Difference between revisions of "IPv6 DNS"

From Secure Computing Wiki
Jump to: navigation, search
m (Reverted edits by Esubiguxoc (talk) to last revision by Ecrist)
Line 1: Line 1:
----
 
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;">
 
----
 
=[http://ezapazuhem.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
 
----
 
=[http://ezapazuhem.co.cc CLICK HERE]=
 
----
 
</div>
 
 
'''This document assumes you already understand IPv4 DNS configuration.'''  This page will discuss implementation of BIND9 and IPv6 for Domain Name Resolution.  If you'd like to contribute, please let me know, and we'll get you an account.  I only use BIND, but I'm sure others use the other options out there.
 
'''This document assumes you already understand IPv4 DNS configuration.'''  This page will discuss implementation of BIND9 and IPv6 for Domain Name Resolution.  If you'd like to contribute, please let me know, and we'll get you an account.  I only use BIND, but I'm sure others use the other options out there.
  
Line 15: Line 7:
  
 
Here is the IPv6 record for www.secure-computing.net:
 
Here is the IPv6 record for www.secure-computing.net:
&lt;pre>
+
<pre>
 
www                    IN AAAA        2001:4980:1:111::150
 
www                    IN AAAA        2001:4980:1:111::150
&lt;/pre>
+
</pre>
  
 
It's really as simple as that!
 
It's really as simple as that!
Line 25: Line 17:
 
Reverse DNS resolution is a little different animal from IPv4.  There's a new provision for delegation of reverse DNS, due to the '''HUGE''' number of IP addresses a single network is allocated. 18,446,744,073,709,551,615 IP addresses huge.  I'm not sure about your needs, but that's more than I'm, personally, going to need.  To put that in perspective, that is 18 quitrillion, 446 quadrillion, 774 trillion, 73 billion, 709 million, 551 thousand, 615 IP addresses.  That, for one single network, is actually enough IPs for every person in the world to have 2,837,960,626.  Hrm, two '''BILLION''' addresses each.  That's a lot.  For the record, a /64 in IPv6 is the smallest allocation of IP addresses per the protocol.  That's quite a few for your ISP to worry about if you want proper reverse DNS.
 
Reverse DNS resolution is a little different animal from IPv4.  There's a new provision for delegation of reverse DNS, due to the '''HUGE''' number of IP addresses a single network is allocated. 18,446,744,073,709,551,615 IP addresses huge.  I'm not sure about your needs, but that's more than I'm, personally, going to need.  To put that in perspective, that is 18 quitrillion, 446 quadrillion, 774 trillion, 73 billion, 709 million, 551 thousand, 615 IP addresses.  That, for one single network, is actually enough IPs for every person in the world to have 2,837,960,626.  Hrm, two '''BILLION''' addresses each.  That's a lot.  For the record, a /64 in IPv6 is the smallest allocation of IP addresses per the protocol.  That's quite a few for your ISP to worry about if you want proper reverse DNS.
  
All of that being said, your ISP is probably more than willing to delegate reverse DNS to your servers.  IPv6 delegates based on &lt;i>nibbles&lt;/i>.  Without getting into too much detail, let's break it down a bit.
+
All of that being said, your ISP is probably more than willing to delegate reverse DNS to your servers.  IPv6 delegates based on <i>nibbles</i>.  Without getting into too much detail, let's break it down a bit.
  
 
=== Brief IP Explanation ===  
 
=== Brief IP Explanation ===  
Line 32: Line 24:
 
=== Dirty Work ===
 
=== Dirty Work ===
 
We're going to build the secure-computing.net reverse DNS file, and I'll do my best to explain as we go.
 
We're going to build the secure-computing.net reverse DNS file, and I'll do my best to explain as we go.
&lt;ol>
+
<ol>
&lt;li>
+
<li>
 
First, you need to put all the file header information that exists in an IPv4 file, such as '''ORIGIN''', '''TTL''', and other timeouts.  The '''$ORIGIN''' portion should be the part of your IPv6 block that describes your network.  If you've been assigned a /64, it will be the first 16 numbers, expanded, of your entire IPv6 address.  Secure Computing Networks has been assigned 2001:4980:1:0111/64, so our $ORIGIN will be 1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.  Note that .ip6.arpa is appended to the end of all IPv6 reverse IPs:
 
First, you need to put all the file header information that exists in an IPv4 file, such as '''ORIGIN''', '''TTL''', and other timeouts.  The '''$ORIGIN''' portion should be the part of your IPv6 block that describes your network.  If you've been assigned a /64, it will be the first 16 numbers, expanded, of your entire IPv6 address.  Secure Computing Networks has been assigned 2001:4980:1:0111/64, so our $ORIGIN will be 1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.  Note that .ip6.arpa is appended to the end of all IPv6 reverse IPs:
&lt;pre>
+
<pre>
 
$ORIGIN 1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.
 
$ORIGIN 1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.
 
$TTL    86400
 
$TTL    86400
Line 45: Line 37:
 
                                 1209600 ; Expire
 
                                 1209600 ; Expire
 
                                 7200 )  ; Minimum TTL
 
                                 7200 )  ; Minimum TTL
&lt;/pre>
+
</pre>
&lt;/li>&lt;li>
+
</li><li>
 
Next, I add a few comments so that, as I'm typing, I can remember my IP block and $ORIGIN:
 
Next, I add a few comments so that, as I'm typing, I can remember my IP block and $ORIGIN:
&lt;pre>
+
<pre>
  
 
; 2001:4980:1:111::/64
 
; 2001:4980:1:111::/64
 
;  1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.
 
;  1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.
  
&lt;/pre>
+
</pre>
&lt;/li>&lt;li>
+
</li><li>
 
At this point, we can start adding our static reverse definitions.  These should be in the same nibble format we've already been discussing.  Similar to IPv4, you'll use the PTR record type, followed by your host name.  '''REMEMBER to add the trailing period to the end of your host name, or it WILL NOT work!'''
 
At this point, we can start adding our static reverse definitions.  These should be in the same nibble format we've already been discussing.  Similar to IPv4, you'll use the PTR record type, followed by your host name.  '''REMEMBER to add the trailing period to the end of your host name, or it WILL NOT work!'''
  
 
To construct your record, you need to put, in reverse order, the remaining digits of your version 6 address.  Using our example for www.secure-computing.net of 2001:4980:1:111::150, we reverse that into nibbles as:
 
To construct your record, you need to put, in reverse order, the remaining digits of your version 6 address.  Using our example for www.secure-computing.net of 2001:4980:1:111::150, we reverse that into nibbles as:
&lt;pre>0.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2&lt;/pre>
+
<pre>0.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2</pre>
 
To make things easier, we simply remove the ORIGIN portion of that address, giving us:
 
To make things easier, we simply remove the ORIGIN portion of that address, giving us:
&lt;pre>0.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0&lt;/pre>
+
<pre>0.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0</pre>
  
 
Our records, then, will appear as so:
 
Our records, then, will appear as so:
&lt;pre>
+
<pre>
 
...
 
...
 
4.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0        IN      PTR    core.ip6.secure-computing.net.
 
4.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0        IN      PTR    core.ip6.secure-computing.net.
Line 71: Line 63:
 
8.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0        IN      PTR    snort.ip6.secure-computing.net.
 
8.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0        IN      PTR    snort.ip6.secure-computing.net.
 
...
 
...
&lt;/pre>
+
</pre>
*&lt;i>Note: The ... lines above simply indicate that there are more records before, and more records after.  This is simply an excerpt from our configuration file to give you an idea as to your format.&lt;/i>
+
*<i>Note: The ... lines above simply indicate that there are more records before, and more records after.  This is simply an excerpt from our configuration file to give you an idea as to your format.</i>
&lt;/li>&lt;li>
+
</li><li>
  
 
At this point, you should be able to save, restart your BIND9 server, and, provided reverse DNS has been delegated to your servers, resolve your reverse DNS.   
 
At this point, you should be able to save, restart your BIND9 server, and, provided reverse DNS has been delegated to your servers, resolve your reverse DNS.   
&lt;/li>&lt;/ol>
+
</li></ol>
 
=== Conclusion ===
 
=== Conclusion ===
There is much more to learn about reverse DNS&lt;strike>, such as '''$GENERATE''' records, but I don't even know how to do that, yet.&lt;/strike>  As it turns out, BIND $GENERATE statements don't work very well with IPv6.  Basically, delegation is key, and you only have reverse lookup for systems that you care about having reverse lookup for.   
+
There is much more to learn about reverse DNS<strike>, such as '''$GENERATE''' records, but I don't even know how to do that, yet.</strike>  As it turns out, BIND $GENERATE statements don't work very well with IPv6.  Basically, delegation is key, and you only have reverse lookup for systems that you care about having reverse lookup for.   
  
 
A email from someone I'd consider knowledgeable:
 
A email from someone I'd consider knowledgeable:
&lt;pre>
+
<pre>
 
On Thu, Sep 20, 2007 at 08:10:30PM -0500, Eric F Crist wrote:
 
On Thu, Sep 20, 2007 at 08:10:30PM -0500, Eric F Crist wrote:
 
>With my reverse DNS for my IPv6 block, you mentioned that I could use   
 
>With my reverse DNS for my IPv6 block, you mentioned that I could use   
Line 94: Line 86:
  
 
--  
 
--  
Doug McIntyre                            &lt;nospam@address.com>
+
Doug McIntyre                            <nospam@address.com>
 
           -- ipHouse/Goldengate/Bitstream/ProNS --  
 
           -- ipHouse/Goldengate/Bitstream/ProNS --  
 
       Network Engineer/Provisioning/Jack of all Trades
 
       Network Engineer/Provisioning/Jack of all Trades
&lt;/pre>
+
</pre>

Revision as of 17:43, 26 November 2010

This document assumes you already understand IPv4 DNS configuration. This page will discuss implementation of BIND9 and IPv6 for Domain Name Resolution. If you'd like to contribute, please let me know, and we'll get you an account. I only use BIND, but I'm sure others use the other options out there.

Forward Resolution

Forward DNS resolution with IPv6 isn't any different from IPv4, apart from the record type in your zone configuration file. We aren't going to discuss full DNS configuration, as we're assuming understanding of the BIND9 configuration of at least IPv4 forward resolution.

To create an IPv6 forward resolution record, use record type AAAA. If you've been browsing around the internet, you've probably seen mention of A6 records. These have been deprecated in favor of a standard of AAAA records.

Here is the IPv6 record for www.secure-computing.net:

www                     IN AAAA         2001:4980:1:111::150

It's really as simple as that!

Reverse Resolution

Overview

Reverse DNS resolution is a little different animal from IPv4. There's a new provision for delegation of reverse DNS, due to the HUGE number of IP addresses a single network is allocated. 18,446,744,073,709,551,615 IP addresses huge. I'm not sure about your needs, but that's more than I'm, personally, going to need. To put that in perspective, that is 18 quitrillion, 446 quadrillion, 774 trillion, 73 billion, 709 million, 551 thousand, 615 IP addresses. That, for one single network, is actually enough IPs for every person in the world to have 2,837,960,626. Hrm, two BILLION addresses each. That's a lot. For the record, a /64 in IPv6 is the smallest allocation of IP addresses per the protocol. That's quite a few for your ISP to worry about if you want proper reverse DNS.

All of that being said, your ISP is probably more than willing to delegate reverse DNS to your servers. IPv6 delegates based on nibbles. Without getting into too much detail, let's break it down a bit.

Brief IP Explanation

With reverse DNS, IPs are written in reverse order, so 209.240.66.150 is 150.66.240.209.in-addr.arpa. In this case, things are broken up by the octet, or by each . in the address. With IPv6, things are broken up into each byte. This means an IP address of 2001:4980:1:111::150 is expanded and written out as: 0.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2. There's a distinct difference here, between version 4 and version 6. With version 4, you can only delegate reverse DNS by the class C block, and it's delegated by ARIN (or whomever your local authority is). With IPv6, I can delegate a single IP's reverse DNS. AKA nibble.  :)

Dirty Work

We're going to build the secure-computing.net reverse DNS file, and I'll do my best to explain as we go.

  1. First, you need to put all the file header information that exists in an IPv4 file, such as ORIGIN, TTL, and other timeouts. The $ORIGIN portion should be the part of your IPv6 block that describes your network. If you've been assigned a /64, it will be the first 16 numbers, expanded, of your entire IPv6 address. Secure Computing Networks has been assigned 2001:4980:1:0111/64, so our $ORIGIN will be 1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa. Note that .ip6.arpa is appended to the end of all IPv6 reverse IPs:
    $ORIGIN 1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.
    $TTL    86400
    
    @       IN      SOA pri-ns.secure-computing.net. domain-services.secure-computing.net.  (
                                    2007070501      ; Serial
                                    3600    ; Refresh
                                    3600    ; Retry
                                    1209600 ; Expire
                                    7200 )  ; Minimum TTL
    
  2. Next, I add a few comments so that, as I'm typing, I can remember my IP block and $ORIGIN:

    
    ; 2001:4980:1:111::/64
    ;  1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.
    
    
  3. At this point, we can start adding our static reverse definitions. These should be in the same nibble format we've already been discussing. Similar to IPv4, you'll use the PTR record type, followed by your host name. REMEMBER to add the trailing period to the end of your host name, or it WILL NOT work!

    To construct your record, you need to put, in reverse order, the remaining digits of your version 6 address. Using our example for www.secure-computing.net of 2001:4980:1:111::150, we reverse that into nibbles as:

    0.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2

    To make things easier, we simply remove the ORIGIN portion of that address, giving us:

    0.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0

    Our records, then, will appear as so:

    ...
    4.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     core.ip6.secure-computing.net.
    5.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     ghost.ip6.secure-computing.net.
    6.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     gimp.ip6.secure-computing.net.
    7.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     chunk.ip6.secure-computing.net.
    8.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     snort.ip6.secure-computing.net.
    ...
    
    • Note: The ... lines above simply indicate that there are more records before, and more records after. This is simply an excerpt from our configuration file to give you an idea as to your format.
  4. At this point, you should be able to save, restart your BIND9 server, and, provided reverse DNS has been delegated to your servers, resolve your reverse DNS.

Conclusion

There is much more to learn about reverse DNS, such as $GENERATE records, but I don't even know how to do that, yet. As it turns out, BIND $GENERATE statements don't work very well with IPv6. Basically, delegation is key, and you only have reverse lookup for systems that you care about having reverse lookup for.

A email from someone I'd consider knowledgeable:

On Thu, Sep 20, 2007 at 08:10:30PM -0500, Eric F Crist wrote:
>With my reverse DNS for my IPv6 block, you mentioned that I could use  
>the ISC BIND $GENERATE statement.  Can you give me a brief example?   
>There is zero documentation relative to IPv6 available.  Kind of  
>surprising.

I probably misspoke that time then. $GENERATE isn't too useful for IPv6. 

It does a very simple variable/text substitution, it has no provisions in
it to generate the numbers involved in IPv6 IP addresses. 

-- 
Doug McIntyre                            <nospam@address.com>
          -- ipHouse/Goldengate/Bitstream/ProNS -- 
       Network Engineer/Provisioning/Jack of all Trades