pfSense

We create default filter rules to prevent the NAT64 translation for reserved IPv4 addresses. For example, a request to 64:ff9b::a00:1 will not be translated to 10.0.0.1. These rules are required for RFC compliance. Though the translation itself is prevented, DNS64 replies with the translated reserved address. This results in unnecessary traffic and potential timeouts for the client. To resolve this, we can use the respip unbound module to omit these reserved addresses from the answer to client AAAA queries.