There are times when two networks are joined together and network address translation (NAT) is in use. For computers on one side to reach hosts on the other side, some mechanism is needed to translate the host names into the translated (post-NAT) IP addresses rather than the addresses the hosts actually carry.
Typically, this problem is solved with a HOSTS file. While convenient for a quick fix, it is difficult to manage (since it is local to each computer) and only provides the equivalent of the DNS A and CNAME record types. Usually those records are sufficient, but the SRV record type is also required by applications such as Microsoft Active Directory, Microsoft Office Communications Server, and others.
Therefore, there is a need to translate DNS zone information from one side of the NAT to the other. By publishing it into the DNS on the far side of the NAT, it is centrally managed and maintained. Since a firewall change (or at least a router change) is typically needed to NAT new systems, that change is an excellent opportunity to regenerate the DNS zone translation file and upload it to the far side.
To solve this problem, I’ve created a script called DNSZoneXlate.wsf. This VBScript file will take in a few parameters along with a zone translation matrix file and produce a batch file that can be run on a server on the far side to create the proper zone data in the remote DNS.
Here’s how it gets used:
cscript.exe DNSZoneXlate.wsf /server:DNSserver /zone:zoneName [/xlate:translateFile] [/ad] [/includeall]
Parameters:
- /server:DNSserver – The local DNS server from which zone data is obtained. It can be a resolvable server name or an IP address.
- /zone:zoneName – The fully qualified name of the zone to be exported. It must be the actual root of a zone, not a subdomain within a zone. The easiest way to tell is that it appears as a top-level folder under Forward Lookup Zones in the DNS Manager tool.
- /xlate:translateFile – The translation matrix file. If it is omitted, no address translation occurs, and the /ad and/or /includeall switch must be given.
- /ad – Include the Active Directory specific DNS entries (such as the SRV records) in the output. This assumes that the zone specified is the same as the Active Directory domain being exported (and not a subdomain of it).
- /includeall – Include every record found in the zone in the output, even records that are not selected by the translation matrix or by the /ad switch.
Remarks:
The zone translation matrix is a simple text file with rows in one of four formats:
- ; Comment Line
A line with a semicolon as its first character is treated as a comment and is otherwise ignored.
- old_ip<TAB>new_ip[<TAB>Comment/ignored data]
A basic IP-to-IP translation. Any time the script finds an A record referencing the old IP address, it is written out as an A record with the new IP address.
- old_subnet<TAB>*new_subnet<TAB>bitmasklength[<TAB>Comment/ignored data]
The more complex translation line. It allows wholesale translation of an entire subnet on one side of the NAT to a different subnet on the other side. The key identifier is the asterisk in front of new_subnet. bitmasklength is a single number giving the length of the subnet mask in bits (i.e., 24, not 255.255.255.0). Any A record with an address in the old subnet is translated, one for one, to the address with the same host part in the new subnet. This is useful when whole blocks of addresses are let through the firewall, with or without translation.
- old_ip<TAB>-[<TAB>Comment/ignored data]
An exclusion. The key identifier is the dash as the second field. It is useful for keeping an address from making it over when the /ad switch is set (for example, a domain controller that is part of the domain but not exposed through the NAT) or when a subnet translation line would otherwise match it.
Here’s an example of the translation file:
; This is a sample translation file.
; These first lines are ignored as comments.
;
172.16.10.125	10.110.60.101	This is a server being passed through
10.90.10.0	*10.110.61.0	24	This is a subnet range being translated
10.90.10.125	-	This IP address is excluded from appearing through
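As an added example (this is not the DNSZoneXlate.wsf script, which is VBScript, nor any code from its author), here is a Python implementation of the translation matrix format described above. It parses the four line formats, applies them to a constructed set of A records, and renders the surviving records as dnscmd /RecordAdd commands for the far-side server. The precedence between exclusion, exact and subnet lines, the dnscmd output form, and the server, zone and host names are assumptions made for the example; the page does not state them.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample matrix in the page's format: fields are TAB separated,
# ';' starts a comment, '*' marks a subnet line, '-' marks an exclusion.
SAMPLE_MATRIX = "\n".join([
    "; This is a sample translation file.",
    "; These first lines are ignored as comments.",
    ";",
    "172.16.10.125\t10.110.60.101\tThis is a server being passed through",
    "10.90.10.0\t*10.110.61.0\t24\tThis is a subnet range being translated",
    "10.90.10.125\t-\tThis IP address is excluded from appearing through",
])

# Constructed A records standing in for what the script reads from the local
# zone (hypothetical host names, not from the page).
SAMPLE_A_RECORDS = [
    ("web01", "172.16.10.125"),  # matched by the exact IP line
    ("app03", "10.90.10.3"),     # inside the translated /24
    ("dc02", "10.90.10.125"),    # inside the /24 but explicitly excluded
    ("lab01", "192.168.5.7"),    # matches nothing
]


@dataclass
class XlateMatrix:
    exact: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = field(default_factory=dict)
    subnets: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]] = field(default_factory=list)
    excluded: Set[ipaddress.IPv4Address] = field(default_factory=set)


def parse_matrix(text: str) -> XlateMatrix:
    """Parse the four line formats; anything else is rejected with a line number."""
    m = XlateMatrix()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith(";"):
            continue  # blank (assumed ignorable) or comment line
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"line {lineno}: expected at least two TAB-separated fields")
        old, new = fields[0], fields[1]
        if new == "-":
            m.excluded.add(ipaddress.IPv4Address(old))
        elif new.startswith("*"):
            if len(fields) < 3 or not fields[2].isdigit():
                raise ValueError(f"line {lineno}: subnet line needs a numeric bitmasklength")
            bits = int(fields[2])
            # strict=False tolerates host bits in either subnet field.
            old_net = ipaddress.IPv4Network(f"{old}/{bits}", strict=False)
            new_net = ipaddress.IPv4Network(f"{new[1:]}/{bits}", strict=False)
            m.subnets.append((old_net, new_net))
        else:
            m.exact[ipaddress.IPv4Address(old)] = ipaddress.IPv4Address(new)
    return m


def translate_ip(m: XlateMatrix, ip: str, include_all: bool = False) -> Optional[str]:
    """Return the far-side address for ip, or None if the record must be dropped.

    Precedence is an assumption for this example, chosen so an exclusion always
    wins: exclusion, then exact IP line, then subnet line, then pass-through
    only when include_all is set.
    """
    addr = ipaddress.IPv4Address(ip)
    if addr in m.excluded:
        return None
    if addr in m.exact:
        return str(m.exact[addr])
    for old_net, new_net in m.subnets:
        if addr in old_net:
            # One-for-one mapping: keep the host part, swap the network part.
            host_part = int(addr) - int(old_net.network_address)
            return str(ipaddress.IPv4Address(int(new_net.network_address) + host_part))
    return ip if include_all else None


def translate_records(m: XlateMatrix, records: List[Tuple[str, str]],
                      include_all: bool = False) -> List[Tuple[str, str]]:
    """Apply the matrix to (name, ip) A records, dropping records that map to None."""
    out = []
    for name, ip in records:
        new_ip = translate_ip(m, ip, include_all)
        if new_ip is not None:
            out.append((name, new_ip))
    return out


def batch_lines(server: str, zone: str, records: List[Tuple[str, str]]) -> List[str]:
    """Render A records as dnscmd /RecordAdd commands (assumed output form)."""
    return [f"dnscmd {server} /RecordAdd {zone} {name} A {ip}" for name, ip in records]


if __name__ == "__main__":
    matrix = parse_matrix(SAMPLE_MATRIX)
    translated = translate_records(matrix, SAMPLE_A_RECORDS)
    for line in batch_lines("remote-dns", "corp.example.com", translated):
        print(line)
```

Two points are worth checking before running anything this produces on the far side: the excluded domain controller (dc02 above) must stay out of the output even though its address sits inside a translated subnet, since publishing it would advertise a host the firewall does not expose; and without /includeall an unmatched record is silently dropped, so a diff of the generated batch against the records you expect is the cheapest sanity check.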
Right-click and save the DNSZoneXlate file.