IPv6 Router Advertisement for DNS Configuration

Neighbor Discovery Protocol (NDP) functions for IPv6 in a capacity similar to ARP for IPv4. The firewall implementation of Neighbor Discovery (ND) allows you to provision IPv6 hosts with the Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) Options. You configure these DNS Options on the firewall so the firewall can provision your IPv6 hosts; therefore you don’t need a separate DHCPv6 server to provision the hosts. The firewall sends IPv6 Router Advertisements (RAs) containing these options to IPv6 hosts as part of their DNS configuration to fully provision them to reach internet services. RFC 6106, IPv6 Router Advertisement Options for DNS Configuration, describes the options.
  • Recursive DNS Server Addresses—Recursive DNS refers to the series of DNS requests an RDNS Server makes to resolve a domain name to an IP address. Configure the addresses of RDNS Servers so the firewall can advertise them and thus provision IPv6 hosts with the addresses of RDNS servers that can resolve their DNS queries. A single IPv6 RA uses one RDNS Server Option with multiple addresses that share the same lifetime, or multiple RDNS Server Options with different lifetime values.
  • DNS Search List—Configure a list of domain names (suffixes) that you want to advertise to a DNS client. The firewall thus provisions the DNS client to use the suffixes in its unqualified DNS queries. The DNS client appends the suffixes, one at a time, to an unqualified domain name before entering the name into a DNS query, thereby using a fully qualified domain name (FQDN) in the query. For example, if a user tries to submit a DNS query for the name “quality” without a suffix, the DNS client appends a period and the first DNS suffix from the DNS Search List to the name and transmits a DNS query. If the first DNS suffix on the list is “company.com”, the resulting DNS query is for the FQDN “quality.company.com”.
    If the DNS query fails, the client appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The client uses the DNS suffixes in order until a DNS lookup succeeds (ignoring the remaining suffixes) or the client has tried all suffixes on the list. A single IPv6 RA uses one DNS Search List Option with multiple domain names and the same lifetime, or multiple DNS Search List Options with different lifetimes.
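The two RA options described above, as an added Python example that is not from the PAN-OS documentation: it builds and parses RFC 6106 RDNSS (type 25) and DNSSL (type 31) options, including the 8-octet length units, the shared lifetime, and the zero padding that a receiver must not mistake for an empty search-list entry. The addresses and suffixes are constructed sample values.

```python
import ipaddress
import struct
ND_OPT_RDNSS = 25  # Recursive DNS Server option (RFC 6106 section 5.1)
ND_OPT_DNSSL = 31  # DNS Search List option (RFC 6106 section 5.2)

def encode_rdnss(addresses, lifetime):
    """RDNSS option: 8-octet header (type, length, reserved, lifetime) + 16 octets per address."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    length = 1 + 2 * len(addresses)  # counted in 8-octet units, so always odd and >= 3
    return struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, lifetime) + body

def encode_dnssl(suffixes, lifetime):
    """DNSSL option: same header, then DNS wire-format names zero-padded to an 8-octet boundary."""
    names = b""
    for suffix in suffixes:
        for label in suffix.strip(".").split("."):
            names += bytes([len(label)]) + label.encode("ascii")
        names += b"\x00"  # root label terminates each name
    padded = names + b"\x00" * (-len(names) % 8)
    return struct.pack("!BBHI", ND_OPT_DNSSL, 1 + len(padded) // 8, 0, lifetime) + padded

def decode_names(payload):
    names, labels, pos = [], [], 0
    while pos < len(payload):
        n, pos = payload[pos], pos + 1
        if n:
            labels.append(payload[pos:pos + n].decode("ascii"))
            pos += n
        elif labels:  # root label ends a name; zero octets with no labels are padding
            names.append(".".join(labels))
            labels = []
    return names

def parse_dns_options(data):
    """Walk the ND options of an RA and return (type, lifetime, values) for RDNSS and DNSSL."""
    found, offset = [], 0
    while offset + 8 <= len(data):
        opt_type, length = data[offset], data[offset + 1]
        end = offset + length * 8
        if length == 0 or end > len(data):  # RFC 4861 forbids length 0; reject truncated options
            raise ValueError(f"malformed ND option at offset {offset}")
        lifetime = struct.unpack("!I", data[offset + 4:offset + 8])[0]
        payload = data[offset + 8:end]
        if opt_type == ND_OPT_RDNSS:
            addrs = [str(ipaddress.IPv6Address(payload[i:i + 16])) for i in range(0, len(payload), 16)]
            found.append((opt_type, lifetime, addrs))
        elif opt_type == ND_OPT_DNSSL:
            found.append((opt_type, lifetime, decode_names(payload)))
        offset = end  # other option types (prefix, MTU, ...) are skipped by their length
    return found
```

The parser is useful for checking captured RAs against the RDNS addresses and suffixes you configured on the firewall interface, since any router on the link can send RAs carrying these options.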
The capability of the firewall to send IPv6 RAs for DNS configuration allows the firewall to perform a role similar to DHCP, and is unrelated to the firewall acting as a DNS proxy, DNS client, or DNS server.
  • Configure Layer 3 Interfaces on the firewall to send IPv6 Router Advertisements, and specify the RDNS Server addresses and DNS suffixes for the firewall to advertise from each such interface.
    IPv6 Router Advertisement for DNS Configuration is supported for Ethernet interfaces, subinterfaces, Aggregated Ethernet interfaces, and Layer 3 VLAN interfaces on all PAN-OS firewall models.