Using NAT during a DNS server or network device transition

My original DNS server will be phased out soon (IP address 10.1.0.1). I have my new DNS server (AD integrated) set up on another segment (IP address 10.2.0.1). Therefore, I have to update the DNS IP address on every one of my network devices to the new DNS IP address. This is very time-consuming and prone to error and omission.

Alternatively, we can use NAT to redirect all DNS requests destined for my old DNS server to my new DNS server.

I have done some research on the following approaches:

Cisco Way

Juniper ScreenOS - NAT

I cannot use the Cisco way because I have only a Layer 3 switch that does not support the ip nat command (a Cisco 4507 with a Sup 6-E supervisor).

I have an SSG550 running ScreenOS 6.2.0 (r5.0). There are many ways to accomplish the task. I followed KB4740 to successfully NAT my new DNS server. (Trick: for step 9, you need to wait for the service to go from “Down” to “OK” before proceeding. The wait may be anywhere from half a minute to 3 minutes.)
Alternatively, I chose to use VIP + DNAT + SNAT to accomplish my task:
  1. Shut down the old server (to prevent an IP address conflict)
  2. Log in to the NetScreen admin interface
  3. Go to Network – Interfaces
  4. Edit the corresponding interface (the interface your old DNS server sits on)
  5. Click “VIP”
  6. Enter the old server IP address as the Virtual IP address, then click the “Add” button
  7. Go to Policy – Policies
  8. Select the appropriate zones (in my case: From Trust to Trust). This assumes the new and old servers are in the same security zone but in different VLANs.
  9. Click New
  10. Enter Source Address = Any
  11. Enter Destination Address = your old server IP
  12. For Service, select either DNS only or ANY
  13. Click “Advanced” for the NAT options
  14. Enable both Source Translation and Destination Translation
  15. Enter the new IP address in “Translate to IP”
  16. Click OK to save. A new policy is added.

You can verify your setup with NSLOOKUP.
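As an added check to go with the nslookup verification (example code, not part of the original post): this Python script builds a raw DNS A query, parses the reply while checking that the transaction ID matches, and lets you confirm that a query sent to the old address 10.1.0.1 (now the VIP) returns the same records as one sent straight to the new server 10.2.0.1. The name host.example.test, the address 10.2.0.50 and the sample response bytes are constructed here so the parser can be exercised offline.

```python
import socket
import struct

def build_query(name, qid):
    """Minimal DNS A query (RD set) for name with transaction ID qid."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(resp, off):
    """Offset just past a domain name, handling RFC 1035 compression pointers."""
    while resp[off]:                      # labels until the zero terminator
        if resp[off] & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + resp[off]
    return off + 1

def parse_a_records(resp, qid):
    """Sorted A-record addresses from a response; rejects ID mismatch and errors."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("response ID %#x != query ID %#x" % (rid, qid))
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off + 10:off + 14]))
        off += 10 + rdlen
    return sorted(addrs)

def resolve(server_ip, name, qid=0x1234, timeout=3.0):
    """Live lookup over UDP/53; the fixed default ID keeps runs reproducible."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server_ip, 53))
        resp, _ = s.recvfrom(512)
    return parse_a_records(resp, qid)

# Constructed sample response (not a real capture): host.example.test -> 10.2.0.50
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x04host\x07example\x04test\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([10, 2, 0, 50])
)
```

From a client in the Trust zone, compare `resolve("10.1.0.1", name)` with `resolve("10.2.0.1", name)` for a record the new server is authoritative for; a timeout or a differing answer on the old address means the VIP policy is not matching the traffic.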
