totd - DNS proxy and translator for IPv6 and IPv4
totd [-6] [-no6] [-4] [-no4] [-64] [-d<n>] [-p <prefix>] [-c <configfile>] [-u <user>] [-g <group>] [-t <dir>] [-q] [-v] [-h]
Totd is a small DNS proxy nameserver. Its main purpose is to support IPv6-only hosts/networks that communicate with the IPv4 world using some network or transport level translation mechanism, like NAT-PT or faithd(8). In addition, it has some other useful tricks and features one might fancy in a DNS proxy. Note that totd needs to be able to forward requests to a real nameserver (called a forwarder), in order to be useful.
Totd can be configured using commandline options, via its configuration file or even dynamically via HTTP requests (only if support for this has been added at compile time).
If you want to run totd on a privileged port, e.g. the default port 53, you either have to run totd as root or start it as root but let it switch to another user and group after it has opened the sockets it needs (see the -u and -g options). In the former case, totd is able to rescan the interface list and deal with interface and address changes on the fly. In the latter case, totd will not be able to rescan interfaces and react to such changes, but needs to be restarted to handle them.
In the totd config file the first word is a keyword and it is followed by a value and/or one or more attributes or optional values. Stuff between square brackets `[' and `]' below is optional, while stuff between hooks `<' and `>' signifies a value you supply. (Neither the square brackets nor the hooks are meant to be in the config file.)
The following keywords are valid in the totd config file:
When support for it is compiled into totd and totd is started with the http-port commandline option, the following URLs can be requested from totd (at the specified port, say 6464):
Of course, you choose your own values for the prefix to add or delete. Note that if your network cannot be considered secure, it may be appropriate to let totd listen only on localhost for http requests (and use ssh tunneling for remote access). Basic http authentication could easily be supported, but we do not see much value in that. HTTPS support is more complicated and I currently do not believe it adds much over using ssh.
Totd is just a DNS proxy; it does not answer queries itself. It can only forward queries to a real nameserver. If multiple forwarders are specified, it will use them in the order listed. When a nameserver is or becomes unreachable, totd will use the next nameserver in line. After the retry interval has elapsed, totd will switch back to the previous nameserver. If that nameserver is still unreachable, it uses the next nameserver in the config file again. You may see totd switch to backup nameservers for no apparent good reason, as totd is not very good at discriminating between an unreachable or malfunctioning nameserver and a single query that returns erroneous results or is simply delayed a lot.
(If the second nameserver is also unreachable and a third is specified, this sequence repeats itself.)
Totd can treat each AAAA and A6 type query in a special way. This behaviour is enabled when one or more prefixes are configured (on the commandline or with the `prefix' keyword in the config file). It is meant to support network and transport level IPv6 to IPv4 transition mechanisms, like NAT-PT and faith.
If the nameserver does not return an IPv6 address for the forwarded AAAA/A6 query, totd will make a second query, this time for an A record of the hostname in the original query. The resulting IPv4 address is then used to construct a fake IPv6 address by replacing the lower 32 bits of the specified prefix with this IPv4 address. The resulting IPv6 address is sent as the response to the original AAAA/A6 record query.
In addition, totd treats PTR type queries (reverse name lookup) in the ip6.int. domain specially. If the query matches a specified prefix, totd will forward a PTR query for an IPv4 address (using the lower 32 bits of the address to construct an IPv4 address) instead and use that to construct a faked response to the original PTR query.
If multiple prefixes are configured, totd will cycle through them in round-robin fashion. In this way totd can balance the load over multiple NAT-PT/faithd(8) translators in a network.
To enable the 6to4 PTR query translation trick, add the `stf' keyword to your totd config file. 6to4 reverse lookup is based on draft-moore-6to4-dns-00.txt, section 3.3:
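The address construction described above, as an added illustration that is not totd's own code: synthesizing the fake AAAA answer from a translator prefix and an A record, recognizing ip6.int. PTR targets that fall under a configured prefix and mapping them to the in-addr.arpa. name to forward instead, and round-robin choice among several prefixes. The prefix 3ffe:501:ffff:: and the address 192.0.2.1 are constructed sample values.

```python
import ipaddress
from itertools import cycle

LOW32 = 0xFFFFFFFF  # the IPv4 address lives in the low 32 bits of the /96 prefix

def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Fake AAAA answer: the prefix with its low 32 bits replaced by the A record."""
    high = int(ipaddress.IPv6Address(prefix)) & ~LOW32
    return str(ipaddress.IPv6Address(high | int(ipaddress.IPv4Address(ipv4))))

def ip6int_name(addr: str) -> str:
    """Nibble-format reverse name under ip6.int. for an IPv6 address."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.int."

def parse_ip6int_name(qname: str):
    """Inverse of ip6int_name(); None when qname is not a well-formed ip6.int. name."""
    labels = qname.lower().rstrip(".").split(".")
    nibbles, suffix = labels[:-2], labels[-2:]
    if suffix != ["ip6", "int"] or len(nibbles) != 32:
        return None
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        return None
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def translate_ptr(qname: str, prefixes):
    """If the PTR target lies under a configured prefix, return the IPv4 reverse
    name to forward instead; None means the PTR query is forwarded unchanged."""
    addr = parse_ip6int_name(qname)
    if addr is None:
        return None
    for prefix in prefixes:
        if int(addr) & ~LOW32 == int(ipaddress.IPv6Address(prefix)) & ~LOW32:
            return ipaddress.IPv4Address(int(addr) & LOW32).reverse_pointer + "."
    return None

class PrefixRotor:
    """Round-robin choice among several translator prefixes (constructed helper)."""
    def __init__(self, prefixes):
        self._next = cycle(prefixes)

    def pick(self) -> str:
        return next(self._next)

if __name__ == "__main__":
    # Constructed sample values: translator prefix 3ffe:501:ffff::, A answer 192.0.2.1.
    print(synthesize_aaaa("3ffe:501:ffff::", "192.0.2.1"))  # 3ffe:501:ffff::c000:201
    print(translate_ptr(ip6int_name("3ffe:501:ffff::c000:201"), ["3ffe:501:ffff::"]))
```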
Totd supports re-writing of scoped addresses in DNS responses. This technique allows usage of scoped addresses like site-local addresses, without having to maintain such addresses in a DNS database. Instead, totd derives the scoped address record from the global address record it does find in DNS.
Totd only performs this trick on queries that stay within the specified scope. I.e. if the query is made from a scoped source address (link-local unicast or site-local unicast) and the query's target address (totd's listening address) is also a scoped address, totd attaches additional AAAA records converted using the 3 arguments of the scoped keyword.
When you configure as below in totd config file:
and you make a query from a scoped source to totd's scoped destination, and the result has the following record:
it will get additional records as follows:
Reverse query for fec0::9876:5432 will be converted into 3ffe:501:ffff::9876:5432 and forwarded to the real DNS servers.
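The scoped-address rewriting described above, as an added illustration that is not totd's own code. The page does not spell out the three arguments of the scoped keyword, so this example assumes they are a scoped prefix, the global prefix it maps to, and a common prefix length (48 here, chosen to fit the fec0::9876:5432 and 3ffe:501:ffff::9876:5432 pair in the text); the scope check and the prefix lengths are assumptions.

```python
import ipaddress

# Assumed form of the three scoped-keyword arguments (not stated on the page):
# scoped prefix, global prefix it is derived from, and the prefix length in bits.
SCOPED_PREFIX, GLOBAL_PREFIX, PREFIX_LEN = "fec0::", "3ffe:501:ffff::", 48

def is_scoped(addr: str) -> bool:
    """Link-local unicast (fe80::/10) or site-local unicast (fec0::/10)."""
    a = ipaddress.IPv6Address(addr)
    return a.is_link_local or a.is_site_local

def swap_prefix(addr: str, old: str, new: str, plen: int):
    """Keep the host part (bits below plen) of addr, replace the old prefix with new.
    Returns None when addr is not under the old prefix."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network((old, plen)):
        return None
    host_mask = (1 << (128 - plen)) - 1
    new_net = int(ipaddress.IPv6Address(new)) & ~host_mask
    return str(ipaddress.IPv6Address(new_net | (int(a) & host_mask)))

def extra_aaaa(src: str, dst: str, aaaa_records):
    """Records attached to the response: the scoped twin of each global AAAA record,
    but only when both the query source and totd's listening address are scoped."""
    if not (is_scoped(src) and is_scoped(dst)):
        return []
    extra = []
    for rec in aaaa_records:
        scoped = swap_prefix(rec, GLOBAL_PREFIX, SCOPED_PREFIX, PREFIX_LEN)
        if scoped is not None:  # records outside the global prefix are left alone
            extra.append(scoped)
    return extra

def rewrite_reverse_target(addr: str) -> str:
    """Reverse query target fec0::9876:5432 becomes 3ffe:501:ffff::9876:5432
    before the PTR query is forwarded to the real nameservers."""
    return swap_prefix(addr, SCOPED_PREFIX, GLOBAL_PREFIX, PREFIX_LEN) or addr
```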
The Kame project provided network (NAT-PT) and transport (faithd) level translators for the *BSD operating systems, see e.g. http://www.kame.net for more information.
Another transport level translator is 'The Portable Transport Relay Translator Daemon (pTRTd)' which supports Linux amongst others, see http://v6web.litech.org/ptrtd/
Feike W. Dillema <feico at pasta.cs.uit.no>
Thanks to 6Net (EU project IST-2001-32603), http://www.6net.org/
faithd(8) natptd(8) natptconfig(8) stf(4)