browse
Overview
Until now Cisco Secure Client supported IPv4-only and dual stack network configurations. This article describes support for IPv6-only networks starting with Cisco Secure Client 5.1.4.74 (MR4). The feature must be enabled using a flag file.
Background
With the widespread proliferation of IPv6, ISPs around the world are increasingly assigning IPv6 addresses only. However, many server resources are still on IPv4 only networks. DNS64, combined with NAT64, are transitional capabilities that enable seamless communication between IPv6-only clients and IPv4-only servers without requiring the clients to be aware of the underlying IPv4 infrastructure.
AAAA records are used exclusively with IPv6, while A records are used exclusively with IPv4. DNS64 works by synthesizing AAAA (IPv6) records for servers that only have A records in their DNS, allowing IPv6-only clients to reach IPv4-only servers. DNS64 creates these AAAA records by combining a configurable IPv6 prefix with the IPv4 address from an A-record lookup. The IPv4 address is embedded in the last 32 bits of the IPv6 address.
Cisco Secure Client 5.1.4.74 (MR4) now supports Umbrella protection for IPv6-only networks. The Umbrella module discovers the NAT64 prefix that is being employed by the network gateway by querying the LAN DNS resolvers. It then does the DNS64 IPv6 address synthesis using the discovered NAT64 prefix when the Umbrella DNS resolver is involved in name resolution for policy enforcement.
How to enable the feature
- For Windows
Create a file called single_stack_ipv6.flag and place it into the following directory:
C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\data
Once the flag file has been placed in the directory, please restart the Cisco Secure Client for the feature to take effect.
- For MacOS
Create a file called single_stack_ipv6.flag and place it into the following directory:
/opt/cisco/secureclient/umbrella/data
Once the flag file has been placed in the directory, please restart the Cisco Secure Client for the feature to take effect.
Limitations
- In CSC release 5.1.4 DNS64 is supported only for encrypted DNS traffic going to Umbrella DNS resolvers. It is not supported for unencrypted DNS traffic even if protection is applied.
FAQ
Q. How do I know if DNS64/NAT64 is supported on my network (MacOS)?
DNS64/NAT64 dig testing:
These tests are designed to qualify a network whereby the host is only configured with an IPv6 address. In order to reach existing IPv4 services on the Internet, the host must use DNS64 from the configured resolver to receive the synthesized IPv6 address of the IPv4 IP address. Once we have the synthesized address we will make sure it is reachable. It will only be reachable if NAT64 is enabled on the gateway. We use api-ipv4.opendns.com domain because we know that there are only v4 addresses configured. So if we get a v6 address in the answer record, we will know it has been synthesized. When we ping6 the returned address from the dig command, we will know that the synthesized address is successfully translated to a v4 address on the Internet and the reply translated back to the host.
DNS64
The first thing we want to test
➜ osx dig AAAA api-ipv4.opendns.com
; <<>> DiG 9.10.6 <<>> AAAA api-ipv4.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;api-ipv4.opendns.com. IN AAAA
;; ANSWER SECTION:
api-ipv4.opendns.com. 60 IN AAAA 64:ff9b::9270:ff9b <—synthesized address
;; Query time: 921 msec
;; SERVER: 2001:4860:4860::6464#53(2001:4860:4860::6464)
;; WHEN: Thu Jun 20 17:28:12 PDT 2024
;; MSG SIZE rcvd: 77
NAT64
Now let’s ping the synthesized address
➜ osx ping6 64:ff9b::9270:ff9b
PING6(56=40+8+8 bytes) 2001:db8:1:0:785e:e00f:f8fe:9f7b --> 64:ff9b::9270:ff9b
16 bytes from 64:ff9b::9270:ff9b, icmp_seq=0 hlim=54 time=103.653 ms
16 bytes from 64:ff9b::9270:ff9b, icmp_seq=1 hlim=54 time=51.491 ms
16 bytes from 64:ff9b::9270:ff9b, icmp_seq=2 hlim=54 time=54.278 ms
16 bytes from 64:ff9b::9270:ff9b, icmp_seq=3 hlim=54 time=78.153 ms
Q. How do I know if DNS64/NAT64 is supported on my network (Windows)?
DNS64
The first thing we want to test
C:\>nslookup -type=AAAA api-ipv4.opendns.com.
Server: UnKnown
Address: 2600:1f14:1799:7000:d2b9:d714:e957:6d4
Non-authoritative answer:
Name: api-ipv4.opendns.com
Address: 64:ff9b::9270:ff9b <—synthesized address
NAT64
Now let’s ping the synthesized address
C:\>ping 64:ff9b::9270:ff9b
Pinging 64:ff9b::9270:ff9b with 32 bytes of data:
Reply from 64:ff9b::9270:ff9b: time=18ms
Reply from 64:ff9b::9270:ff9b: time=22ms
Reply from 64:ff9b::9270:ff9b: time=21ms
Reply from 64:ff9b::9270:ff9b: time=19ms
Ping statistics for 64:ff9b::9270:ff9b:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 22ms, Average = 20ms