NAT64与DNS64是一套配套的解决方案,用于实现IPv6网络过渡初期的协议转换与互访,使纯IPv6网络下的用户可以直接访问现有的IPv4 Internet资源,而不需要修改两端的任何配置。
tayga大致工作原理图:
测试配置:
-----------------------------------------
setup1:基本环境配置:
[root@tayge ~]# systemctl stop firewalld
[root@tayge ~]# setenforce 0
[root@tayge ~]# yum -y install epel-release
[root@tayge ~]# yum makecache
setup2:配置接口地址:
[root@tayge ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens34 #内网接口
# ifcfg-ens34: the inside interface of the tayga box (IPv6-only client side).
# No IPADDR/PREFIX here — this interface carries only the 2222:1111::/96 prefix.
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
# Per-interface IPv6 forwarding; it is additionally switched on globally later
# via /proc/sys/net/ipv6/conf/all/forwarding.
IPV6FORWARDING=yes
# 2222:1111::/96 is the client prefix that the dns64 "clients" ACL in named.conf is scoped to.
IPV6ADDR=2222:1111::1/96
IPV6_AUTOCONF=no
# The IPv6 default route lives on the outside interface (ens33, IPV6_DEFROUTE=yes).
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens34
UUID=3e907cb9-be64-4042-8393-f43312eb84b0
DEVICE=ens34
ONBOOT=yes
[root@tayge ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 #外网接口
# ifcfg-ens33: the outside interface of the tayga box (static IPv4, autoconfigured IPv6).
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
# Autoconf only on the outside; the inside interface (ens34) has it off and a static address.
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="1754d42e-867c-4e63-aff6-18051ba017d5"
DEVICE="ens33"
ONBOOT="yes"
# 192.168.1.120 is reused as the SNAT source for the tayga dynamic-pool and as the
# IPv4 listen address of the local named instance.
IPADDR="192.168.1.120"
PREFIX="24"
GATEWAY="192.168.1.1"
# Upstream resolver for the host itself; the IPv6 clients query the local named, not this.
DNS1="114.114.114.114"
IPV6_PRIVACY="no"
setup3:安装tayga服务和修改配置文件:
[root@tayge ~]# yum install tayga -y
[root@tayge ~]# cat /etc/tayga/default.conf | grep -v ^# | grep -v ^$ #默认配置中我只修改了prefix(前缀)一项,其余保持默认。
# /etc/tayga/default.conf with comments and blank lines stripped; only "prefix" was changed.
# Name of the tun interface tayga creates; the ip addr / ip route commands below attach to it.
tun-device nat64
# IPv4 address tayga uses for itself on the tun (also the source used for the ping -I test).
ipv4-addr 192.168.255.1
# NAT64 prefix: must be the same /96 as the dns64 block in named.conf and the IPv6 route pointed at nat64.
prefix 2020:2019:2018::/96
# IPv4 addresses handed out for translated IPv6 clients; this is the range SNATed out of ens33.
dynamic-pool 192.168.255.0/24
# State directory for tayga (contents not shown in this write-up).
data-dir /var/lib/tayga/default
setup4:给接口nat64配置ipv4和ipv6地址:
[root@tayge ~]# systemctl start tayga@default
[root@tayge ~]# ip addr add 2020:2020::1/96 dev nat64 #地址任意
[root@tayge ~]# ip addr add 192.168.255.1/24 dev nat64
[root@tayge ~]# ip link set nat64 up
setup5:设置dynamic-pool中的地址代理上网:
[root@tayge ~]# yum install iptables-services -y
[root@tayge ~]# iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -d 0.0.0.0/0 -j SNAT --to 192.168.1.120
[root@tayge ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@tayge ~]# echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
[root@tayge ~]# ping -I 192.168.255.1 114.114.114.114
PING 114.114.114.114 (114.114.114.114) from 192.168.255.1 : 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=77 time=34.1 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=67 time=33.3 ms
64 bytes from 114.114.114.114: icmp_seq=3 ttl=70 time=32.1 ms
64 bytes from 114.114.114.114: icmp_seq=4 ttl=72 time=35.7 ms
^C
--- 114.114.114.114 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 32.160/33.850/35.739/1.313 ms
setup6:设置ipv6前缀和动态地址池地址指向nat64网卡:
[root@tayge ~]# route add -net 192.168.255.0/24 dev nat64 #若nat64接口的ipv4地址不在192.168.255.0/24网段内,则需要手动添加此路由
[root@tayge ~]# ip route add 2020:2019:2018::/96 dev nat64
[root@tayge ~]# yum install bind -y
[root@tayge ~]# vim /etc/named.conf
// named.conf on the tayga box: a recursive resolver that synthesizes AAAA records (DNS64)
// for the inside prefix, using the same /96 that tayga translates.
options {
// NOTE(review): 192.168.1.120 is the *outside* interface (ens33). Combined with
// "allow-query { any; }" and "recursion yes" below, this is an open recursive resolver
// for any host that can reach 192.168.1.120; restrict allow-query/allow-recursion
// to the intended clients (e.g. 2222:1111::/96 and localhost).
listen-on port 53 { 192.168.1.120; };
// 2222:1111::1 is the inside (ens34) address the IPv6-only clients send queries to.
listen-on-v6 port 53 { 2222:1111::1;::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
// Upstream resolvers; their answers are not validated here (dnssec-validation no, below).
forwarders { 202.96.134.133;114.114.114.114; };
// Synthesize AAAA records under the NAT64 prefix configured in /etc/tayga/default.conf.
dns64 2020:2019:2018::/96 {
// Only queries arriving from the inside prefix receive synthesized answers.
clients { 2222:1111::/96;};
// mapped { !10/8;172.16/12; any; };
// Synthesized AAAA records cannot validate, so DNSSEC is necessarily broken for them.
break-dnssec yes;
// NOTE(review): the dns64 "exclude" ACL is the knob that makes named ignore native AAAA
// answers and synthesize instead; it may cover the "sites with unreachable IPv6 addresses"
// case discussed at the end of this write-up — confirm against the installed BIND version.
//exclude { 2020:2019:2018::/96; };
suffix :: ;
};
recursion yes;
// DNSSEC validation is fully disabled on this resolver.
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
[root@tayge ~]# systemctl start named
测试NAT64解析正常:
----------------------------------------
搭建完毕后测试,可以正常访问大多数网站并观看视频,只有部分本身拥有ipv6地址的网站可能访问异常,这与DNS64解析返回的IPV6地址有关。
----------------------------------------
异常网站的域名解析结果如下,访问异常主要是由于ipv6主机无法访问这些ipv6地址。
通过新增一台DNS服务器,过滤掉域名解析结果中对应的IPV6地址(搭建过程略):
[root@RT ~]# vim /etc/named.conf
// named.conf on the second resolver (host RT): strips AAAA records from answers given to
// IPv4 clients. The DNS64 box later forwards to this server over IPv4, so it only ever
// receives A records back. The options block continues past what is shown here.
options {
listen-on port 53 { 192.168.1.109; }; # server IPv4 address
//listen-on-v6 port 53 { 2001:db8:20::1; ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
forwarders { 202.96.134.133;114.114.114.114; };
// NOTE(review): "any" with recursion left at its default makes this a second open resolver
// for anything that can reach 192.168.1.109; an ACL limited to the tayga box (192.168.1.120)
// and localhost is all this setup needs.
allow-query { any; };
filter-aaaa-on-v4 yes; # drop AAAA records from answers sent to IPv4 clients
// NOTE(review): newer BIND releases ship filter-aaaa as a plugin instead of an options
// statement; confirm the installed version accepts this directive.
//filter-aaaa-on-v6 yes;
//filter-aaaa-on-v4 break-dnssec;
//filter-aaaa-on-v6 break-dnssec;
测试发现解析结果中只返回ipv4地址:
[root@tayge ~]# nslookup
> server 192.168.1.109
Default server: 192.168.1.109
Address: 192.168.1.109#53
> www.qq.com
Server: 192.168.1.109
Address: 192.168.1.109#53
Non-authoritative answer:
www.qq.com canonical name = public-v6.sparta.mig.tencent-cloud.net.
Name: public-v6.sparta.mig.tencent-cloud.net
Address: 14.18.175.154
Name: public-v6.sparta.mig.tencent-cloud.net
Address: 113.96.232.215
> www.taobao.com
Server: 192.168.1.109
Address: 192.168.1.109#53
Non-authoritative answer:
www.taobao.com canonical name = www.taobao.com.danuoyi.tbcache.com.
Name: www.taobao.com.danuoyi.tbcache.com
Address: 113.96.109.100
Name: www.taobao.com.danuoyi.tbcache.com
Address: 113.96.109.101
将tayge上named的DNS转发器(forwarders)指向192.168.1.109:
forwarders { 192.168.1.109; };
ipv6客户端测试解析正常:
-------------------------------------------------
这种方法可能不是最好的:我没有找到named.conf中有哪个参数可以先直接过滤掉ipv6解析结果,再为ipv4地址加上ipv6前缀。