What is DNS64 and When is it Used?

Executive Summary

DNS64 is a critical IPv6 transition technology that enables IPv6-only networks to seamlessly access IPv4-only services. By synthesizing AAAA (IPv6) DNS records from A (IPv4) records, DNS64 works in tandem with NAT64 translation gateways to bridge the connectivity gap during the lengthy IPv4-to-IPv6 migration period. This technology has become essential infrastructure for modern carrier networks, enterprise IPv6 deployments, and cloud platforms managing IPv4 address exhaustion.

Technical Definition

DNS64 is a DNS protocol extension defined in RFC 6147 that automatically synthesizes IPv6 addresses (AAAA records) from IPv4 addresses (A records) when an IPv6-only client needs to communicate with an IPv4-only server. The synthesized IPv6 address embeds the IPv4 address within a special prefix, allowing NAT64 gateways to perform the necessary protocol translation.

In practice, DNS64 functions as a transparent intermediary in the DNS resolution process. When an IPv6-only client queries for a hostname and only an A record exists (no AAAA record), the DNS64 server constructs a synthetic AAAA record by algorithmically combining:

A configured IPv6 prefix (typically 64:ff9b::/96)
The 32-bit IPv4 address from the original A record

The resulting IPv6 address directs traffic through a NAT64 gateway capable of translating between IPv6 and IPv4 protocols.

The DNS64/NAT64 Architecture

DNS64 never operates in isolation—it requires a paired NAT64 gateway to function. Understanding their relationship is crucial:

┌─────────────────────────────────────────────────────────────────┐
│                    IPv6-Only Network                            │
│                                                                 │
│  ┌──────────────┐                                              │
│  │ IPv6-Only    │  1. DNS Query: www.ipv4only.com (AAAA?)     │
│  │ Client       │────────────────────────────────────────┐    │
│  └──────────────┘                                         │    │
│         │                                                 ▼    │
│         │                                        ┌──────────────┐│
│         │   2. Synthetic AAAA Response:          │   DNS64      ││
│         │      64:ff9b::203.0.113.1              │   Server     ││
│         │◄───────────────────────────────────────┤              ││
│         │                                        └──────────────┘│
│         │ 3. Connect to 64:ff9b::203.0.113.1                   │
│         │    (Embedded IPv4: 203.0.113.1)                      │
│         ▼                                                       │
│  ┌──────────────────────────────────────┐                      │
│  │         NAT64 Gateway                 │                      │
│  │  • Extracts IPv4: 203.0.113.1        │                      │
│  │  • Translates IPv6 ↔ IPv4 packets    │                      │
│  │  • Maintains session state            │                      │
│  └──────────────────────────────────────┘                      │
│         │                                                       │
└─────────┼───────────────────────────────────────────────────────┘
          │ 4. IPv4 connection to 203.0.113.1
          ▼
   ┌──────────────┐
   │ IPv4-Only    │
   │ Server       │
   │ 203.0.113.1  │
   └──────────────┘

Step-by-Step Process Flow

DNS Resolution Request: IPv6-only client requests AAAA record for an IPv4-only destination
DNS64 Detection: DNS64 server finds only A records (no native IPv6 support)
Address Synthesis: DNS64 creates synthetic AAAA record using configured prefix + IPv4 address
Client Connection: Client connects to synthesized IPv6 address
NAT64 Translation: NAT64 gateway extracts embedded IPv4 address and translates packets
Bidirectional Communication: NAT64 maintains session state for return traffic

The Well-Known Prefix: 64:ff9b::/96

The most critical component of DNS64 is the address synthesis prefix. While DNS64 supports custom prefixes, the Well-Known Prefix (WKP) 64:ff9b::/96 defined in RFC 6052 has emerged as the de facto standard.

Why 64:ff9b::/96?

Standardization: Universally recognized by NAT64 implementations
Interoperability: Enables seamless routing across organizational boundaries
Simplicity: No coordination required between DNS64 and NAT64 deployments
Public Internet Use: Specifically designed for translating public IPv4 addresses

Address Synthesis Mathematics

The WKP uses the first 96 bits for the prefix, leaving the final 32 bits for the IPv4 address:

IPv4 Address:     203.0.113.1
Binary (32-bit):  11001011.00000000.01110001.00000001

WKP (96-bit):     64:ff9b:0000:0000:0000:0000
IPv4 (32-bit):    cb00:7101

Synthesized IPv6: 64:ff9b::cb00:7101
                  or
                  64:ff9b::203.0.113.1 (mixed notation)

Alternative Prefixes

Organizations may deploy Network-Specific Prefixes (NSP) for:

RFC 1918 Private Networks: Translating 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Security Policies: Isolating translation domains
Multi-tenant Environments: Preventing address conflicts

Common NSP formats include:

/32 - Maximum flexibility but requires /32 routing
/40 - Balances prefix length with IPv4 embedding space
/48 - Aligns with typical IPv6 allocation boundaries
/56 - Common in residential IPv6 deployments

Implementation Deployment Models

DNS64 can be deployed in three distinct architectural patterns:

1. Recursive Resolver Deployment (Most Common)

DNS64 functionality integrated into the recursive DNS resolver serving end clients:

Advantages:

Centralized management and policy control
No changes required to authoritative DNS
Transparent to end users
Supports existing DNS infrastructure

Use Cases:

ISP/carrier networks
Enterprise data centers
Public Wi-Fi networks

Example Implementations:

Google Public DNS64: 2001:4860:4860::6464, 2001:4860:4860::64
BIND DNS: dns64 64:ff9b::/96 { }; directive
Unbound DNS: module-config: "dns64 validator iterator"
PowerDNS Recursor: dns64 parameter

2. Authoritative Server Deployment

DNS64 logic embedded in authoritative nameservers:

Advantages:

Service provider controls synthesis policy
Optimized for specific application requirements
Reduced recursive resolver complexity

Disadvantages:

Requires modification to authoritative infrastructure
Less flexible for operators with diverse service portfolios

Use Cases:

Content delivery networks (CDNs)
Large-scale SaaS providers
Application-specific optimization

3. Split/Hybrid Deployment

Combination approach with DNS64 at both recursive and authoritative layers:

Use Cases:

Complex enterprise environments
Multi-cloud architectures
Gradual migration scenarios

Enterprise and Carrier Use Cases

Cellular Network Operators

Mobile carriers represent the largest DNS64/NAT64 deployment base:

Drivers:

IPv4 Address Exhaustion: CGNAT limitations and costs
Simplified Mobile Core: IPv6-only packet core infrastructure
5G Architecture: 3GPP standards favor IPv6-only access networks

Implementation Pattern:

IPv6-only mobile access network (radio and packet core)
DNS64 in carrier-grade recursive resolvers
Stateful NAT64 at internet gateway routers
464XLAT for legacy IPv4-only applications

Real-World Examples:

T-Mobile USA: IPv6-only LTE/5G with NAT64
Verizon Wireless: Extensive DNS64 deployment
Sprint (now T-Mobile): Early IPv6-only adopter

Enterprise Networks

DNS64 addresses three critical enterprise scenarios:

A. Cloud Migration with IPv6-Only Segments

Modern enterprises deploying IPv6-only subnets for:

Cost reduction (no IPv4 address procurement)
Simplified routing and security policies
Cloud-native application deployment

Supported Platforms:

AWS: NAT64 Gateway with Route 53 Resolver DNS64
Google Cloud: Automatic DNS64/NAT64 for IPv6-only VPC subnets
Azure: IPv6-only VNets with DNS64 preview

B. Branch Office IPv6-Only Connectivity

Remote sites connected via IPv6-only WAN links:

SD-WAN IPv6 transport
MPLS IPv6 circuits
Internet VPN with IPv6

Architecture:

Central site DNS64/NAT64 gateway
Branch offices use IPv6-only addressing
Centralized IPv4 internet breakout

C. IoT and Operational Technology (OT) Networks

IPv6-native IoT devices requiring occasional IPv4 access:

Building management systems
Industrial sensors and controllers
Smart city infrastructure

Internet Service Providers (ISPs)

Broadband and fiber ISPs deploy DNS64 for:

Residential Subscribers:

IPv6-only CPE (customer premises equipment)
Reduced operational complexity
Future-proof infrastructure

Business Services:

IPv6-mostly networks with NAT64 fallback
Premium IPv6 native services
Gradual IPv4 phase-out

Content Delivery and Cloud Platforms

Public DNS64 Services:

Google Public DNS64
Cloudflare DNS (with WARP client)
Quad9 (IPv6-capable resolvers)

Cloud Platform Integration:

Kubernetes IPv6-only clusters with DNS64
Serverless functions in IPv6-only environments
Container orchestration platforms

Benefits of DNS64 Deployment

1. Transparent IPv4 Access from IPv6-Only Networks

End users and applications experience seamless connectivity without manual configuration or awareness of translation mechanisms.

2. IPv4 Address Conservation

Organizations eliminate the need to assign IPv4 addresses to:

Mobile devices
Enterprise endpoints
Cloud virtual machines
IoT devices

3. Simplified Network Architecture

Dual-stack complexity reduction in IPv6-only networks:

Dual-stack complexity
IPv4 routing table size
NAT/CGNAT middlebox requirements
Firewall policy duplication

4. Administrative Efficiency

DNS64 eliminates the need to:

Maintain parallel IPv4/IPv6 DNS records
Manually configure translation mappings
Coordinate prefix allocations with application teams

5. Cost Reduction

Measurable savings from:

Reduced IPv4 address procurement costs
Lower NAT/CGNAT infrastructure investment
Simplified operations and troubleshooting

6. Future-Proof Infrastructure

Supports gradual IPv4 retirement while maintaining backward compatibility.

Limitations and Challenges

1. DNSSEC Validation Conflicts

DNSSEC synthesis can break DNSSEC validation:

Problem: Synthesized AAAA records lack valid DNSSEC signatures

Solutions:

Perform DNS64 synthesis after DNSSEC validation (RFC 6147 recommendation)
Deploy validating resolvers before DNS64 function
Use DNS64 with "trust anchor" configuration

Impact: Enterprise networks with mandatory DNSSEC validation require careful architecture design

2. Application Compatibility Issues

Applications with IPv4 assumptions may fail:

Problematic Patterns:

Hardcoded literal IPv4 addresses (e.g., http://203.0.113.1/api)
IPv4-only APIs and libraries
IP address whitelisting/blacklisting
Geolocation based on IPv4 address

Mitigation:

464XLAT for client-side IPv4 emulation (Android, iOS, macOS 13+)
Application-level IPv6 compatibility testing
Developer education and API modernization

3. Performance Considerations

DNS64/NAT64 introduces latency:

Factors:

Additional DNS resolution time (synthesis overhead)
NAT64 gateway processing delay
Session state maintenance overhead

Typical Impact: 2-10ms additional latency (acceptable for most applications)

Optimization:

Deploy geographically distributed NAT64 gateways
Use anycast for DNS64 resolver addresses
Implement connection pooling and keep-alives

4. Stateful NAT64 Scaling

NAT64 gateways maintain per-connection state:

Challenges:

Memory consumption for session tables
Connection tracking overhead
Port exhaustion at high scale

Solutions:

Carrier-grade NAT64 platforms (commercial or high-performance open source)
Stateless NAT64 for specific use cases (RFC 6145)
Load balancing across multiple NAT64 instances

5. Troubleshooting Complexity

DNS64/NAT64 obscures end-to-end connectivity:

Difficulties:

Tracing translated connections
Identifying NAT64 vs. application failures
Log correlation across IPv6/IPv4 boundary

Tools:

NAT64 session inspection utilities
Enhanced logging with correlation IDs
Test frameworks supporting IPv6-only environments

6. Well-Known Prefix Limitations

The WKP 64:ff9b::/96 cannot translate:

RFC 1918 Private Addresses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Localhost: 127.0.0.0/8
Link-Local: 169.254.0.0/16
Multicast: 224.0.0.0/4

Solution: Deploy Network-Specific Prefixes (NSP) for private address translation

Testing DNS64 Connectivity

When evaluating your network's IPv6 capabilities, DNS64 detection is crucial. Tools like test-ipv6.run provide comprehensive connectivity testing that includes:

DNS64 Detection Methodology

IPv4-Only Endpoint Test: Verify if IPv4 connectivity works
IPv6-Only Endpoint Test: Confirm native IPv6 functionality
Dual-Stack Endpoint Test: Check which protocol is preferred
Synthetic Address Detection: Identify synthesized AAAA records in the 64:ff9b::/96 range

Interpreting DNS64 Test Results

Scenario A: Native Dual-Stack (No DNS64)

IPv4-only test: Success
IPv6-only test: Success
Both protocols available natively

Scenario B: DNS64/NAT64 Active

IPv4-only test: Success via NAT64 translation
IPv6-only test: Success natively
IPv4 addresses resolve to 64:ff9b::/96 range

Scenario C: IPv6-Only Without DNS64

IPv4-only test: Failure
IPv6-only test: Success
Limited internet access (IPv6-only services only)

For network administrators, testing with test-ipv6.run helps validate DNS64 deployment and identify configuration issues before production rollout.

Best Practices for DNS64 Deployment

1. Start with the Well-Known Prefix

Use 64:ff9b::/96 unless you have specific requirements for NSP deployment.

2. Deploy DNS64 Close to Clients

Place DNS64 functionality in recursive resolvers serving end users, not in authoritative servers.

3. Ensure NAT64 and DNS64 Prefix Alignment

The NAT64 gateway must use the same prefix configured in DNS64.

4. Implement Monitoring and Alerting

Track key metrics:

DNS64 synthesis rate
NAT64 session count and exhaustion
Translation failures and timeouts
Performance degradation indicators

5. Plan for DNSSEC Validation

Position DNS64 function after DNSSEC validation in the resolution path.

6. Document and Communicate

Inform application development teams about:

IPv6-only network environment
DNS64/NAT64 translation boundaries
Application compatibility requirements
Testing procedures

7. Consider 464XLAT for Mobile

Deploy 464XLAT (RFC 6877) alongside DNS64/NAT64 for comprehensive mobile application compatibility.

8. Test Thoroughly Before Production

Validate:

Critical application functionality
Performance under load
Failover and redundancy
Security policy enforcement

Conclusion

DNS64 has evolved from an experimental transition mechanism to a production-grade technology deployed by major carriers, enterprises, and cloud platforms worldwide. By enabling IPv6-only networks to transparently access the IPv4 internet, DNS64 addresses the practical challenges of IPv4 address exhaustion while supporting the long-term migration to IPv6.

For organizations planning IPv6-only network segments—whether in cellular networks, cloud environments, or enterprise data centers—DNS64 paired with NAT64 provides a proven, scalable solution. While limitations exist, particularly around DNSSEC and application compatibility, the benefits of simplified architecture, cost reduction, and future-proof infrastructure make DNS64 an essential component of modern network design.

As the internet continues its gradual transition to IPv6, DNS64 will remain a critical bridging technology, enabling coexistence between IPv6 innovation and IPv4 legacy systems for years to come.

Further Reading:

RFC 6147: DNS64 Protocol Specification
RFC 6052: IPv6 Addressing of IPv4/IPv6 Translators
RFC 8683: Additional NAT64/464XLAT Deployment Guidelines
RFC 6877: 464XLAT Customer-Side Translator

Test Your Network: Visit test-ipv6.run to evaluate your IPv6 connectivity and detect DNS64 deployment.