Hacker News new | past | comments | ask | show | jobs | submit login

Huh, so I can effectively use a NAT64 gateway as an unauthenticated open proxy? Let's try it. First look up the IPv4 for a site that reads back your IP address:

    $ dig +short a icanhazip.com
    104.18.115.97
    104.18.114.97
(Those are Cloudflare IP; icanhazip.com is hosted on CF.) Next, try connecting to the IP-readback site via a NAT64 gateway, but presenting the correct Host header so that Cloudflare knows what to do with the request:

    $ curl -6 -k -H 'Host: icanhazip.com' https://[2001:67c:2960:6464::104.18.115.97]/
    141.98.136.43
OK, it reads back an IPv4...

    $ dig +short -x 141.98.136.43
    de-fra2-nat641.level66.network.
...with a PTR record associated with level66.network, which was the NAT64 gateway we chose.

How does this not see more abuse by bad actors? I guess it probably does, which is why there are so few of these public gateways?




> How does this not see more abuse by bad actors?

Because this tech goes unused in almost all cases. Also doesn't work if your DNS client is secure against tampering (i.e. uses DNSSEC) without more configuration.

To make this work, you need to intercept and modify the victim's DNS traffic or reconfigure the victim's DNS server somehow. With that amount of control, IPv6 or IPv4 no longer matter; you apparently have full network or configuration access already.

There are protocols to automatically configure such workarounds intended for ISPs, but I don't think they see much use.

> which is why there are so few of these public gateways?

I think a bigger problem is that you're piping a lot of people's internet traffic through your own network for... fun, I guess? To make this sustainable you need a business model and I don't see why anyone would pay for such a service until IPv6-only hosts start becoming more common.


Ugh, I was under really looking forward to trying out NAT64 one day. Potential complications with DNSSEC never occurred to me. Thanks for the reality check.


Just rent a small vps somewhere with dual stack ipv6 and ipv4 and run Tayga on it to make your own NAT64 endpoint.


Luckily (or sadly) many clients still don't do any actual DNSSEC validation instead relying on the outdated mechanism of validating the records on the DNS server and flagging them as secure.

You can keep the level of protection most people get from their DNS servers by doing the same; validating DNSSEC before NAT64 before rewriting them and disabling additional validation on the clients if enabled.

This does require trust in the connection between your devices and your server, but if you were planning on altering the DNS records automatically anyway, this shouldn't be too much of an issue.

Another thing to keep in mind is that some (headless) browsers will switch to DoH automatically depending on your network configuration. To fix this, you can run a DoH server next to the NAT64 server quite easily and configure your devices to use that, or disable DoH entirely. As far as I know only Firefox is enabling DoH in some privacy unfriendly countries, so you'll probably be fine if you forget, but this is something to check if your browser starts having weird issues.

TL;DR it'll probably still work




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: