Skip to content

Added critially important notes for DNS64. #462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added critially important notes for DNS64. #462

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cbbe104
Added 1 very important note.
DandelionSprout Jul 6, 2025
50855e9
Added 1 very important note.
DandelionSprout Jul 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ Usage of ./dnsproxy:
--config-path=path
YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.
--dns64
If specified, dnsproxy will act as a DNS64 server.
If specified, dnsproxy will act as a DNS64 (a.k.a. NAT64) server. This is a really bad idea to do on public or out-of-house, as it will break large parts of the internet on IPv6 clients in such circumstances.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The warning about DNS64 breaking things is valuable, but could be more precise. DNS64 doesn't break IPv6 sites directly - rather, when used incorrectly (especially on public networks), it can prevent IPv6 clients from properly accessing IPv6-only resources. Consider clarifying this technical distinction to help users better understand the specific risk.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm much too old and/or young to expect the meteoric rise in AI tools' coding skills in the past 6 months or so, but you seem to be pretty correct in your explanation.

--dns64-prefix=subnet
Prefix used to handle DNS64. If not specified, dnsproxy uses the 'Well-Known Prefix' 64:ff9b::. Can be specified multiple times.
--dnscrypt-config=path/-g path
Expand Down
2 changes: 1 addition & 1 deletion internal/cmd/args.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -379,7 +379,7 @@ var commandLineOptions = []*commandLineOption{
valueType: "",
},
dns64Idx: {
description: "If specified, dnsproxy will act as a DNS64 server.",
description: "If specified, dnsproxy will act as a DNS64 (a.k.a. NAT64) server. This is a really bad idea to do on public or out-of-house, as it will break large parts of the internet on IPv6 clients in such circumstances.",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The updated description correctly warns about potential issues with DNS64, but there's a technical inaccuracy. DNS64 is not the same as NAT64 - DNS64 is a DNS server feature that synthesizes AAAA records from A records, while NAT64 is a network address translation mechanism that allows IPv6-only clients to communicate with IPv4-only servers. They work together but serve different functions.

long: "dns64",
short: "",
valueType: "",
Expand Down