Maintained by: NLnet Labs

[Unbound-users] DNS64 patch for Unbound

Carsten Strotmann
Mon Jun 30 15:20:52 CEST 2014


Hello Wouter,

W.C.A. Wijngaards writes:
> Is NAT64 considered this important?  We would be happy to incorporate
> the patch if this is considered useful to many users.  NAT64 for DNS
> does involve allowing others to inject new addresses in a new netblock
> for arbitrary names, and as such carries a little bit of security
> considerations.  So, I would hesitate to enable this by default.  But
> the option could certainly be useful, as we would like to help the
> IPv4 to IPv6 transition.  What do other users think about this?

I see DNS64/NAT64 as a tool to reduce complexity in the IPv4->IPv6
transition phase by removing the need to run full dual stack in order to
reach legacy IPv4 resources on the Internet.

With DNS64, networks can go IPv6 native and use DNS64/NAT64 to access old
IPv4 stuff.

Deployments of DNS64 at larger conferences such as FOSDEM, RIPE and
Cisco Live have shown that the technology is mature and works for most
protocols.

DNS64 should not be enabled by default in Unbound (it requires local
configuration anyway), but it should be either a configuration switch or
a compile-time option (I would vote for a configuration switch. If it is
a compile-time option, the distributions will enable it anyway).

The DNS64 configuration options in BIND 9 work fine and could be a
template for Unbound.

I would be happy to see DNS64 support in Unbound and would be willing to
test.

-- 
Carsten Strotmann
Email: cas at strotmann.de
Blog: strotmann.de