
DandelionSprout
Member

Directly inspired by AdguardTeam/AdGuardHome#7898 and AdguardTeam/AdGuardHome#7904.

The dns64 settings in multiple AdGuard products, certainly including dnsproxy, do not properly explain at all what the setting does, and that it is in fact much more likely to break IPv6 sites than to handle them better.

Trust me
It took me years to debug a very similar problem in AGH, and even then only because I received a fantastic tip in the firstmost-linked thread.


@windsurf-bot windsurf-bot bot left a comment


💡 To request another review, post a new comment with "/windsurf-review".

},
dns64Idx: {
description: "If specified, dnsproxy will act as a DNS64 server.",
description: "If specified, dnsproxy will act as a DNS64 (a.k.a. NAT64) server. This is a really bad idea to do on public or out-of-house, as it will break large parts of the internet on IPv6 clients in such circumstances.",
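Review bot: The new `dns64Idx` description calls DNS64 "a.k.a. NAT64", but these are two separate mechanisms that are deployed together, so the parenthetical should be dropped or reworded (for example "used together with a NAT64 gateway"). In the second sentence, "on public or out-of-house" is missing its noun (for example "networks"), and "a really bad idea" would serve readers of help text better as a plain statement of where the option is safe to enable.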

The updated description correctly warns about potential issues with DNS64, but there's a technical inaccuracy. DNS64 is not the same as NAT64 - DNS64 is a DNS server feature that synthesizes AAAA records from A records, while NAT64 is a network address translation mechanism that allows IPv6-only clients to communicate with IPv4-only servers. They work together but serve different functions.

YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.
--dns64
If specified, dnsproxy will act as a DNS64 server.
If specified, dnsproxy will act as a DNS64 (a.k.a. NAT64) server. This is a really bad idea to do on public or out-of-house, as it will break large parts of the internet on IPv6 clients in such circumstances.
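Review bot: The `--dns64` entry in the README repeats the new option description word for word, so any correction to that wording has to land in both places or the two will drift apart. The trailing "in such circumstances" also restates "on public or out-of-house" within the same sentence and can be cut; the space would be better spent saying which clients are affected.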

The warning about DNS64 breaking things is valuable, but could be more precise. DNS64 doesn't break IPv6 sites directly - rather, when used incorrectly (especially on public networks), it can prevent IPv6 clients from properly accessing IPv6-only resources. Consider clarifying this technical distinction to help users better understand the specific risk.

Member Author


I'm much too old and/or young to expect the meteoric rise in AI tools' coding skills in the past 6 months or so, but you seem to be pretty correct in your explanation.
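The DNS64 behaviour discussed in the review comments above (synthesizing AAAA records from A records), as an added Go example that is not part of this pull request or of dnsproxy's code. The function names are hypothetical and the prefix is assumed to be the RFC 6052 well-known prefix `64:ff9b::/96`; `Embedded` goes slightly beyond the thread by showing how to recognise a synthesized answer and recover the IPv4 address inside it.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Assumed: the RFC 6052 well-known prefix; deployments may use their own /96.
var wellKnown = netip.MustParsePrefix("64:ff9b::/96")

// Synthesize embeds an IPv4 address in the low 32 bits of a /96 prefix,
// producing the address a DNS64 resolver hands out as an AAAA record.
func Synthesize(pfx netip.Prefix, v4 netip.Addr) (netip.Addr, bool) {
	if pfx.Bits() != 96 || !pfx.Addr().Is6() || !v4.Is4() {
		return netip.Addr{}, false
	}
	b, a := pfx.Masked().Addr().As16(), v4.As4()
	copy(b[12:], a[:])
	return netip.AddrFrom16(b), true
}

// Answer models the DNS64 decision: native AAAA records pass through
// untouched; synthesis happens only for names that have A records alone.
func Answer(pfx netip.Prefix, aaaa, a []netip.Addr) []netip.Addr {
	if len(aaaa) > 0 {
		return aaaa
	}
	var out []netip.Addr
	for _, v4 := range a {
		if s, ok := Synthesize(pfx, v4); ok {
			out = append(out, s)
		}
	}
	return out
}

// Embedded reports whether addr lies inside pfx (i.e. is a synthesized
// answer) and, if so, returns the IPv4 address it carries.
func Embedded(pfx netip.Prefix, addr netip.Addr) (netip.Addr, bool) {
	if pfx.Bits() != 96 || !pfx.Contains(addr) {
		return netip.Addr{}, false
	}
	b := addr.As16()
	return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}), true
}

func main() {
	// Constructed sample: an IPv4-only name whose A record is 192.0.2.33.
	fmt.Println(Answer(wellKnown, nil, []netip.Addr{netip.MustParseAddr("192.0.2.33")}))
}
```

A synthesized address is only reachable on a network where a NAT64 gateway routes the chosen prefix, so a client that receives one anywhere else gets an AAAA answer it cannot connect to.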
