Improving the performance and security of the TOTD DNS64 implementation
Keywords: IPv6 deployment, IPv6 transition solutions, Performance analysis, DNS64, TOTD, Security, Cache poisoning attack, Random permutation
The DNS64 and NAT64 IPv6 transition mechanisms are expected to play an important role in the near future: some new clients will not be able to obtain public IPv4 addresses and, having only IPv6 addresses, must still be able to reach servers that have only IPv4 addresses. In our earlier experiments, the TOTD DNS64 implementation showed significantly better average performance than BIND; however, TOTD was not stable, so it has now been carefully tested to find the reason for its strange behavior. Besides a detailed description of the testing method, the bug, and its correction, a security vulnerability is disclosed and a patch is provided. The performance and stability of the modified versions of TOTD are analyzed and compared to those of the original TOTD and BIND.