acvaldez
Staff
February 13, 2026

Technical Tip: NAT64 Packet Flow Overview with FortiGate as DNS64 Provider

Description

This article gives an overview of the NAT64 packet flow with FortiGate functioning as the DNS64 provider.

Scope

FortiGate.
Solution

Diagram for the flow of traffic:

 
NAT64 FLOW TRAFFIC 100.drawio.png

 


 

The diagram shows the NAT64 communication flow in which a FortiGate provides DNS64 and NAT64 services between an IPv6 client network and an IPv4 server.

 

  1. IPv6 Client Initiates Request (Left Side).
  • The client exists in an IPv6-only network (2001:FD8:220C:1::100).
  • The client wants to access a destination using a domain name (server.manila.com).
  • The client sends a DNS query to FortiGate (FortiGate IPv6 address 2001:fd8:220c:1::1/64).

 

  2. DNS64 Resolution (FortiGate – Middle).
  • FortiGate DNS64 queries the real DNS server.
  • If the destination is IPv4-only (A record only):
    • DNS64 synthesizes a fake AAAA record.
    • This AAAA contains:
      • NAT64 prefix (ex: 64:ff9b::/96). In this case, the synthesized AAAA value is 64:ff9b::a2f:22c.
      • Embedded IPv4 address of the server (0a:2f:02:2c is the hexadecimal form of 10.47.2.44).

 

nat64 dns query.png
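
The address mapping described in the DNS64 step, as an added Python example (not part of the original article and not FortiGate code). It goes beyond the /96 case in the text by handling every prefix length defined in RFC 6052, and it reverses the mapping so that a NAT64 destination seen in an IPv6 session list or log can be traced back to the real IPv4 server. The function names and the sample destination list are assumptions made for illustration.

```python
import ipaddress

# RFC 6052 allows only these NAT64 prefix lengths.
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)


def _slots(prefixlen):
    """Byte offsets that carry the IPv4 address; octet 8 is reserved and skipped."""
    if prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{prefixlen} is not an RFC 6052 prefix length")
    return [i for i in range(prefixlen // 8, 16) if i != 8][:4]


def synthesize(prefix, ipv4):
    """Address a DNS64 resolver would place in the synthesized AAAA record."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)
    for slot, byte in zip(_slots(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        out[slot] = byte
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, ipv6):
    """Embedded IPv4 address, or None when ipv6 is outside the NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(bytes(addr.packed[i] for i in _slots(net.prefixlen)))


def annotate(prefix, destinations):
    """Pair each IPv6 destination with the real IPv4 server behind it, if any."""
    return [(d, extract(prefix, d)) for d in destinations]


if __name__ == "__main__":
    PREFIX = "64:ff9b::/96"  # example prefix named in the article
    print(synthesize(PREFIX, "10.47.2.44"))
    # Constructed destination list, as might be read from an IPv6 session table
    for dst, v4 in annotate(PREFIX, ["64:ff9b::a2f:22c", "2001:fd8:220c:1::1"]):
        print(dst, "->", v4 or "native IPv6 (no NAT64)")
```
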

 

The following shows the NATed traffic for the port 80 request toward the IPv4 server:

 

nat64 natted traffic towards v4 server.png

 

The IPv6 session list appears as follows:

 

nat64 v6 session list.png

 

Configuration:

 

DNS64 in FortiGate:

 

NAT64 DNS64 1.png
NAT64 DNS64 2.png

 

NAT64 DNS64 3.png

 

VIP6 configuration for the IPv6 prefix. 

 

nat64 vip6.png

 

Firewall Policy:

 

na64 firewall policy.png