DNS64 AAAA-from-A record synthesis RFC 6147 is used to enable client-server communication between an IPv6-only client and an IPv4-only server. See the well written introduction in the PowerDNS documentation.

DNS64 can be enabled by switching its configuration option to true. By default, the well-known prefix 64:ff9b::/96 is used.

dns64: true

It is also possible to configure own prefix.

  prefix: 2001:db8::aabb:0:0/96


The module currently won’t work well with policy.STUB(). Also, the IPv6 prefix passed in configuration is assumed to be /96.


The A record sub-requests will be DNSSEC secured, but the synthetic AAAA records can’t be. Make sure the last mile between stub and resolver is secure to avoid spoofing.

Advanced options

TTL in CNAME generated in the reverse ip6.arpa. subtree is configurable.

  prefix: 2001:db8:77ff::/96
  ttl-reverse: 300s

You can specify a set of IPv6 subnets that are disallowed in answer. If they appear, they will be replaced by AAAAs generated from As.

  prefix: 2001:db8:3::/96
  exclude: [2001:db8:888::/48, '::ffff/96']

# You could even pass '::/0' to always force using generated AAAAs.

In case you don’t want DNS64 for all clients, you can set dns64 option to false via the views section.

  # disable DNS64 for a subnet
  - subnets: [2001:db8:11::/48]
    tags: [t01]
      dns64: false

dns64: true