Jeff Roberts
RHCE #804006066322833
My IMDB profile (read my About Me section for more info)
Vim-Fu is now iPhone and Android friendly

Check out the Vim-Fu Store!

Vim-Fu

Realtime tech news

Cisco's DNS Rewrite - My new best friend

I recently completed a compound project at work that included getting rid of an old firewall/router and installing a Cisco 5510 into one our company’s offices to use as a primary firewall and VPN concentrator. To save the company some money, I was also tasked with migrating an existing machine, which happened to be a xen instance running in Appnexus’s cloud, onto a physical box housed in the office also running several other Xen instances. The migration was a interesting project on it’s own and will be the subject of a blog post shortly, time permitting. Suffice it to say, things went well overall and the machine was successfully migrated.  The machine has been home to the company’s public code repo for the last two years and must be kept accessible from the outside as well as by engineers on the inside network, but the DOM0 was not in the DMZ and this instance was the only instance that needed public access so I wasn’t going to move it there.  Instead I decided to put the box on our local network and build a static NAT to the outside.  But this provided a slightly awkward situation in regards to DNS.

Let’s say the inside network is known as inside.company.org and the repos box is known to all as repos.company.org.  Obviously we need to provide a DNS entry in the inside tables so that staff can access the box by name, but what name should they use?  The box previously known as repos.company.org, now becomes repos.inside.company.org, since that’s all the inside DNS server is authoritative for.  I can leave it as repos.company.org and put an entry in the DNS server for company.org but it obviously can’t have the internal IP, or no one from the outside will be able to access it.  So what next?  Two names for the same machine, one for use from the outside the other for when you are in the office – Yuk!  Even if the engineers would agree to use two names (they wouldn’t), I’d never be happy with it.  I could have setup a Split Horizon dns scheme, also called a DNS View but come to find out, the ASA had a beautiful solution to my problem just waiting to be switched on.

When using a static NAT (not PAT )

static (inside,outside) repos-ext repos-int netmask 255.255.255.255

Cisco has added a very clever feature. The DNS rewrite option, also know as “DNS Doctoring”, looks like this:

static (inside,outside) repos-ext repos-int netmask 255.255.255.255 dns

(note the unassuming “dns” at the end of the line)

The ASA device is inspecting every packet already, right? That’s what it does.  So when DNS Rewrite is turned on for a Static NAT, it simply watches for any DNS lookups on the target of the static NAT and replaces the external IP address in the answer portion of the lookup with the inside IP of the host.

To test it:

From the outside:

jeff-robertss-macbook-pro:~ jroberts$ dig @4.2.2.2 repos.company.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> @4.2.2.2 repos.company.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44840
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;repos.company.org.           IN      A

;; ANSWER SECTION:
repos.company.org.    300     IN      A       XXX.XX.XXX.XX

;; Query time: 89 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sat Feb  6 09:59:56 2010
;; MSG SIZE  rcvd: 53

Querying the same Name Server from the inside:

[jroberts@INSIDEHOST ~]$ dig @4.2.2.2 repos.company.org

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.1 <<>> @4.2.2.2 repos.company.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3528
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;repos.company.org.           IN      A

;; ANSWER SECTION:
repos.company.org.    300     IN      A       192.168.0.16

;; Query time: 96 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sat Feb  6 10:00:03 2010
;; MSG SIZE  rcvd: 53

Problem solved!

This is one of those magical solutions that works as advertised.  I wish they weren’t so rare.

DNS Rewriting is a simple and elegant solution that can save you time and energy. You can read more about it on Cisco’s website.

February 6th, 2010 | Category: SysAdmin | Leave a comment

Bulk adding users to Google Apps Premier

My company is making a small jump from Google Apps Standard this morning to the Premier service, but because we are taking the opportunity to change the domain name, we are forced to do a migration.  This is really not a big deal compared to the mail migrations I have done in the past, in fact it’s minor.  I have learned however that mail always needs lots of attention or else it will bite you.

I have to add about sixty users to Gmail, so I worked up a CSV file with username, first, last and temporary password fields the latter of which I pasted randomly generated passwords from PerfectPasswords.  This list will get uploaded to Google to create all the new account and set the temp passwords, but there is no service to then email the old accounts and provide this info to the user.  So I knocked up a little perl script to parse the csv file,  which I called ‘output.csv’ (the output from my awk script that I used to create it) and email each person in the list and give them their credentials. here is the script:

#!/usr/bin/perl
use strict;
use Net::SMTP;

read_file();

exit;

sub read_file
{
    open(FILE, "output.csv") or die("Unable to open file");
    my @data = <FILE>;
    for my $lines (@data) {
        chomp($lines);
        if($lines =~ m/^Username/) {
            next
        }
        my @line = split (',', $lines);
        email_report(@line);
    }
    close(FILE);
}

sub email_report
{
   my ($uname,$first,$last,$passwd) = @_;

   my $email_address = "$uname\@yourdomain.org";
 

   my $smtp = Net::SMTP->new("mailsrv.yourdomain.org",
                       Hello => 'sending.serverdomain.org',
                       Timeout => 60);
   $smtp->mail("from_address\@yourdomain.org");
   $smtp->recipient("$email_address");
   $smtp->to("$email_address");
   $smtp->data;
   $smtp->datasend("From: from_address\@yourdomain.org\n");
   $smtp->datasend("To: $email_address\n");
   $smtp->datasend("Subject: !! Important !! New Email Account Information\n");
   $smtp->datasend("\n");
   $smtp->datasend("New email day is here!\n");
   $smtp->datasend("Your email is going to your new account \"\@newdomain.org\".\n");
   $smtp->datasend("Below is how you log into your account for the first time. Please take time to do this now. \n");
   $smtp->datasend("\n");
   $smtp->datasend("Click the link below\n");
   $smtp->datasend("http://mail.google.com/a/newdomain.org\n");  
   $smtp->datasend("Your Username is: $uname\n");
   $smtp->datasend("Your Temporarry Password is: $passwd\n");
   $smtp->datasend("Your new email address is: $name@newdomain.org\n");
   $smtp->datasend("If the information above is incorrect or you have trouble logging in see a Mail Team member.\n");
   $smtp->dataend;
   $smtp->quit;
}
January 22nd, 2010 | Category: SysAdmin | Leave a comment

Great iPhone app for regex testing.

This is a great little utility to have on your iPhone.  It’s called Regexen and it is a tool that allows you to enter some text, and then cook up a regex that will match it.  You can then mail it out to your own email account or a co-worker.  It also has a handy regex cheat sheet.  The app is only $.99 and, in my opinion, well worth it.   http://majestysoftware.com/Regexen.shtml

regexn

November 7th, 2009 | Category: SysAdmin | Leave a comment

Converting from Apache to Nginx

I’ve decided to migrate Vim-Fu.com (WordPress) from Apache to Nginx for a couple of [...]

October 17th, 2009 | Category: SysAdmin | Leave a comment

A Scalable DNS scheme for Amazon's EC2 Cloud

We are gearing up for the “next phase” release of our EC2 deployment and I’ve taken the opportunity to re-think the scheme based on my experiences over the last 8 or so months of using EC2. I have come up with something that is FAR better in my [...]

September 19th, 2009 | Category: EC2 Related | 4 comments

editing remote files

This is a pretty cool little feature.  I am not sure how often it will come into play, but I like it and I thought I would share it.

To edit a file on a remote machine that you have ssh access to, do this:

vim scp://remote_host/filename

Simple as that. Supported protocols are: scp, sftp, ftp and http [...]

August 28th, 2009 | Category: Vim Tricks | Leave a comment

using macros in VIM

Repetitive tasks can be annoying and are easily mitigated using the macro functionality in VIM.

For our simple example, let’s count 1 to 10 with each number on a new line.  This will make use of the Auto-increment functionality, discussed in a previous post entitled increment/decrement numbers in VIM, which is CTRL-a and yy, which yanks the [...]

August 22nd, 2009 | Category: Vim Tricks | One comment

editing a bash command from the CLI using VIM

Ever have a very long shell command that when you run you realize has a mistake right in the [...]

August 12th, 2009 | Category: SysAdmin, Vim Tricks | 3 comments

selecting and writing out a portion of a file

Selecting and writing out a portion of a file into another one, or acting on it in some other way is a very handy thing to know how to do in VIM. There are many actions that you can perform, which will save you loads of time, if you just know some basics about [...]

August 1st, 2009 | Category: SysAdmin, Vim Tricks | Leave a comment

commenting out multiple lines in vim

Visual block mode is a great tool when commenting out a section of code, large or small, all at once.

Look at this section of code from a script I am writing. Let’s say I wanted to comment out everything you see.

I start with my cursor on the “%” and enter visual [...]

August 1st, 2009 | Category: Vim Tricks | Leave a comment
 
  Older Entries »