NAT64 policy and DNS64 (DNS proxy)

NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.

NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records, which provides IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy and DNS64 are interchangeable terms.

Sample topology

In this example, a host on the internal IPv6 network communicates with that only has IPv4 address on the Internet.

  1. The host on the internal network does a DNS lookup for by sending a DNS query for an AAAA record for
  2. The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for and gets back an RRSet containing a single A record with the IPv4 address
  3. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::
  4. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::
  5. The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.
  6. The FortiGate translates the destination address of the packets from IPv6 address 64:ff9b:: to IPv4 address and translates the source address of the packets to (or another address in the IP pool range) and forwards the packets out the port9 interface to the Internet.
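The address synthesis in step 3 and its reverse, as an added example that is not FortiGate code: it maps NAT64 destinations seen in logs back to the IPv4 address embedded in them. The function names and sample addresses are constructed for illustration. It assumes a /96 prefix, and the non-global note reflects RFC 6052, which reserves the well-known prefix for global IPv4 addresses.

```python
import ipaddress

# Well-known NAT64 prefix (RFC 6052); the page's default address begins with 64:ff9b::
WKP = ipaddress.IPv6Network("64:ff9b::/96")

def synthesize(ipv4, prefix=WKP):
    """Build the DNS64 AAAA address: prefix in the upper 96 bits, IPv4 in the lower 32."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def extract(ipv6, prefix=WKP):
    """Recover the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def audit(destinations, prefix=WKP):
    """Map logged IPv6 destinations to (ipv6, embedded ipv4, note) rows for review."""
    rows = []
    for dst in destinations:
        v4 = extract(dst, prefix)
        if v4 is None:
            rows.append((dst, None, "native IPv6"))
        elif not v4.is_global:
            # Private or reserved IPv4 targets reached through the translator
            rows.append((dst, str(v4), "non-global IPv4 behind NAT64"))
        else:
            rows.append((dst, str(v4), "ok"))
    return rows

# Constructed sample destinations (not from the page): a public resolver,
# an RFC 1918 address, and a native IPv6 documentation address.
SAMPLE = ["64:ff9b::808:808", "64:ff9b::a00:1", "2001:db8::1"]

if __name__ == "__main__":
    print(synthesize("8.8.8.8"))
    for row in audit(SAMPLE):
        print(row)
```
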

Sample configuration

To configure a NAT64 policy with DNS64 in the GUI:
  1. Enable IPv6 and DNS database:

    1. Go to System > Feature Visibility.
    2. In the Core Features section, enable IPv6.
    3. In the Additional Features section, enable DNS Database.
    4. Click Apply.
  2. Enable DNS proxy on the IPv6 interface:

    1. Go to Network > DNS Servers.
    2. In the DNS Service on Interface table, click Create New.
    3. For Interface, select port10.
    4. For Mode, select Forward to System DNS.
    5. Click OK.
  3. Configure the IPv6 DHCP server: