Video - Configuring DNS in Mac OS X Server 10.6
This is a follow up to my previous post. I had some requests for a screencast, so I made one.
Dec 30 2011, 12:46 PM, vjl (Twitter) responded:
Great video! I have a question, though. What if one is setting up a Mac OS X 10.6 Server behind a NAT router on a connection that has a static IP and a reverse DNS for that hostname?
Eg: I have a server, dargo.vjl.org, which is accessible via a public IP. But it sits behind a router and has a 192.168.0.x address. I'm in the process of setting up this Mac mini to replace a Linux box that is currently behind the router [there are actually several computers behind the router and the router does port forwarding so that certain services are provided by different computers - the Mac mini server will be providing nearly all those services, once I get it installed].
What I had set up was similar to your examples for non-public configurations. Eg: primary zone name of vjl.lan. and the machine name of dargo. But when running some of the tests to confirm things are set up properly, reverse DNS would state [correctly] that the hostname was dargo.vjl.org since that's how everyone outside the 192.168.0.x subnet sees the machine.
To complicate matters more, the Mac mini server is going to provide DNS services [because the ISP's DNS servers are not reliable] to the other 192.168.0.x systems plus a couple that exist outside the NAT router [the connection has 5 static IPs - dargo.vjl.org is one of the 5 hosts, as there is also stark, crichton, etc, but they are not living behind the NAT router]. The Mac mini server will also be a secondary DNS server [ns2.vjl.org] serving name resolution for about 100 domains that are hosted on a co-located server about 50 miles from here [which also runs as ns1.vjl.org - not using BIND9 though, but using tinydns, which means I need to figure out how to send updates/zone transfers to the Mac mini's BIND DNS server].
Anyway, I guess my question is: should I set the primary zone name to vjl.org. and not vjl.lan.? If I do that, will the other 192.168.0.x systems be able to use the Mac mini as a DNS server [and also access the other services, like iCal server, etc, that I wish to run on the Mac mini]?
Thanks for any info you can provide! :)
Dec 30 2011, 9:13 PM, Mike Boylan responded:
Thanks for the comment! Glad you found the video useful.
This type of setup would be the "split-horizon" view of DNS. I would write out a long explanation, but someone has already done that for us (how helpful!) here:
Server Admin uses one default public view of DNS. I always wished for Apple to add a section for creating multiple views within the Server Admin DNS GUI, but alas, they never did. A split-horizon DNS configuration will have to be done at the command line.
I'd recommend picking up a copy of the DNS and BIND book from O'Reilly if you don't have a copy. It's super informative and covers things like split-horizon DNS in detail.
Hope this helps!
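The following is an added example, not part of the post, the video, or Apple's tooling: a minimal BIND 9 split-horizon named.conf for the setup vjl describes, with two zone files for vjl.org. Clients on 192.168.0.0/24 get dargo's private address and may recurse through the server; everyone else gets the public address and no recursion. The addresses 203.0.113.10/.11 and 192.168.0.10, the file names under /var/named, the root-hints file name, and the hostmaster contact are all placeholders I chose for the example.

```conf
// --- /etc/named.conf (example; replaces the single-view file the GUI writes) ---
// Once a config uses views, every zone must live inside a view; no top-level zones.

acl "internal" { 127.0.0.1; 192.168.0.0/24; };

options {
    directory "/var/named";          // assumption: zone files live under here
    listen-on { any; };
    recursion no;                    // recursion is granted per view below, never globally
    allow-transfer { none; };        // no AXFR to anyone unless a zone says otherwise
    version "not disclosed";         // do not advertise the BIND version
};

view "internal" {
    match-clients { "internal"; };   // evaluated in order: LAN clients land here
    recursion yes;
    allow-recursion { "internal"; }; // keep the resolver closed to the outside
    zone "." { type hint; file "named.ca"; };   // root hints, needed for recursion
    zone "vjl.org" {
        type master;
        file "zones/vjl.org.internal";
    };
    zone "0.168.192.in-addr.arpa" {
        type master;
        file "zones/192.168.0.rev";
    };
};

view "external" {
    match-clients { any; };          // everyone who did not match above
    recursion no;
    zone "vjl.org" {
        type master;
        file "zones/vjl.org.external";
    };
};

; --- /var/named/zones/vjl.org.internal (served only to the internal view) ---
$TTL 3600
@       IN SOA  dargo.vjl.org. hostmaster.vjl.org. (
                2011123001      ; serial: bump it in BOTH copies on every edit
                3600 900 1209600 3600 )
        IN NS   dargo.vjl.org.
dargo   IN A    192.168.0.10    ; private address: LAN clients skip the NAT hairpin
ns2     IN A    192.168.0.10
stark   IN A    203.0.113.11    ; hosts outside the NAT keep their public addresses

; --- /var/named/zones/vjl.org.external (served to everyone else) ---
$TTL 3600
@       IN SOA  dargo.vjl.org. hostmaster.vjl.org. (
                2011123001 3600 900 1209600 3600 )
        IN NS   dargo.vjl.org.
dargo   IN A    203.0.113.10    ; the router's public IP, port-forwarded to 192.168.0.10
ns2     IN A    203.0.113.10
stark   IN A    203.0.113.11

; --- /var/named/zones/192.168.0.rev (internal view only) ---
$TTL 3600
@       IN SOA  dargo.vjl.org. hostmaster.vjl.org. (
                2011123001 3600 900 1209600 3600 )
        IN NS   dargo.vjl.org.
10      IN PTR  dargo.vjl.org.
```

Check the files with `named-checkconf /etc/named.conf` and `named-checkzone vjl.org /var/named/zones/vjl.org.internal` (and again for the external copy) before reloading, then confirm the split with `dig @192.168.0.10 dargo.vjl.org A` from a LAN host and from a machine outside the NAT: the first should return 192.168.0.10, the second 203.0.113.10. Two caveats: the internal ACL is what keeps this from becoming an open resolver, so do not widen `match-clients` or `allow-recursion` to `any` on the internal view; and Server Admin regenerates the files it manages, so once views are in place, either keep the hand-edited configuration outside what the GUI owns or stop using the GUI for DNS on that box.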
Dec 30 2011, 9:34 PM, vjl (Twitter) responded:
Thanks, Mike! I've got multiple tabs open on the DNS subject and I've seen references to "split-horizon" DNS, but I hadn't found that explanation yet. I'll go and read it right now.
I've used tinydns for so long [on a Linux server] that I never bothered to learn BIND [tinydns is another open source DNS server written by the same guy who wrote qmail; though I am not a qmail fan, tinydns and dnscache are wonderful and I've been able to configure multiple domains with them very easily, plus use dnscache for DNS services here in the SOHO, though with the Mac mini server in place, I'll be using that instead since it will be a bit quicker].
I've got a copy of DNS & BIND, but it's from 1992 [I started sysadmining SunOS, Xenix, and AIX systems back in 1990!], and back then I used it in a "fire and forget" type of way - got the systems configured the way they needed to be and learned no more than I was required to [just like sendmail, sadly - but that's why I learned and became very knowledgeable in postfix and tinydns :-) ].
Anyway, I'm off to read that site and reconfigure the Mac mini sitting next to me. I'd love to start the new year off with this system in production. Thank you so much for the quick reply and for the great articles. I've added this site to my RSS reader, as I consider myself a newbie with regards to Mac OS X Server [I am much more comfortable with vim and text files when administering a server!], so the fact that I must configure DNS via the command line is the best news I've heard all day. :)
Dec 30 2011, 9:36 PM, vjl (Twitter) responded:
P.S. - sorry for the paragraphs not breaking correctly. Apparently hitting <enter> twice doesn't work here - need some HTML? [will test it with my sign-off!].
Dec 30 2011, 9:41 PM, Mike Boylan responded:
Yeah, Posterous kind of sucks. I've been meaning to take this site offline and redirect it to my main site again, which I'll be redesigning and relaunching early this year. I just haven't had the time yet.
Let me know how it turns out! I've never personally configured it that way from scratch. In my environment now we use fancy systems from F5 to do all of our external to internal address translation and querying. We do use split views of DNS as well, but I don't personally manage or interact with the BIND servers. I just maintain one zone, mac.rmu.edu, and it's internal only, so it's easy enough for me to just use the GUI most of the time.
Dec 30 2011, 9:55 PM, vjl (Twitter) responded:
I actually have a Posterous account [that I hardly use!] and forgot I could have logged in that way; maybe it would have let me edit my comments to include a nicer paragraph break [which is controlled by the 'p' HTML element].
I'll let you know how it turns out. I may actually blog about it, as I want to get back into doing that [it's been over 7 years since my last blog post and I enjoy writing, plus when doing things like this, I like to put what I learned up on the web so that others can benefit from it or suggest things I should have done, etc; I am in the habit of taking careful notes when configuring systems, but those notes are not usually for the public's eyes since they have IPs, etc, in them, and when things go a bit bad, they have me venting about why I didn't do X before I did Y and now Z is broken, etc :) ]
So far, reading the article, this appears to be exactly what I need. I'm going to have to see if I should delete what I currently have in Server Admin before doing everything. Thanks again for the link. I'm disappointed I hadn't found it in all my searches, but I'm very glad you did! :)
Jan 23 2013, 6:22 AM, Thierry responded:
Thanks a lot for this video, Mike. It helps me a lot.
Apr 9 2013, 9:11 AM, Kevin Maybury responded:
I have a server that I set up some time ago, but it appears that the DNS server settings have broken. Is there a procedure to follow for fixing this? Apple's documentation keeps pointing to scutil, but I can't find any good examples of how to use this.