How to Configure DNS for IPv6-Only Nameservers

IPv6-only DNS nameservers are becoming increasingly important as networks transition away from IPv4. Whether you're setting up an IPv6-only network, testing IPv6 connectivity, or preparing for IPv4 deprecation, configuring your system to use IPv6-only DNS resolvers is a critical skill. This comprehensive guide covers configuration across all major operating systems and explains the technical considerations for IPv6-only DNS deployment.

Table of Contents

• Understanding IPv6-Only DNS
• Popular IPv6-Only DNS Resolvers
• Configuring IPv6-Only DNS on Windows
• Configuring IPv6-Only DNS on macOS
• Configuring IPv6-Only DNS on Linux
• DNS64 for IPv6-Only Networks
• Verifying Your Configuration
• Troubleshooting Common Issues
• Best Practices

Understanding IPv6-Only DNS

IPv6-only DNS nameservers accept queries exclusively over IPv6 connections. Unlike dual-stack DNS servers that respond to both IPv4 and IPv6 queries, IPv6-only nameservers require your device to have working IPv6 connectivity.

Key Concepts

AAAA Records: The IPv6 equivalent of IPv4 "A" records, AAAA records map domain names to 128-bit IPv6 addresses.

DNS64: A special DNS function that synthesizes IPv6 addresses (AAAA records) from IPv4 addresses (A records) when no native IPv6 address exists. This enables IPv6-only clients to access IPv4-only services through NAT64 gateways.

NAT64: A network address translation mechanism that works in conjunction with DNS64 to enable IPv6-only clients to communicate with IPv4-only servers.

When to Use IPv6-Only DNS

• IPv6-only networks: Networks that have disabled IPv4 entirely
• Testing and validation: Verifying that your applications work correctly with IPv6-only infrastructure
• Performance optimization: On networks with superior IPv6 connectivity, IPv6-only DNS may provide lower latency
• Future-proofing: Preparing for eventual IPv4 deprecation in your network

Prerequisites

Before configuring IPv6-only DNS nameservers, ensure:

1. Your device has IPv6 connectivity: Use ping -6 ipv6.google.com to verify
2. Your network supports IPv6: Check with your ISP or network administrator
3. Your router provides IPv6 addressing: Via SLAAC (Stateless Address Autoconfiguration) or DHCPv6
4. You understand the implications: IPv6-only DNS cannot resolve queries over IPv4

Popular IPv6-Only DNS Resolvers

While most public DNS providers offer dual-stack resolvers, several provide dedicated IPv6-only addresses. Here are the most popular options:

Google Public DNS (IPv6)

• Primary: 2001:4860:4860::8888
• Secondary: 2001:4860:4860::8844
• Features: Fast, reliable, supports DNSSEC, DoH, and DoT
• Privacy: Logs queries temporarily for security and performance

Google Public DNS64

• Primary: 2001:4860:4860::6464
• Secondary: 2001:4860:4860::64
• Features: DNS64 support for IPv6-only networks accessing IPv4 services
• Use case: IPv6-only clients that need to reach IPv4-only destinations

Cloudflare DNS (IPv6)

• Primary: 2606:4700:4700::1111
• Secondary: 2606:4700:4700::1001
• Features: Privacy-focused, fastest DNS globally (per DNSPerf 2025), supports DoH and DoT
• Privacy: Does not log personally identifiable information

OpenDNS (IPv6)

• Primary: 2620:119:35::35
• Secondary: 2620:119:53::53
• Features: Content filtering, phishing protection, customizable security policies
• Use case: Family-safe browsing and business security

Quad9 (IPv6)

• Primary: 2620:fe::fe
• Secondary: 2620:fe::9
• Features: Malware and phishing protection, privacy-respecting
• Privacy: Does not log IP addresses

Comparison Table

Provider	Primary IPv6 Address	DNS64	Privacy Focus	DNSSEC	DoH/DoT
Google DNS	2001:4860:4860::8888	No	Moderate	Yes	Yes
Google DNS64	2001:4860:4860::6464	Yes	Moderate	Yes	Yes
Cloudflare	2606:4700:4700::1111	Via separate service	High	Yes	Yes
OpenDNS	2620:119:35::35	No	Moderate	Yes	Yes
Quad9	2620:fe::fe	No	High	Yes	Yes

Note: DNS64 resolvers are specifically designed for IPv6-only networks that need to access IPv4-only services. Use regular IPv6 DNS for dual-stack or IPv6-only environments.

Configuring IPv6-Only DNS on Windows

Windows 10, Windows 11, and Windows Server fully support IPv6 DNS configuration through both GUI and command-line methods.

Method 1: Using the GUI (Windows 10/11)

Step 1: Open Network Settings

1. Press Win + I to open Settings
2. Navigate to Network & Internet
3. Click Advanced network settings
4. Click More network adapter options (or search "View Network Connections")

Step 2: Configure IPv6 DNS

1. Right-click your network adapter (e.g., "Wi-Fi" or "Ethernet")
2. Select Properties
3. Select Internet Protocol Version 6 (TCP/IPv6)
4. Click Properties
5. Select Use the following DNS server addresses
6. Enter your IPv6-only DNS servers:
   • Preferred DNS server: 2001:4860:4860::8888 (Google)
   • Alternate DNS server: 2001:4860:4860::8844 (Google)
7. Click OK, then Close

Important: Ensure IPv6 is enabled on your adapter (the checkbox should be checked).

Method 2: Using PowerShell (Recommended)

PowerShell provides powerful scripting capabilities for DNS configuration.

Set IPv6-only DNS servers:

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "2001:4860:4860::8888","2001:4860:4860::8844"

Replace "Ethernet" with your adapter name. To find your adapter name:

Get-NetAdapter

Set Cloudflare IPv6 DNS:

Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses "2606:4700:4700::1111","2606:4700:4700::1001"

Set Google DNS64 for IPv6-only networks:

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "2001:4860:4860::6464","2001:4860:4860::64"

View current IPv6 DNS configuration:

Get-DnsClientServerAddress -InterfaceAlias "Ethernet" -AddressFamily IPv6

Reset to automatic DNS (DHCP):

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ResetServerAddresses

Flush DNS cache after changes:

Clear-DnsClientCache

Or use the classic command:

ipconfig /flushdns

Method 3: Using Command Prompt (netsh)

For compatibility with older Windows versions or scripts:

netsh interface ipv6 set dns "Ethernet" static 2001:4860:4860::8888
netsh interface ipv6 add dns "Ethernet" 2001:4860:4860::8844 index=2

View DNS configuration:

netsh interface ipv6 show dns

Delete DNS servers:

netsh interface ipv6 delete dns "Ethernet" all

Windows-Specific Considerations

Priority Settings: Windows prefers IPv6 over IPv4 by default. When both A and AAAA records exist, Windows will use the IPv6 address.

Domain Controllers: If you're configuring DNS on Windows Server domain controllers, never use link-local addresses (::1 or fe80::). Always configure global unicast IPv6 addresses for DNS servers.

Dual-Stack Behavior: If you configure only IPv6 DNS servers, Windows will still attempt IPv4 DNS queries over IPv4 connectivity if available. To ensure IPv6-only DNS, disable IPv4 DNS or disable IPv4 entirely.

Configuring IPv6-Only DNS on macOS

macOS provides excellent IPv6 support with configuration options through System Settings and command-line tools.

Method 1: Using System Settings (macOS Ventura and later)

Step 1: Open Network Settings

1. Click the Apple menu () > System Settings
2. Click Network in the sidebar
3. Select your active network connection (Wi-Fi or Ethernet)
4. Click Details

Step 2: Configure DNS

1. Click the DNS tab
2. In the DNS Servers section, click the + button
3. Enter your first IPv6 DNS server: 2001:4860:4860::8888
4. Click + again and add: 2001:4860:4860::8844
5. Remove any IPv4 DNS servers if you want IPv6-only DNS
6. Click OK

For older macOS versions (Big Sur, Monterey):

The process is similar but accessed through System Preferences > Network > Select connection > Advanced > DNS tab.

Method 2: Using networksetup (Command Line)

The networksetup command provides scriptable DNS configuration.

Set IPv6-only DNS servers:

sudo networksetup -setdnsservers "Wi-Fi" 2001:4860:4860::8888 2001:4860:4860::8844

Replace "Wi-Fi" with your network service name. To find your network service names:

networksetup -listallnetworkservices

Set Cloudflare IPv6 DNS:

sudo networksetup -setdnsservers "Wi-Fi" 2606:4700:4700::1111 2606:4700:4700::1001

Set Google DNS64 for IPv6-only networks:

sudo networksetup -setdnsservers "Ethernet" 2001:4860:4860::6464 2001:4860:4860::64

View current DNS configuration:

networksetup -getdnsservers "Wi-Fi"

Reset to automatic DNS (DHCP):

sudo networksetup -setdnsservers "Wi-Fi" "Empty"

Flush DNS cache:

sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

Method 3: Editing Configuration Files (Advanced)

For more granular control, you can edit network configuration files directly, though this is not recommended for most users as macOS overwrites these files.

Temporary DNS override for testing:

Create or edit /etc/resolver/ files for specific domains. This method is primarily used for development and testing.

macOS-Specific Considerations

mDNSResponder: macOS uses mDNSResponder for DNS resolution, which handles both IPv4 and IPv6 queries intelligently.

Happy Eyeballs: macOS implements RFC 8305 (Happy Eyeballs v2), which means it will attempt both IPv4 and IPv6 connections simultaneously and use whichever responds first.

Privacy Extensions: macOS enables IPv6 privacy extensions by default, rotating IPv6 addresses periodically to enhance privacy.

VPN Considerations: Some VPNs may override your DNS settings. Check your VPN configuration if DNS isn't working as expected.

Configuring IPv6-Only DNS on Linux

Linux DNS configuration varies by distribution and network management system. Modern Linux distributions typically use NetworkManager, systemd-networkd, or systemd-resolved.

Method 1: Using NetworkManager (GUI)

Most desktop Linux distributions (Ubuntu, Fedora, Debian with GNOME/KDE) use NetworkManager.

GNOME/Ubuntu:

1. Click the network icon in the system tray
2. Select Settings or Network Settings
3. Click the gear icon next to your active connection
4. Navigate to the IPv6 tab
5. In the DNS field, enter IPv6 addresses separated by commas:

   2001:4860:4860::8888, 2001:4860:4860::8844
   

6. Set Automatic DNS to OFF if present
7. Click Apply

KDE Plasma:

1. Open System Settings > Connections
2. Select your network connection
3. Go to IPv6 tab
4. Set Method to Automatic (DHCP) addresses only or Manual
5. Add DNS servers in the DNS servers field
6. Click OK

Method 2: Using NetworkManager CLI (nmcli)

The nmcli tool provides powerful command-line control over NetworkManager.

List all connections:

nmcli connection show

Set IPv6-only DNS servers:

sudo nmcli connection modify "Wired connection 1" ipv6.dns "2001:4860:4860::8888 2001:4860:4860::8844"
sudo nmcli connection modify "Wired connection 1" ipv6.ignore-auto-dns yes
sudo nmcli connection up "Wired connection 1"

Replace "Wired connection 1" with your connection name from the first command.

Set Cloudflare IPv6 DNS:

sudo nmcli connection modify "Wired connection 1" ipv6.dns "2606:4700:4700::1111 2606:4700:4700::1001"
sudo nmcli connection modify "Wired connection 1" ipv6.ignore-auto-dns yes
sudo nmcli connection up "Wired connection 1"

Set Google DNS64:

sudo nmcli connection modify "Wired connection 1" ipv6.dns "2001:4860:4860::6464 2001:4860:4860::64"
sudo nmcli connection modify "Wired connection 1" ipv6.ignore-auto-dns yes
sudo nmcli connection up "Wired connection 1"

Set DNS priority (useful for dual-stack):

sudo nmcli connection modify "Wired connection 1" ipv6.dns-priority 10

Lower values have higher priority. This is useful when you have both IPv4 and IPv6 DNS configured.

View DNS configuration:

nmcli connection show "Wired connection 1" | grep dns

Reset to automatic DNS:

sudo nmcli connection modify "Wired connection 1" ipv6.ignore-auto-dns no
sudo nmcli connection modify "Wired connection 1" ipv6.dns ""
sudo nmcli connection up "Wired connection 1"

Method 3: Using systemd-resolved

Modern distributions like Ubuntu 18.04+ and Fedora use systemd-resolved for DNS management.

Check if systemd-resolved is active:

systemctl status systemd-resolved

Configure IPv6-only DNS globally:

Edit /etc/systemd/resolved.conf:

sudo nano /etc/systemd/resolved.conf

Add or modify these lines:

[Resolve]
DNS=2001:4860:4860::8888 2001:4860:4860::8844
FallbackDNS=2606:4700:4700::1111 2606:4700:4700::1001

Save and restart systemd-resolved:

sudo systemctl restart systemd-resolved

Configure per-network using .network files:

Create or edit a file in /etc/systemd/network/, e.g., /etc/systemd/network/20-wired.network:

[Match]
Name=eth0

[Network]
DHCP=yes
DNS=2001:4860:4860::8888
DNS=2001:4860:4860::8844

Restart systemd-networkd:

sudo systemctl restart systemd-networkd

View current DNS servers:

resolvectl status

Or:

systemd-resolve --status

Test DNS resolution:

resolvectl query google.com

Method 4: Direct /etc/resolv.conf Configuration (Legacy)

Warning: Many modern distributions manage /etc/resolv.conf automatically. Manual changes may be overwritten.

Check if resolv.conf is a symlink:

ls -l /etc/resolv.conf

If it's a symlink to /run/systemd/resolve/stub-resolv.conf or similar, use systemd-resolved methods instead.

For static configuration (if applicable):

sudo nano /etc/resolv.conf

Add:

nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

Make it immutable to prevent overwriting:

sudo chattr +i /etc/resolv.conf

To allow changes again:

sudo chattr -i /etc/resolv.conf

Method 5: Using netplan (Ubuntu Server 18.04+)

Ubuntu Server uses netplan for network configuration.

Edit netplan configuration:

sudo nano /etc/netplan/01-netcfg.yaml

Example configuration with IPv6-only DNS:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp6: yes
      nameservers:
        addresses:
          - 2001:4860:4860::8888
          - 2001:4860:4860::8844

Apply configuration:

sudo netplan apply

Test configuration before applying:

sudo netplan try

This allows a 120-second testing period before automatically reverting.

Linux-Specific Considerations

Split DNS: NetworkManager and systemd-resolved support split DNS, where different DNS servers are used for different domains or connections.

DNS over TLS (DoT): Configure DoT in systemd-resolved:

sudo nano /etc/systemd/resolved.conf

Add:

[Resolve]
DNS=2001:4860:4860::8888#dns.google
DNSOverTLS=yes

DNS over HTTPS (DoH): Requires third-party tools like dnsproxy or cloudflared.

Flush DNS cache:

For systemd-resolved:

sudo resolvectl flush-caches

For nscd:

sudo systemctl restart nscd

DNS64 for IPv6-Only Networks

DNS64 is essential for IPv6-only networks that need to access IPv4-only services. It works by synthesizing IPv6 addresses (AAAA records) from IPv4 addresses (A records) using a special prefix.

How DNS64 Works

1. An IPv6-only client queries for an AAAA record (IPv6 address)
2. The DNS64 resolver checks if native AAAA records exist
3. If no AAAA records are found, it queries for A records (IPv4)
4. If A records exist, DNS64 synthesizes an IPv6 address by combining:
   • The Well-Known Prefix: 64:ff9b::/96
   • The 32-bit IPv4 address
5. The client receives the synthesized IPv6 address
6. Traffic is routed through a NAT64 gateway which translates to IPv4

Example

For ipv4only.example.com with A record 203.0.113.45:

• DNS64 synthesizes: 64:ff9b::cb00:712d (cb00:712d is 203.0.113.45 in hex)
• Client connects to this IPv6 address
• NAT64 gateway translates to IPv4 destination

Google Public DNS64 Configuration

Windows:

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "2001:4860:4860::6464","2001:4860:4860::64"

macOS:

sudo networksetup -setdnsservers "Wi-Fi" 2001:4860:4860::6464 2001:4860:4860::64

Linux (NetworkManager):

sudo nmcli connection modify "Wired connection 1" ipv6.dns "2001:4860:4860::6464 2001:4860:4860::64"
sudo nmcli connection modify "Wired connection 1" ipv6.ignore-auto-dns yes
sudo nmcli connection up "Wired connection 1"

DNS64 Requirements

Network Prerequisites:

1. Your network must have a NAT64 gateway configured
2. The NAT64 gateway should use the 64:ff9b::/96 prefix (Well-Known Prefix)
3. Your device must have IPv6 connectivity to the NAT64 gateway
4. IPv4 must be disabled or unavailable on the client

Application Requirements:

• Applications must be IPv6-aware and not hardcode IPv4 addresses
• Applications should use DNS for resolution, not IP literals
• DNSSEC-validating applications may reject synthesized addresses

DNS64 Limitations

DNSSEC Conflicts: DNS64 synthesizes responses, which violates DNSSEC's premise that responses haven't been modified. Many DNS64 implementations disable DNSSEC validation for synthesized records.

Hardcoded IPv4 Addresses: Applications that use hardcoded IPv4 addresses cannot work through DNS64/NAT64.

Performance: NAT64 translation adds latency compared to native IPv6 or IPv4 connections.

Protocol Compatibility: Some protocols that embed IP addresses in payloads (e.g., FTP, SIP) may not work correctly through NAT64.

Cloud Provider DNS64 Support

Google Cloud: Configure DNS64 server policies in Cloud DNS for IPv6-only subnets.

AWS: Use Route 53 Resolver with DNS64 support or run your own DNS64 server.

Azure: Configure DNS64 through Azure DNS Private Resolver.

Verifying Your Configuration

After configuring IPv6-only DNS, thorough testing ensures everything works correctly.

Quick Verification Commands

Windows:

# View DNS servers
Get-DnsClientServerAddress -AddressFamily IPv6

# Test DNS resolution
Resolve-DnsName -Name google.com -Type AAAA

# Query specific DNS server
Resolve-DnsName -Name google.com -Server 2001:4860:4860::8888

macOS:

# View DNS servers
scutil --dns | grep nameserver

# Test DNS resolution
dig google.com AAAA

# Query specific DNS server
dig @2001:4860:4860::8888 google.com AAAA

Linux:

# View DNS servers (systemd-resolved)
resolvectl status

# View DNS servers (traditional)
cat /etc/resolv.conf

# Test DNS resolution
dig google.com AAAA

# Query specific DNS server
dig @2001:4860:4860::8888 google.com AAAA

# Alternative: nslookup
nslookup -type=AAAA google.com

Advanced Testing

Test IPv6 connectivity to DNS server:

# Windows
ping -6 2001:4860:4860::8888

# macOS/Linux
ping6 2001:4860:4860::8888

Verify DNS queries are using IPv6:

Use tcpdump (Linux/macOS) or Wireshark (all platforms) to capture DNS traffic:

# Linux/macOS - requires sudo
sudo tcpdump -i any -n port 53 and ip6

Test specific record types:

# AAAA records (IPv6)
dig google.com AAAA

# A records (IPv4)
dig google.com A

# Any records
dig google.com ANY

Check DNS response time:

dig google.com AAAA | grep "Query time"

Test DNS64 synthesis (if using DNS64):

# Query an IPv4-only domain
dig @2001:4860:4860::6464 ipv4only.arpa AAAA

# You should receive a synthesized AAAA record with 64:ff9b:: prefix

Comprehensive IPv6 Testing

For complete validation of your IPv6 DNS and connectivity, visit test-ipv6.run.

This free online testing tool provides:

• IPv6 Connectivity Test: Verifies your device can reach IPv6-only services
• DNS Resolution Test: Confirms AAAA record lookups work correctly
• Dual-Stack Detection: Checks if both IPv4 and IPv6 are configured
• Latency Comparison: Measures IPv4 vs IPv6 response times
• Protocol Preference: Detects which protocol your browser prefers
• Comprehensive Scoring: Provides an IPv6 readiness score with recommendations

The test runs entirely in your browser and gives immediate feedback on whether your IPv6-only DNS configuration is working correctly.

Online Testing Tools

• test-ipv6.run: Comprehensive IPv6 connectivity and DNS testing (recommended)
• test-ipv6.com: Detailed IPv6 testing with visual indicators
• ipv6-test.com: Simple IPv6 connectivity check
• Google IPv6 Test: Search "Google IPv6 test" for Google's checker

DNS Leak Testing

Ensure DNS queries aren't leaking to unintended servers:

• dnsleaktest.com: Comprehensive DNS leak test
• ipleak.net: Tests DNS, IPv6, and WebRTC leaks

Troubleshooting Common Issues

Issue 1: No DNS Resolution After Configuration

Symptoms: Cannot resolve domain names, "DNS server not responding" errors

Diagnosis:

# Windows
nslookup google.com

# macOS/Linux
dig google.com

Solutions:

1. Verify IPv6 connectivity:

   # Windows
   ping -6 2001:4860:4860::8888
   
   # macOS/Linux
   ping6 2001:4860:4860::8888
   

   If this fails, you don't have IPv6 connectivity to the DNS server.

2. Check if IPv6 is enabled:

   # Windows
   Get-NetAdapterBinding -ComponentID ms_tcpip6
   
   # Linux
   ip -6 addr show
   

3. Flush DNS cache:

   # Windows
   ipconfig /flushdns
   
   # macOS
   sudo killall -HUP mDNSResponder
   
   # Linux (systemd-resolved)
   sudo resolvectl flush-caches
   

4. Restart network services:

   # Windows
   Restart-NetAdapter -Name "Ethernet"
   
   # macOS - turn Wi-Fi off and on in System Settings
   
   # Linux
   sudo systemctl restart NetworkManager
   

5. Check firewall rules: Ensure firewall allows outbound UDP port 53 over IPv6.

Issue 2: Slow DNS Resolution

Symptoms: Websites take several seconds to load initially, DNS timeouts

Diagnosis:

dig google.com AAAA | grep "Query time"

If query time exceeds 100ms consistently, DNS resolution is slow.

Solutions:

1. Test different DNS servers:

   # Test Google DNS
   dig @2001:4860:4860::8888 google.com | grep "Query time"
   
   # Test Cloudflare DNS
   dig @2606:4700:4700::1111 google.com | grep "Query time"
   

2. Check for IPv6 routing issues:

   # macOS/Linux
   traceroute6 2001:4860:4860::8888
   
   # Windows
   tracert -6 2001:4860:4860::8888
   

3. Configure faster DNS servers: Cloudflare (2606:4700:4700::1111) is often fastest per 2025 benchmarks.

4. Enable DNS caching:

   • Windows: DNS Client service (enabled by default)
   • macOS: mDNSResponder (automatic)
   • Linux: systemd-resolved or dnsmasq

Issue 3: IPv6-Only DNS Doesn't Work, IPv4 DNS Does

Symptoms: IPv4 DNS servers work fine, IPv6 DNS servers fail

Diagnosis:

# Test IPv6 DNS
dig @2001:4860:4860::8888 google.com

# Test IPv4 DNS
dig @8.8.8.8 google.com

Solutions:

1. Verify IPv6 Internet connectivity:

   # Windows
   ping -6 ipv6.google.com
   
   # macOS/Linux
   ping6 ipv6.google.com
   

   If this fails, your ISP or router doesn't provide IPv6 connectivity.

2. Check router IPv6 settings:

   • Ensure IPv6 is enabled on router
   • Verify IPv6 WAN connection is active
   • Check if router blocks IPv6 DNS (port 53)

3. Contact ISP: Many ISPs don't provide IPv6 by default. You may need to request it or enable it in your account settings.

4. Use dual-stack DNS temporarily: Configure both IPv4 and IPv6 DNS servers:

   # Windows - configure both protocols
   Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "8.8.8.8","8.8.4.4"
   

Issue 4: DNS64 Not Synthesizing IPv4 Addresses

Symptoms: Cannot reach IPv4-only websites from IPv6-only network

Diagnosis:

# Query IPv4-only domain through DNS64
dig @2001:4860:4860::6464 ipv4.google.com AAAA

Expected: Should return AAAA record with 64:ff9b:: prefix Actual: Returns no AAAA record or error

Solutions:

1. Verify NAT64 gateway exists: DNS64 requires a corresponding NAT64 gateway at 64:ff9b::/96.

   ping6 64:ff9b::8.8.8.8
   # This pings 8.8.8.8 through NAT64
   

2. Check if network supports NAT64: Contact network administrator. DNS64 without NAT64 won't work.

3. Use correct DNS64 resolver: Google Public DNS64: 2001:4860:4860::6464 and 2001:4860:4860::64

4. Verify application is IPv6-aware: Applications with hardcoded IPv4 addresses won't work through DNS64.

Issue 5: Configuration Doesn't Persist After Reboot

Symptoms: DNS settings revert to default after restart

Solutions:

Windows:

• Ensure you're using static DNS, not "Obtain DNS server address automatically"
• Check if Group Policy or network profile is overriding settings
• For corporate networks, check with IT department

macOS:

• Verify DNS is set in Network preferences, not via command line only
• Check if VPN or other profile is overriding DNS
• Some managed Macs may enforce DNS via MDM profiles

Linux:

# NetworkManager - ensure ignore-auto-dns is set
sudo nmcli connection modify "Wired connection 1" ipv6.ignore-auto-dns yes

# systemd-resolved - edit config file
sudo nano /etc/systemd/resolved.conf

# netplan - ensure configuration is in /etc/netplan/

Issue 6: DNSSEC Validation Failures

Symptoms: DNSSEC-enabled domains fail to resolve

Diagnosis:

dig +dnssec google.com

Solutions:

1. Disable DNSSEC validation:

   Note: This reduces security. Only do this if necessary.

   systemd-resolved:

   sudo nano /etc/systemd/resolved.conf
   

   Set:

   [Resolve]
   DNSSEC=no
   

2. Use DNS servers with proper DNSSEC support: Google DNS and Cloudflare both support DNSSEC correctly.

3. For DNS64 users: DNS64 may conflict with DNSSEC. This is a known limitation.

Issue 7: VPN Overrides DNS Settings

Symptoms: DNS settings work until VPN connects, then revert

Solutions:

1. Configure VPN to not override DNS: Check VPN client settings for "Use VPN DNS servers" option and disable it.

2. Use VPN-provided IPv6 DNS: Many VPNs provide their own IPv6 DNS servers. Use those instead.

3. Set DNS priority higher:

   # Linux
   sudo nmcli connection modify "Wired connection 1" ipv6.dns-priority 5
   sudo nmcli connection modify "VPN" ipv6.dns-priority 10
   

   Lower values have higher priority.

4. Use split-tunnel VPN: Configure VPN to only route specific traffic, not all DNS.

Best Practices

General Recommendations

1. Always configure at least two DNS servers for redundancy:

   Primary: 2001:4860:4860::8888
   Secondary: 2606:4700:4700::1111
   

2. Test thoroughly before deploying to production networks or critical systems.

3. Monitor DNS performance regularly to detect issues early.

4. Keep DNS configuration documented, especially in enterprise environments.

5. Use DNS over TLS (DoT) or DNS over HTTPS (DoH) for privacy when supported:

   • systemd-resolved supports DoT natively
   • Windows 11 supports DoH
   • macOS supports DoH via third-party tools

Security Best Practices

1. Use DNSSEC-validating resolvers when possible (Google DNS, Cloudflare).

2. Avoid untrusted DNS servers - stick to reputable public DNS providers.

3. Monitor for DNS hijacking - verify DNS responses occasionally.

4. Implement firewall rules to allow only outbound port 53 (DNS) to configured servers.

5. Use encrypted DNS (DoT/DoH) to prevent eavesdropping and tampering.

Performance Optimization

1. Choose geographically close DNS servers when possible for lower latency.

2. Enable DNS caching at the operating system level.

3. Consider running a local caching resolver (e.g., unbound, dnsmasq) for busy networks.

4. Test and compare DNS providers:

   # Benchmark DNS response time
   for i in {1..10}; do
     dig @2001:4860:4860::8888 google.com | grep "Query time"
   done
   

5. Set appropriate TTL values on your own DNS records (not too short, not too long).

Enterprise Considerations

1. Split DNS configuration: Use internal DNS for internal domains, public DNS for external.

2. Centralized DNS management: Use DHCP/DHCPv6 to distribute DNS settings.

3. Redundancy: Deploy multiple DNS servers across different locations.

4. Monitoring: Implement DNS query logging and analysis for security and troubleshooting.

5. Gradual rollout: Test IPv6-only DNS on small groups before organization-wide deployment.

6. Documentation: Maintain clear documentation of DNS architecture and configuration.

IPv6-Only Network Considerations

1. Deploy DNS64/NAT64 for accessing IPv4-only services.

2. Verify application compatibility with IPv6-only environments before deployment.

3. Plan migration strategy from dual-stack to IPv6-only carefully.

4. Maintain IPv4 connectivity during transition for legacy systems.

5. Educate users about IPv6-only limitations and workarounds.

Automation and Infrastructure as Code

For consistent, repeatable DNS configuration across multiple systems:

Ansible example:

- name: Configure IPv6-only DNS on Linux
  community.general.nmcli:
    conn_name: "eth0"
    type: ethernet
    dns6:
      - 2001:4860:4860::8888
      - 2001:4860:4860::8844
    dns6_ignore_auto: yes
    state: present

PowerShell DSC example (Windows):

Configuration IPv6DNS {
    Import-DscResource -ModuleName NetworkingDsc

    Node "localhost" {
        DnsServerAddress IPv6DNS {
            InterfaceAlias = "Ethernet"
            AddressFamily = "IPv6"
            Address = @("2001:4860:4860::8888", "2001:4860:4860::8844")
        }
    }
}

Docker container example:

# Set IPv6 DNS in container
FROM ubuntu:latest
RUN echo "nameserver 2001:4860:4860::8888" > /etc/resolv.conf
RUN echo "nameserver 2001:4860:4860::8844" >> /etc/resolv.conf

Conclusion

Configuring IPv6-only DNS nameservers is an essential skill as networks transition to IPv6. Whether you're running an IPv6-only network, testing IPv6 compatibility, or preparing for the future, understanding how to properly configure and troubleshoot IPv6 DNS is critical.

Key Takeaways:

• IPv6-only DNS requires working IPv6 connectivity to function
• Popular public IPv6 DNS providers include Google, Cloudflare, OpenDNS, and Quad9
• DNS64 enables IPv6-only clients to access IPv4-only services via NAT64
• Configuration methods vary by OS but all support IPv6 DNS natively
• Always test thoroughly using tools like test-ipv6.run after configuration
• Use at least two DNS servers for redundancy and reliability

By following this guide, you should be able to successfully configure IPv6-only DNS nameservers on any major operating system, troubleshoot common issues, and optimize your DNS configuration for performance and security. As IPv6 adoption continues to grow globally, mastering these skills will become increasingly important for network administrators, developers, and power users.

For more information about IPv6 connectivity and testing, visit test-ipv6.run to verify your configuration and get detailed insights into your IPv6 readiness.