Tailscale can't connect to IPv4-only peers over a NAT64 network #11437

Open
@MikeBishop

Description

What is the issue?

On a NAT64 network, the network exposes a special route (generally 64:ff9b::/96) which will be translated to IPv4 addresses as it leaves the network. This is complemented by DNS64, where the DNS server catches AAAA queries for hosts which only have A records and creates AAAA records locally by mapping the content of the A record into the NAT64 prefix.

Protocols where IP addresses are exchanged outside of DNS need to perform the translation themselves. The network-specific prefix can be discovered by making a AAAA query for ipv4only.arpa to the local DNS server. This record will resolve to known IPv4 addresses. If AAAA records are found, the network's NAT64 prefix can be determined, and IPv4 peer addresses can be translated as appropriate.

Steps to reproduce

  • Deploy one Tailscale node on an IPv4-only connection
  • Deploy another node on an IPv6-only connection with NAT64
  • Attempt to establish a connection between the nodes

On the admin console, I can see that the IPv4-only node has published its address (103.100.225.XXX), and from the IPv6 node, I am able to ping the mapped version of this address (64:ff9b::6764:e1XX). However, the clients are connecting via relay, because neither can find the path to the other.

Are there any recent changes that introduced the issue?

No response

OS

No response

OS version

No response

Tailscale version

No response

Other software

No response

Bug report

BUG-bd1b951a2ec893333ec5e52005227e46e626175d67854ba743b8c84929ac1732-20240317062213Z-b80b9e4c2aed746e
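The prefix discovery and address mapping described in this issue, as an added Go example that is not part of the original report and not Tailscale's code. It covers every RFC 6052 prefix length, not only the /96 case mentioned above. The names `Embed` and `DiscoverPrefix` are hypothetical, the AAAA answers for ipv4only.arpa are passed in rather than looked up, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

var (
	wka   = []netip.Addr{netip.MustParseAddr("192.0.0.170"), netip.MustParseAddr("192.0.0.171")} // RFC 7050 well-known addresses
	plens = []int{96, 64, 56, 48, 40, 32}                                                        // RFC 6052 prefix lengths
)

// Embed places v4 inside prefix: octets start at byte plen/8 and skip byte 8 (RFC 6052).
func Embed(prefix netip.Prefix, v4 netip.Addr) (netip.Addr, error) {
	n := prefix.Bits()
	if !v4.Is4() || !prefix.Addr().Is6() || n < 32 || n > 96 || n%8 != 0 || (n > 64 && n < 96) {
		return netip.Addr{}, fmt.Errorf("cannot embed %v in %v", v4, prefix)
	}
	out := prefix.Masked().Addr().As16()
	pos := n / 8
	for _, octet := range v4.As4() {
		if pos == 8 { // reserved "u" octet stays zero
			pos++
		}
		out[pos] = octet
		pos++
	}
	return netip.AddrFrom16(out), nil
}

// DiscoverPrefix finds the NAT64 prefix from the AAAA answers for ipv4only.arpa.
func DiscoverPrefix(answers []netip.Addr) (netip.Prefix, bool) {
	for _, a := range answers {
		for _, n := range plens {
			p := netip.PrefixFrom(a, n).Masked()
			for _, w := range wka {
				if got, err := Embed(p, w); err == nil && got == a {
					return p, true // answer is exactly prefix + well-known address
				}
			}
		}
	}
	return netip.Prefix{}, false // no synthesized answer: no NAT64 on this network
}

func main() {
	p, _ := DiscoverPrefix([]netip.Addr{netip.MustParseAddr("64:ff9b::c000:aa")}) // constructed answer
	fmt.Println(Embed(p, netip.MustParseAddr("192.0.2.33")))                      // constructed peer address
}
```

AAAA answers from a plain DNS64 resolver are unauthenticated, so a client that rewrites peer endpoints this way is trusting the local resolver to name the translator.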
