Microsoft Direct Access – How DNS64 & NAT64 works?
Posted by Brajesh Panda on December 23, 2012
As I said in my previous article Direct Access is an IPv6 only technology; Direct Access clients talk to Direct Access Server using IPv6 technologies. (Don’t forget this communication happens using IPv6 transition technologies i.e. IPV6 encapsulation in IPv4 packets.). As client to server communication happens using IPv6, Name lookup also happens using IPv6 & AAAA query. So if a internal server has IPv6 address it is easy for the client to start communication. But if internal server is only IPv4 configured, how it will communicate. This is where DNS64 and NAT64 come into the picture. So NAT64/DNS64 are needed when you want to have IPv6 communication over IPv4 network. For other way round look forward to next article.
- So IPv6 enabled DA Clients send an IPv6 host resolution query (AAAA Query- Quad A query) to Direct Access Server.
- In Direct Access Server DNS64 (DNS 6 to 4 Proxy) accepts this query & contact internal corporate DNS server as per Direct Access Servers own internal DNS IP Address config.
- Internal corporate DNS server hands over either IPv6 or IPv4 or both addresses for the internal destination application server to DNS64. This depends on what kind of address internal app server is registered with internal dns server.
- If DNS64 receives both IPv6 & IPv4 address it hands over the IPv6 address to DA Client. DA Client starts communication to that IPv6 address of destine application server.
- If DNS64 receives only IPv6 address from the internal Corporate Server, it hands over that IPv6 IP to the Direct Access Client. DA Client starts communication to that IPv6 address of destine application server.
- If DNS64 receives only IPv4 address from the internal corporate server, it cannot hand over that to Direct Access client; because DA client is not aware of IPv4 address. So it handover that address to NAT64 service in the same server.
- NAT64 service converts that IPv4 address to IPv6 by using it’s configured IPv6 Prefix
- Then DNS64 hand over the translated IPv6 address to the DA Client
- Then DA Client sends it’s communication to above IPv6 address thru Direct Access Server
- In Direct Address server NAT64 captures the IPv6 communication packets as it is carrying it’s NAT64 prefix.
- Then NAT64 removes its proxy and creates an IPv4 payload of same data and forwards to the destination application server.
- When NAT64 receive a reply for that packet, again it creates IPv6 address using prefix & forward to Direct Access client & continues.
- Just to remember; When Direct Access Server is load balanced, these translation packets carry same nodes address so reply come to the same node, which did the translation.
- Here is a nice article about this functionality with some good picture; http://blogs.technet.com/b/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx
- In Windows 2008 R2 version Direct Access, DNS64 & NAT64 were not inbuilt so had to use UAG or any other 3rd party product and in UAG we have to configure NAT64 prefix.
- But in Windows 2012 NAT64 &DNS64 are integrated, so we don’t need UAG, Also we don’t need to configure any separate prefix per say.
Other Direct Access Articles