On-the-fly Dynamic DNS Doctoring (Rewrite) for a 1-to-1 NAT using PowerDNS Recursor

-



The Problem

Corporate mergers and IP address scheme reallocation can be a major pain point, especially when you have legacy systems that cannot have their network settings modified. One solution is to preserve the legacy network and use a 1:1 NAT to remap the entire network to a new IP space. While this solution resolves IP conflicts, it causes problems when you still need to route traffic to that subnet from systems outside of that network. The responses from the DNS servers on the re-mapped network are responding with the original set of IP addresses and so your traffic will end up going to the wrong destination. 

Bad Solutions

The most common solution is to maintain a hosts file or setup a stub zone that you manually maintain. The downside of this is that it is a lot of work. The other downside of this is that you now have multiple locations in which to maintain DNS updates and it will break anything that relies on dynamic DNS updates. The end result of this is all the headaches of split-horizon DNS as well as the inability to manage dynamic DNS records.


A Less Bad Solution


So how do we overcome dynamic DNS updates? My solution is to translate DNS replies as they come across the wire. This is not packet interception, rather using a intermediate DNS server as a conditional forwarder for the target domain. This will not work on DNSSec and I have only implemented A-Record modifications.

As an overview of the lookup process, see the below graphic:
An overview of the lookup process

I turned to PowerDNS Recursor because of its Lua script hooks. This allow PowerDNS to intelligently match and modify DNS A records from predefined ranges. In the example above, The Fabrikam.com DNS server has a conditional forward for mte.contoso.com to the PowerDNS server. That server will in-turn conditionally forward mte.contoso.com lookups to the mte.contoso.com DNS servers. If the reply for a result matches criteria specified in the Lua script, PowerDNS will rewrite the response that it then delivers to the Fabrikam.com DNS server.

PowerDNS Logs as record translations occur

This embedded Lua script will perform the modifications as discussed. Simply drop it into your working PowerDNS Recursor, modify the constraints for your environment, and go.




Comments

Post a Comment

Popular posts from this blog

Sierra Wireless LTE Modem Guide: Automated Flashing of the EM7455/MC7455 with a Ubuntu Linux 18.04 LiveCD

-
Image
I've written a bash script to automate the entire process of setting up any of the EM/MC74XX series modems (Generic, Dell, Lenovo). This assumes you have the Sierra card inserted into a USB enclosure. This post is part of my Sierra Wireless LTE Modem Guide Series . If you prefer to skip the blog nature of these guides and just grab the bare features and commands, my  GitHub repository  will serve as the authoritative source for this entire series. Any changes or updates will occur there first. From the script description: - Only for use on Ubuntu 18.04 LTS LiveUSB - All Needed Packages will Auto-Install - Sets MBIM Mode with AT Commands Access - Changes all models of EM74XX/MC74XX Modems to the Generic Sierra Wireless VID/PID - Clears Band Restrictions and Places Modem in LTE only mode. - Flashes the Current Generic Firmware as of 2018-07-18 Link to script: https://github.com/danielewood/sierra-wireless-modems/blob/master/autoflash-7455.sh If you are feeling bra
Read more

Installing OpenWRT/ROOter on a RBM33G/RBM11G

-
Image
Installing OpenWRT/ROOter on a RBM33G/RBM11G Download the latest ROOter for the RBM33G Putty portable tftpd64 portable Extract all of the above to:  C:\Users\Public\Downloads Setup Network Interface connected to RBM33G/RMB11G POE port: IP: 192.168.1.2 Mask: 255.255.255.0 Gateway: 192.168.1.1 DNS1: 192.168.1.1 Disable Windows Firewall From an administrator command prompt: NetSh Advfirewall set allprofiles state off Configure and start tftpd32/64 Option 1: Overwrite tftpd32.ini with  this one  and start tftpd64. Change the BootFile name if needed. Option 2: Use screenshots for the settings, restart tftpd64 after you make your changes Open Putty to the COM port of your USB to Serial Adapter with a baud rate of 115200 Plug in/powercycle your router, press any key within 2 seconds to enter setup. Boot from the network by pressing the following key sequence: o - boot options e - ethernet o - boot options b - boot
Read more

Resetting and Upgrading the APC AP9606 NMC

-
The APC AP9606 is a very old NMC for the Smart-UPS line. They go for under $10 each on ebay and are great for use on an isolated VLAN for SNMP alerts and actions. Their network interface is only 10BaseT, but that is a non-issue for the purpose they serve and they work without issue on most gigabit switches. General Notes The default username/password is apc/apc. The AP9606 does not support DHCP, it supports only Static IP addresses or BOOTP. Setting the time on the AP9606 is broken on both the WebUI and on Telnet. If you discover how to successfully set a date and time, I will accept pull requests to this document. Unauthenticated SMTP Mail alerts work with GSuite SMTP Relay, as long as you have whitelisted your WAN IP. Discover/Reset IP Address Connect to the same layer 2 network as a PC. Use Wireshark and filter for:  eth.src[0:3]==00:c0:b7 Reset the AP9606 (hold reset button for 2-3 seconds) After about 30 seconds, you will see the AP9606 doing ARP lookups.
Read more