Tayga NAT64 and Bind DNS64

NAT64 and DNS64 together form a solution for protocol translation and interworking in the early phase of the IPv6 transition: users on an IPv6-only network can reach existing IPv4 Internet resources directly, without changing any configuration on either end.

Rough diagram of how tayga works:
[Figure 1: tayga operating principle diagram (image not included)]
Test configuration:
-----------------------------------------
Step 1: basic environment setup:

[root@tayge ~]# systemctl stop firewalld
[root@tayge ~]# setenforce 0
[root@tayge ~]# yum -y install epel-release
[root@tayge ~]# yum makecache

Step 2: configure the interface addresses:

[root@tayge ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens34   # internal (IPv6-facing) interface
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6FORWARDING=yes
IPV6ADDR=2222:1111::1/96
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens34
UUID=3e907cb9-be64-4042-8393-f43312eb84b0
DEVICE=ens34
ONBOOT=yes
[root@tayge ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33    # external (IPv4-facing) interface
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="1754d42e-867c-4e63-aff6-18051ba017d5"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="192.168.1.120"
PREFIX="24"
GATEWAY="192.168.1.1"
DNS1="114.114.114.114"
IPV6_PRIVACY="no"

NAT64 configuration (tayga):

Step 3: install the tayga service and edit its configuration file:

[root@tayge ~]# yum install tayga -y
[root@tayge ~]# cat /etc/tayga/default.conf | grep -v ^# | grep -v ^$   # in the default config I only changed the prefix; everything else is left at its default
tun-device nat64
ipv4-addr 192.168.255.1
prefix 2020:2019:2018::/96
dynamic-pool 192.168.255.0/24
data-dir /var/lib/tayga/default

Step 4: assign IPv4 and IPv6 addresses to the nat64 interface:

[root@tayge ~]# systemctl start tayga@default
[root@tayge ~]# ip addr add 2020:2020::1/96 dev nat64      # any address will do
[root@tayge ~]# ip addr add 192.168.255.1/24 dev nat64
[root@tayge ~]# ip link set nat64 up

Step 5: NAT the dynamic-pool addresses so they can reach the Internet:

[root@tayge ~]# yum install iptables-services -y
[root@tayge ~]# iptables -t nat -A  POSTROUTING -s 192.168.255.0/24 -d 0.0.0.0/0 -j SNAT  --to 192.168.1.120
[root@tayge ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@tayge ~]# echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
[root@tayge ~]# ping -I 192.168.255.1 114.114.114.114
PING 114.114.114.114 (114.114.114.114) from 192.168.255.1 : 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=77 time=34.1 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=67 time=33.3 ms
64 bytes from 114.114.114.114: icmp_seq=3 ttl=70 time=32.1 ms
64 bytes from 114.114.114.114: icmp_seq=4 ttl=72 time=35.7 ms
^C
--- 114.114.114.114 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 32.160/33.850/35.739/1.313 ms

Step 6: route the IPv6 prefix and the dynamic address pool to the nat64 interface:

[root@tayge ~]# route add -net 192.168.255.0/24 dev nat64     # needed when the nat64 interface's IPv4 address is not inside 192.168.255.0/24
[root@tayge ~]# ip route add 2020:2019:2018::/96 dev nat64

Tested from an IPv6-only machine; the test succeeded:
[Figure 2: access test from the IPv6-only client (image not included)]

DNS64 configuration (bind):

[root@tayge ~]# yum install bind -y
[root@tayge ~]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.1.120; };
        listen-on-v6 port 53 { 2222:1111::1;::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        forwarders  { 202.96.134.133; 114.114.114.114; };
        dns64 2020:2019:2018::/96 {
                clients { 2222:1111::/96; };
                // mapped { !10/8; 172.16/12; any; };
                break-dnssec yes;
                // exclude { 2020:2019:2018::/96; };
                suffix ::;
        };

        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
[root@tayge ~]# systemctl start named

Testing that NAT64 name resolution works:
[Figures 3 and 4: DNS64 resolution test (images not included)]
----------------------------------------
After the setup was complete, testing showed that most websites and video streaming work normally. Only some sites that publish their own IPv6 addresses may fail, and that comes down to the IPv6 addresses DNS64 hands back: it only synthesizes an AAAA record when a name has no native AAAA, so a site's real IPv6 address is returned unchanged.
----------------------------------------
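To make the DNS64 step concrete, here is an added Python example (not part of the original post, nor code from tayga or BIND) that builds a synthesized AAAA for this page's prefix 2020:2019:2018::/96, recovers the embedded IPv4 address the way the translator must, and models the rule that native AAAA records win over synthesis, which is exactly why sites with their own IPv6 addresses fail in this lab. It goes beyond the page's /96 case to all RFC 6052 prefix lengths; the `exclude` handling is modelled on my reading of BIND's dns64 block, and the sample addresses are constructed.

```python
import ipaddress

# RFC 6052 lets the IPv4 address be embedded behind a /32, /40, /48, /56,
# /64 or /96 prefix; byte 8 (bits 64-71, the "u" octet) is always skipped.
RFC6052_PREFIX_LENS = (32, 40, 48, 56, 64, 96)


def synthesize(prefix: str, v4: str) -> str:
    """Embed an IPv4 address in a NAT64 prefix, as DNS64 does when it
    builds an AAAA record from an A record (RFC 6052 section 2.2)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_PREFIX_LENS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == 8:          # reserved "u" octet must stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return str(ipaddress.IPv6Address(bytes(out)))


def extract(prefix: str, v6: str) -> str:
    """Recover the IPv4 address from a synthesized AAAA; this is the
    reverse mapping a NAT64 translator applies to packet destinations."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        raise ValueError(f"{v6} is outside the NAT64 prefix {prefix}")
    raw, pos, octets = addr.packed, net.prefixlen // 8, bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos += 1
        octets.append(raw[pos])
        pos += 1
    return str(ipaddress.IPv4Address(bytes(octets)))


def dns64_answer(prefix, a_records, aaaa_records,
                 exclude=("::ffff:0.0.0.0/96",)) -> list:
    """Model of a DNS64 resolver's decision (assumption: BIND semantics):
    if any native AAAA lies outside every `exclude` network, the native
    set is returned as-is; only when none does are AAAAs synthesized."""
    excl = [ipaddress.IPv6Network(e) for e in exclude]
    native = [ipaddress.IPv6Address(a) for a in aaaa_records]
    if any(not any(a in n for n in excl) for a in native):
        return [str(a) for a in native]
    return [synthesize(prefix, a) for a in a_records]
```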

Fixing the access failures on some sites:

The resolution results for the problem sites are shown below; the failures are mainly because the IPv6 host cannot reach these IPv6 addresses.
[Figure 5: resolution results for the problem domains (image not included)]
Add a second DNS server that strips the corresponding IPv6 addresses from the resolution results (its installation steps are omitted):

[root@RT ~]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.1.109; };   # the server's IPv4 address
        //listen-on-v6 port 53 { 2001:db8:20::1; ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        forwarders  { 202.96.134.133;114.114.114.114; };
        allow-query     { any; };

        filter-aaaa-on-v4 yes;   # strip IPv6 (AAAA) records from answers sent to IPv4 clients
        //filter-aaaa-on-v6 yes;
        //filter-aaaa-on-v4 break-dnssec;
        //filter-aaaa-on-v6 break-dnssec;

Testing shows that only IPv4 addresses are returned:

[root@tayge ~]# nslookup
> server 192.168.1.109
Default server: 192.168.1.109
Address: 192.168.1.109#53
> www.qq.com
Server:		192.168.1.109
Address:	192.168.1.109#53

Non-authoritative answer:
www.qq.com	canonical name = public-v6.sparta.mig.tencent-cloud.net.
Name:	public-v6.sparta.mig.tencent-cloud.net
Address: 14.18.175.154
Name:	public-v6.sparta.mig.tencent-cloud.net
Address: 113.96.232.215
> www.taobao.com
Server:		192.168.1.109
Address:	192.168.1.109#53

Non-authoritative answer:
www.taobao.com	canonical name = www.taobao.com.danuoyi.tbcache.com.
Name:	www.taobao.com.danuoyi.tbcache.com
Address: 113.96.109.100
Name:	www.taobao.com.danuoyi.tbcache.com
Address: 113.96.109.101

Point the DNS forwarder on tayge at 192.168.1.109:

          forwarders  { 192.168.1.109; };

Resolution from the IPv6 client now works:
[Figure 6: IPv6 client resolution test (image not included)]
-------------------------------------------------
This method is probably not the best one; I haven't found a parameter in named.conf that directly filters out the IPv6 answers and then prepends the IPv6 prefix to the IPv4 address.
