was written by Viagenie, 2009, by Simon Perrault as part
of the Ecdysis project. The code is copyright by them, and has the BSD
license (see the dns64/dns64.c file).

To enable DNS64 functionality in Unbound, two directives in unbound.conf must
be edited:

1. The "module-config" directive must start with "dns64". For example:

    module-config: "dns64 validator iterator"

If you're not using DNSSEC then you may remove "validator".

2. The "dns64-prefix" directive indicates your DNS64 prefix. For example:

    dns64-prefix: 64:FF9B::/96

The prefix must be a /96 or shorter.

To test that things are working right, perform a query against Unbound for a
domain name for which no AAAA record exists. You should see a AAAA record in
the answer section. The corresponding IPv6 address will be inside the DNS64
prefix. For example:

    $ unbound -c unbound.conf
    $ dig @localhost jazz-v4.viagenie.ca aaaa
    [...]
    ;; ANSWER SECTION:
    jazz-v4.viagenie.ca.    86400   IN      AAAA    64:ff9b::ce7b:1f02


NAT64 support was added by David Lamparter in 2022; license(s) of the
surrounding code apply. Note that NAT64 is closely related but functionally
orthogonal to DNS64; it allows Unbound to send outgoing queries to IPv4-only
servers over IPv6 through the configured NAT64 prefix. This allows running
an Unbound instance on an IPv6-only host without breaking every single domain
that only has IPv4 servers. Whether that Unbound instance also does DNS64 is
an independent choice.

To enable NAT64 in Unbound, add to unbound.conf's "server" section:

    do-nat64: yes

The NAT64 prefix defaults to the DNS64 prefix, which in turn defaults to the
standard 64:FF9B::/96 prefix. You can reconfigure it with:

    nat64-prefix: 64:FF9B::/96

To test NAT64 operation, pick a domain that only has IPv4 reachability for its
nameservers and try resolving any names in that domain.
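
To check the dig answer above by hand, the following added example (not part
of the Unbound source or this README) decodes the IPv4 address embedded in a
synthesized AAAA record and rebuilds the AAAA from an A record. It goes beyond
the /96 case shown above by assuming the RFC 6052 address layout and prefix
lengths; the function names are illustrative.

```python
import ipaddress

# Prefix lengths defined by RFC 6052 (assumption: the README only says "/96 or shorter").
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

def _v4_offsets(prefixlen):
    """Byte offsets holding the IPv4 address; octet 8 (bits 64-71) is reserved."""
    if prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{prefixlen} is not an RFC 6052 prefix length")
    return [i for i in range(prefixlen // 8, 16) if i != 8][:4]

def synthesize(prefix, ipv4):
    """Return the AAAA address a DNS64 resolver would build for an A record."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)
    v4 = ipaddress.IPv4Address(ipv4).packed
    for off, byte in zip(_v4_offsets(net.prefixlen), v4):
        out[off] = byte
    return ipaddress.IPv6Address(bytes(out))

def extract(prefix, ipv6):
    """Return the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    offsets = _v4_offsets(net.prefixlen)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(bytes(addr.packed[i] for i in offsets))

def check_answer(prefix, aaaa, expected_a):
    """True only if the AAAA is inside the prefix and maps to the expected A record."""
    got = extract(prefix, aaaa)
    return got is not None and got == ipaddress.IPv4Address(expected_a)

if __name__ == "__main__":
    # Prefix and AAAA value are taken from the dig output above;
    # 206.123.31.2 is the decoded form of ce7b:1f02.
    print(extract("64:FF9B::/96", "64:ff9b::ce7b:1f02"))
    print(synthesize("64:FF9B::/96", "206.123.31.2"))
    # Constructed negative case: an address outside the configured prefix.
    print(check_answer("64:FF9B::/96", "2001:db8::ce7b:1f02", "206.123.31.2"))
```

An AAAA answer for an IPv4-only name that falls outside the configured prefix,
or that decodes to a different address than the name's A record, did not come
from this DNS64 configuration.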