NAT64/DNS64 dual stack probing

What DNS64 and NAT64 are intended for

DNS64 and NAT64 is a set of tools which when used together will allow IPv6-only clients to reach IPv4-only services. When this setup is used the intended way it will only be used to reach services which themselves do not support IPv6.

It is possible for clients to bypass the DNS64 step and use NAT64 to reach services on IPv4. When this is done the NAT64 cannot know if the service being accessed is truly an IPv4-only service. Sometimes clients which could have reached a service directly over IPv6 will instead connect through NAT64 to hide their true IP address.

Some NAT64 gateways wish to prevent this kind of access to dual-stack services as it is not what the NAT64 gateways are intended to be used for, and the traffic could be abusive. In order to block the traffic a NAT64 gateway would first need a way to detect that the IPv4 address is used for dual-stack services.

The probe algorithm

A dual stack probe algorithm involving the domain name of this site works as follows:

• A connection is opened to port 443 on the IPv4 address.
• A TLS handshake is performed sending a server name indication (SNI) with the name dual-stack-probe.nat64.dk
• The alternate name section of the certificate is parsed.
• If the alternate name section contain the exact IPv4 address being probed the algorithm terminates concluding the host is not fully dual-stack.
• If the alternate name section contains any IPv4-only domain name the algorithm terminates concluding the host is not fully dual-stack.
• From the alternate name section pick a single dual-stack domain name for which the resolved A records include the IPv4 address beign probed.
• Open a TLS connection to port 443 on one of the IPv6 addresses for this domain name and retrieve the certificate.
• If the certificates retrieved through IPv4 and IPv6 are identical the IPv4 address is declared to be a dual-stack host and future traffic through the NAT64 to that IPv4 address is denied.

If the probe algorithm fails in any way the algorithm assumes the host is not fully dual-stack and allow traffic. This is necessary to prevent accidental blocking of legitimate traffic.

Failures of the probe algorithm which will lead to NAT64 traffic being allowed include: Unable to open TCP connection to port 443, unable to complete TLS handshake, parse error in certificate, certificate doesn't contain the necessary information, the certificate didn't contain a dual-stack hostname resolving to the correct IPv4 address, the IPv4 and IPv6 addresses did not return the same certificate.

How to stop traffic from the NAT64

If you want to stop traffic from the NAT64 from reaching your IPv4 address you have to do as follows:

• Ensure all services hosted on your IPv4 address have full dual-stack support.
• Ensure port 443 is responding and understands TLS.
• Ensure you have a default certificate where the alternate name section contains at least one dual-stack domain name pointing to your IPv4 address.
• Ensure the alternate name section does not contain any IPv4-only domain names.
• Ensure the IPv6 address responds with the same certificate.

There is no guarantee that all NAT64 gateways support this scheme. And NAT64 gateways which do support it may take some time to execute the algorithm and put a block in place. During that time traffic can keep flowing through the NAT64 to your IPv4 address.

No affiliation

Clients sending queries with dual-stack-probe.nat64.dk in SNI does not prove that the client has any affiliation with this site. Anyone could produce such a query.

Use of that domain name by a client may be seen as a signal of intent to implement the algorithm described on this page. But anyone could due to a mistake or more sinister reasons be sending the domain name without intending to implement the algorithm described here.