
Let’s build DNS64 + NAT64

In this tutorial we build an IPv6-only network that can still reach IPv4 hosts: Jool provides NAT64, and unbound's DNS64 module synthesizes AAAA records from A records, so IPv6-only clients get an address inside the NAT64 prefix for every IPv4-only name.

Requirements

  • Ubuntu 24.04 (BIOS mode)
  • VM with IPv4 and IPv6

Make sure the VM is fully updated, and do not run Ubuntu with Secure Boot enabled: the Jool kernel module is built locally by DKMS and is not signed, so it will not load under Secure Boot.

Know your IP Address

root@hanako:~# ifconfig
ens18: flags=4675<UP,BROADCAST,RUNNING,ALLMULTI,MULTICAST>  mtu 1500
        inet 192.0.2.52  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 fe80::dead:ffff:feed:300  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:1234:1234:dead:ffff:feed:300  prefixlen 64  scopeid 0x0<global>
        ether dc:ad:ff:ed:03:00  txqueuelen 1000  (Ethernet)
        RX packets 376283  bytes 110952126 (110.9 MB)
        RX errors 0  dropped 5587  overruns 0  frame 0
        TX packets 29863  bytes 21199923 (21.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

We are going to use ens18.

2001:db8:1234:1234:dead:ffff:feed:300 is the global IPv6 address the VM got from Router Advertisement (RA), so its on-link prefix is 2001:db8:1234:1234::/64. We carve a /96 out of that /64 to use as the NAT64 prefix, like this:

2001:db8:1234:1234:b00b:feed:0:0

Keep the first four groups, 2001:db8:1234:1234, and append b00b:feed:0:0; the last 32 bits (the 0:0) are where the IPv4 address of each translated host gets embedded.

You can pick any value for the b00b:feed part that no host on the /64 already uses, for example face:beef:0:0.

Install

apt install jool-dkms jool-tools unbound ndppd

Enable Kernel Features

echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

Activate

sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.ip_forward=1

Replace DNS

We are going to use unbound as the DNS resolver, so systemd-resolved must be stopped and disabled first; otherwise the two compete for port 53. Once unbound is running, also make sure /etc/resolv.conf points at 127.0.0.1 (or the VM's own address) instead of the 127.0.0.53 stub that systemd-resolved used to provide.

systemctl stop systemd-resolved
systemctl disable systemd-resolved

Set up unbound

nano /etc/unbound/unbound.conf.d/dns64.conf

Paste this (replace dns64-prefix with the /96 you chose above). As written, access-control accepts queries from any source, which turns unbound into an open resolver on a VM with a public address; narrow both lines to loopback and your own IPv6 client prefix unless you really intend to serve the whole Internet:

server:
    # listen on every address; restrict these if you only serve one network
    interface: 0.0.0.0
    interface: ::0
    interface: 127.0.0.1
    interface: ::1
    # who may query: "everyone" as written, tighten to your own prefixes
    access-control: 0.0.0.0/0 allow
    access-control: ::/0 allow

    do-ip6: yes
    do-ip4: yes

    # dns64 must be listed before validator and iterator
    module-config: "dns64 validator iterator"

    # must be identical to the --pool6 given to Jool below
    dns64-prefix: 2001:db8:1234:1234:b00b:feed::/96

forward-zone:
    name: "."
    forward-addr: 1.1.1.1@53
    forward-addr: 1.0.0.1@53

Restart unbound

systemctl restart unbound
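To check the address arithmetic from the prefix section above and the DNS64 synthesis unbound now performs, here is an added POSIX shell helper; it is not part of the original tutorial. It assumes the NAT64 prefix is written as on this page (first four groups spelled out, no "::" inside them), that awk is available, and that dig from the dnsutils package is installed for the live check; ipv4only.arpa (RFC 7050) is used for that check because it only has A records, so a working DNS64 resolver must return a synthesized AAAA for it. The addresses are this page's example values.

```shell
#!/bin/sh
# Added helper (not from the original tutorial): RFC 6052 NAT64/DNS64 address
# arithmetic plus a live check of the local unbound. Assumes POSIX sh, awk,
# and (for dns64_check only) dig from dnsutils.

# Build the NAT64 /96 from the VM's RA-assigned global address and the chosen
# 32-bit filler. Assumes the first four groups are written out (no "::").
#   nat64_prefix 2001:db8:1234:1234:dead:ffff:feed:300 b00b:feed
#   -> 2001:db8:1234:1234:b00b:feed::/96
nat64_prefix() {
    printf '%s:%s::/96\n' "$(printf '%s' "$1" | cut -d: -f1-4)" "$2"
}

# Synthesize the AAAA that DNS64 produces (and NAT64 expects) for an IPv4:
# the IPv4 is embedded in the last 32 bits of the /96.
#   nat64_synth 2001:db8:1234:1234:b00b:feed::/96 192.0.2.52
#   -> 2001:db8:1234:1234:b00b:feed:c000:234
nat64_synth() {
    p=${1%/*}              # drop /96
    p=${p%::}              # drop trailing ::
    # A /96 written out in full has six groups and joins with ":"; a shorter,
    # compressed one (e.g. the well-known 64:ff9b::/96) keeps its "::".
    if [ "$(printf '%s' "$p" | awk -F: '{ print NF }')" -eq 6 ]; then
        sep=:
    else
        sep=::
    fi
    oldifs=$IFS
    IFS=.
    set -- $2              # split the dotted quad into $1..$4
    IFS=$oldifs
    printf '%s%s%x:%x\n' "$p" "$sep" "$(($1 * 256 + $2))" "$(($3 * 256 + $4))"
}

# Recover the embedded IPv4 from a synthesized address (handy when reading
# Jool session tables or resolver logs). Expects the last two groups written
# out, which is how dig prints them for the prefixes used here.
#   nat64_extract 2001:db8:1234:1234:b00b:feed:c000:234 -> 192.0.2.52
nat64_extract() {
    lo=${1##*:}
    rest=${1%:*}
    hi=${rest##*:}
    hi=$((0x$hi))
    lo=$((0x$lo))
    printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
}

# Live check against the resolver: ipv4only.arpa (RFC 7050) only has A records
# (192.0.0.170 and 192.0.0.171), so DNS64 must hand back the synthesized AAAA.
#   dns64_check 2001:db8:1234:1234:b00b:feed::/96 ::1
dns64_check() {
    expected=$(nat64_synth "$1" 192.0.0.170)
    got=$(dig +short AAAA ipv4only.arpa @"${2:-::1}")
    for a in $got; do
        if [ "$a" = "$expected" ]; then
            echo "DNS64 OK: ipv4only.arpa -> $a"
            return 0
        fi
    done
    echo "DNS64 FAILED: expected $expected, got: ${got:-nothing}" >&2
    return 1
}

# Usage: sh dns64-check.sh <nat64-prefix/96> [resolver]; with no arguments the
# script only defines the functions.
if [ $# -ge 1 ]; then
    dns64_check "$@"
fi
```

Run it with the prefix you configured in dns64.conf; the expected address is computed locally, so a mismatch tells you whether unbound is using a different prefix, is not synthesizing at all, or is not the resolver that answered.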

Load Jool and create the NAT64 instance

Load the kernel module and create a Netfilter-mode NAT64 instance whose pool6 is the same /96 you gave unbound as dns64-prefix (the two must match, or the synthesized addresses never reach the translator):

modprobe jool
jool instance add nat64 --netfilter --pool6 2001:db8:1234:1234:b00b:feed::/96

Neither command persists across a reboot, so arrange for the module to be loaded and the instance recreated at boot, or repeat them after every restart.

Set up ndppd

The /96 you chose sits inside the VM's on-link /64, so the upstream router sends Neighbor Solicitations for those addresses and nobody would answer them. ndppd answers on the VM's behalf for the whole /96, so packets destined for the NAT64 prefix are delivered to Jool.

nano /etc/ndppd.conf

Paste this

route-ttl 30000
proxy ens18 {
    rule 2001:db8:1234:1234:b00b:feed::/96 {
        static
    }
}

iptables / nftables Rules

You need NAT for outbound IPv4: MASQUERADE rewrites the source of the translated IPv4 packets to the address of ens18 and maps the replies back:

iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE

Forwarding

iptables -A FORWARD -j ACCEPT

This accepts every forwarded packet in both directions. On a VM reachable from the Internet, limit it to established/related traffic plus new connections coming from your IPv6 clients. These rules are not persistent either, so save them (for example with iptables-persistent) or they are gone after a reboot.
