NAT64

The world is rapidly running out of IPv4 addresses, making IPv6 adoption no longer optional but essential for organizations looking to future-proof their networks. Many IT teams are moving toward IPv6-only deployments, which simplify internal management and enhance network scalability.

However, a challenge arises: most of the internet still relies heavily on IPv4. To ensure IPv6-only clients can communicate with IPv4 servers, organizations implement NAT64 and DNS64, technologies that bridge the protocol gap without requiring dual-stack configurations.

In this guide, I’ll share a step-by-step approach, real-world insights, and best practices for deploying NAT64 and DNS64 in enterprise environments.


Understanding NAT64 and DNS64

NAT64: Translating IPv6 to IPv4

Network Address Translation 64 (NAT64) enables IPv6-only devices to access IPv4 resources.

  • It converts IPv6 packets into IPv4 packets and vice versa.
  • Functions similarly to traditional IPv4 NAT but specifically targets IPv6-to-IPv4 traffic.
  • Allows organizations to eliminate IPv4 internally while still reaching IPv4-dependent services.

DNS64: Synthesizing IPv6 Addresses

DNS64 complements NAT64 by synthesizing AAAA records from IPv4 A records.

  • When an IPv6-only client queries a domain that only has an IPv4 address, DNS64 generates a corresponding IPv6 address.
  • This synthesized IPv6 address points to the NAT64 gateway, ensuring the traffic is correctly routed.

Together, DNS64 and NAT64 provide seamless access for IPv6-only clients to IPv4 services, creating a transparent bridge between the two protocol worlds.


Why IPv6-Only with NAT64/DNS64 Matters

Deploying an IPv6-only network with NAT64/DNS64 provides several advantages:

  1. Future-Proofing: Reduces reliance on dwindling IPv4 addresses and prepares your network for the inevitable IPv6-only internet.
  2. Simplified Management: Only a single protocol (IPv6) needs to be managed internally, which reduces complexity.
  3. IPv4 Conservation: Organizations no longer need to maintain large pools of IPv4 addresses for internal services.
  4. Compatibility: IPv6-only clients can still reach IPv4-only resources, ensuring uninterrupted operations.
  5. Enhanced Security: NAT64 gateways can act as controlled exit points, providing better visibility and filtering opportunities for IPv4 traffic.

Real-world insight: In one enterprise deployment, moving to IPv6-only with NAT64 reduced internal dual-stack complexity by 40%, simplified firewall policies, and eliminated the need for IPv4 address expansion.


Network Design Overview

A typical IPv6-only deployment using NAT64/DNS64 includes:

  • IPv6-only clients: Workstations, servers, IoT devices.
  • DNS64 server: Synthesizes AAAA records from IPv4-only services.
  • NAT64 gateway: Handles protocol translation between IPv6 and IPv4.
  • IPv4 resources: Both internal legacy systems and external internet resources.

Flow of traffic:

  1. IPv6-only client queries DNS64 for a service.
  2. DNS64 generates a synthesized IPv6 address pointing to NAT64.
  3. Traffic passes through NAT64, which translates it to IPv4.
  4. IPv4 server responds; NAT64 translates the response back to IPv6.

Step-by-Step Setup

Step 1: Enable IPv6 on Clients and Network

  • Ensure all client devices, routers, and switches support IPv6.
  • Disable unnecessary IPv4 configuration if moving to a strict IPv6-only environment.

Tip from experience: Some legacy applications still rely on IPv4. Conduct thorough application testing before disabling IPv4 completely.

Step 2: Deploy a DNS64 Server

Modern DNS servers that support DNS64 include BIND, Unbound, and Windows DNS Server.

Example BIND configuration:

options {
    dns64 64:ff9b::/96 {
        clients { any; };
        exclude { ::ffff:0.0.0.0/96; };
    };
};

  • The 64:ff9b::/96 prefix is the well-known NAT64 prefix (RFC 6052); it must match the prefix configured on the NAT64 gateway.
  • DNS64 will synthesize IPv6 AAAA records for IPv4-only domains.

Tip: Deploy at least two DNS64 servers for redundancy and high availability.
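To make the DNS64 side concrete, here is an added Python example (my own illustration, not code from BIND, TAYGA or the original post) that synthesizes a AAAA record from an A record under the well-known prefix, applies the exclude rule from the BIND block above, and recovers the embedded IPv4 address from a synthesized address, which is what you need when reading NAT64 logs. The sample records and the custom prefix used for the private-address case are constructed.

```python
import ipaddress
from typing import List, Optional

# Well-known NAT64 prefix from the BIND and TAYGA configs above (RFC 6052) and
# BIND's default dns64 "exclude" range (IPv4-mapped IPv6 addresses).
WELL_KNOWN_PREFIX = "64:ff9b::/96"
EXCLUDE = ipaddress.IPv6Network("::ffff:0.0.0.0/96")


def synthesize_aaaa(ipv4: str, prefix: str = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this helper only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    # RFC 6052 section 3.1: the well-known prefix must not carry non-global
    # IPv4 space (RFC 1918 etc.), so internal legacy IPv4 needs a custom prefix.
    if net == ipaddress.IPv6Network(WELL_KNOWN_PREFIX) and not v4.is_global:
        raise ValueError(f"{v4} is not global; use a network-specific NAT64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: str = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Reverse mapping for NAT64 logs: recover the real IPv4 destination from a
    synthesized address, or None if the address is native IPv6."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in ipaddress.IPv6Network(prefix):
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(a_records: List[str], aaaa_records: List[str],
                 prefix: str = WELL_KNOWN_PREFIX) -> List[str]:
    """What a DNS64 resolver hands an IPv6-only client for one name: native AAAA
    records win, excluded ones are ignored, and synthesis from A records happens
    only when no usable AAAA remains (the semantics of the BIND dns64 block)."""
    native = [str(ipaddress.IPv6Address(a)) for a in aaaa_records
              if ipaddress.IPv6Address(a) not in EXCLUDE]
    if native:
        return native
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Constructed sample records for an IPv4-only name and a dual-stack name.
    print(dns64_answer(["8.8.8.8"], []))               # ['64:ff9b::808:808']
    print(dns64_answer(["8.8.8.8"], ["2001:db8::10"]))  # ['2001:db8::10']
    print(extract_ipv4("64:ff9b::808:808"))            # 8.8.8.8
```

A native AAAA is always preferred, so a dual-stack service is never pulled through the NAT64 gateway; only IPv4-only destinations show up in its translation logs.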

Step 3: Configure a NAT64 Gateway

Popular NAT64 implementations include TAYGA (Linux), Jool (Linux), and enterprise router solutions.

TAYGA configuration example:

# /etc/tayga.conf
tun-device nat64
ipv4-addr 192.0.2.1
prefix 64:ff9b::/96
dynamic-pool 192.0.2.0/24

  • Start the NAT64 service and configure routing to direct IPv6 traffic through it.

Real-world insight: In high-traffic environments, hardware-based NAT64 can improve performance and reduce translation latency compared to software solutions.

Step 4: Update Routing and Firewall Rules

  • Configure IPv6 clients to use the DNS64 server as their resolver.
  • Ensure NAT64 can route traffic to both IPv6 clients and IPv4 destinations.
  • Adjust firewall policies to allow traffic through NAT64 while maintaining security posture.

Step 5: Test the Setup

From an IPv6-only client:

ping ipv4.google.com

  • The DNS64 server should synthesize an IPv6 address.
  • NAT64 will translate packets to IPv4, and the connection should succeed.

Expert tip: Test a variety of services (HTTP, HTTPS, SSH) to ensure translation works consistently for all application types.


Best Practices for NAT64/DNS64 Deployment

  1. Use the well-known prefix 64:ff9b::/96 unless you have a specific need for custom NAT64 prefixes.
  2. Deploy redundant DNS64 servers for resilience and load balancing.
  3. Monitor NAT64 translation logs to track frequently accessed IPv4 resources and detect anomalies.
  4. Educate users and IT teams about IPv6 transition and potential issues with legacy applications.
  5. Plan a phased migration: Start with lab testing → pilot deployment → full enterprise rollout.
  6. Document your network topology and configurations to simplify troubleshooting and audits.

Advantages and Limitations

Advantages

  • Seamless IPv6-to-IPv4 communication.
  • Reduces dependency on scarce IPv4 addresses.
  • Enables organizations to simplify internal networks and prepare for IPv6 adoption.

Limitations

  • Applications that embed IPv4 addresses directly (e.g., hardcoded literals) may not work.
  • Translation introduces slight latency and overhead.
  • Requires careful monitoring to maintain performance and security.

Pro tip: Pair NAT64/DNS64 with IPv6 transition monitoring tools to detect slow or failed translations, particularly for critical applications.


Conclusion

Deploying IPv6-only networks with NAT64 and DNS64 is a strategic step toward future-proofing enterprise networks. While dual-stack networks remain common today, NAT64/DNS64 enables IT teams to simplify internal infrastructure without losing connectivity to IPv4 services.

From my professional experience, organizations that adopt this approach see:

  • Reduced operational complexity by managing a single protocol internally.
  • Improved security and visibility through centralized NAT64 gateways.
  • Easier IPv6 adoption across devices, applications, and services.

Careful planning, configuration, and monitoring ensure a smooth transition while maintaining compatibility with legacy IPv4 resources. IPv6 is not just the future—it’s here today, and NAT64/DNS64 is the bridge that makes it practical for modern enterprises.
