Skip to content

Added critially important notes for DNS64.#462

Open
DandelionSprout wants to merge 2 commits intoAdguardTeam:masterfrom
DandelionSprout:master
Open

Added critially important notes for DNS64.#462
DandelionSprout wants to merge 2 commits intoAdguardTeam:masterfrom
DandelionSprout:master

Conversation

@DandelionSprout
Copy link
Member

@DandelionSprout DandelionSprout commented Jul 6, 2025

Directly inspired by AdguardTeam/AdGuardHome#7898 and AdguardTeam/AdGuardHome#7904.

The dns64 settings in multiple AdGuard products, certainly including dnsproxy, does not properly explain at all what the setting does, and that it is in fact much more likely to break IPv6 sites than to handle them better.

T
r
u
s
t

m
e

It took me years to debug a very similar problem in AGH, and even then only because I received a fantastic tip in the firstmost-linked thread.

windsurf-bot[bot]
windsurf-bot bot reviewed Jul 6, 2025
View reviewed changes
Copy link

@windsurf-bot windsurf-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 To request another review, post a new comment with "/windsurf-review".

internal/cmd/args.go
},
dns64Idx: {
description: "If specified, dnsproxy will act as a DNS64 server.",
description: "If specified, dnsproxy will act as a DNS64 (a.k.a. NAT64) server. This is a really bad idea to do on public or out-of-house, as it will break large parts of the internet on IPv6 clients in such circumstances.",
Copy link

@windsurf-bot windsurf-bot bot Jul 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The updated description correctly warns about potential issues with DNS64, but there's a technical inaccuracy. DNS64 is not the same as NAT64 - DNS64 is a DNS server feature that synthesizes AAAA records from A records, while NAT64 is a network address translation mechanism that allows IPv6-only clients to communicate with IPv4-only servers. They work together but serve different functions.

README.md
YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.
--dns64
If specified, dnsproxy will act as a DNS64 server.
If specified, dnsproxy will act as a DNS64 (a.k.a. NAT64) server. This is a really bad idea to do on public or out-of-house, as it will break large parts of the internet on IPv6 clients in such circumstances.
Copy link

@windsurf-bot windsurf-bot bot Jul 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The warning about DNS64 breaking things is valuable, but could be more precise. DNS64 doesn't break IPv6 sites directly - rather, when used incorrectly (especially on public networks), it can prevent IPv6 clients from properly accessing IPv6-only resources. Consider clarifying this technical distinction to help users better understand the specific risk.

Copy link
Member Author

@DandelionSprout DandelionSprout Jul 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm much too old and/or young to expect the meteoric rise in AI tools' coding skills in the past 6 months or so, but you seem to be pretty correct in your explanation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@windsurf-bot windsurf-bot[bot] windsurf-bot[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DandelionSprout