
I bought an old xserve with 10.5 server. I have followed all the books and tutorials online, but none of them seem to explain setting up name servers for use outside of my network (I would like to run a dev server that other people can use).

I have a 2wire modem that is plugged into the switch for my local network. My server and clients are connected to this switch. The 2wire is set up to send any DNS (port 53) and http traffic to my server 192.168.1.120 (should this server be set up under DMZ?).

I have my server DNS set up like this: primary zone - mydomain.com., server1.mydomain.com. - machine - 192.168.1.120, www - Alias - server1.mydomain.com. The reverse shows: 192.168.1.120 - server1.mydomain.com.

I have web service running and have tried many settings, but ended up going back to the default so that any http request going to 192.168.1.120 returns the default page.

I went to godaddy.com and to change my name servers for the domain I needed to add hosts. So I added ns1.mydomain.com and ns2.mydomain.com pointing to my static IP and changed the name servers from godaddy to ns1 and ns2.

Since there is nothing to handle ns1 and ns2 on my server, I added nameservers ns1.mydomain.com. and ns2.mydomain.com. on my server under the primary zone mydomain.com.

Now I can enter ns1.mydomain.com or ns2.mydomain.com into any browser and I get the default page inside or outside of my network.

I can only hit www.mydomain.com or server1.mydomain.com from inside my network, and when I check DNS with whatsmydns.com on these, it shows the internal IP of 192.168.1.120 for some reason. That explains why I cannot get to it.

When I try mydomain.com from either inside or outside my network I get nothing, and whatsmydns.com shows nothing as the DNS value.

So now I am really confused about where the issue is. Since ns1.mydomain.com works and mydomain.com does not, it almost seems like mydomain.com is not really being forwarded to my name server at all. Except that I can see server1.mydomain.com pointing at the internal network. What am I doing wrong here? Why does it seem that anything now being used as a name server over at godaddy is pointing to internal IPs?

Sorry for the long post; I would appreciate any help.

camilian

2 Answers


The DNS interface in Server Admin.app is not suitable for doing a split-horizon DNS configuration. It simply doesn't expose all of the flexibility of BIND that you need to pull off such a configuration.

If you poke around the BIND config files on your OS X Server, you'll be able to see how Apple has set them up so that you can edit them directly without confusing the GUI. /var/named contains zone files that you may edit, and they include corresponding files in /var/named/zones which you should not edit. They've done something similar for /etc/named.conf and the files in /etc/dns/.

Having said that, I recommend not doing both internal and external resolving for split-horizon DNS on your server, mainly because:

  1. It's kind of complicated, and you lose any convenience you had when you were able to use the GUI exclusively

  2. You have NAT, which makes it even more complicated

  3. There are solutions available from third parties that are better-performing, cheap/free, and more robust

In my organization, we use DNS in Mac OS X Server extensively for the internal part of a split-horizon setup. We use the "Advanced DNS" part of a Network Solutions account for the external part. It comes free with the domains we've purchased, and has redundancy and speed far greater than what I could justify for hosting a handful of externally-resolving names myself.

lukecyca
  • Thanks, I ended up using the advanced DNS at godaddy for external. Perfect solution. Just wish my horrible 2wire modem would allow VPN forwarding now – camilian Dec 14 '09 at 23:23
  • Good to hear. BTW, it's good form to "check" the answer you end up using... :) – lukecyca Dec 15 '09 at 00:02

This isn't really a Mac OS X problem; it's more a NAT and split DNS issue.

You need to reconfigure BIND to use "views" with two different versions of your zone file, such that access from inside your network gives the 192.168.1/24 (internal) addresses, but requests forwarded from outside (via your 2-Wire router) give out your static public IP.

acl internal {
    127.0.0.0/8;            // the server itself
    192.168.1.0/24;         // your LAN behind the 2-Wire NAT
};

// Views are tested in order, so the internal view must come first.
view "internal" {
    match-clients { internal; };    // LAN clients get the 192.168.1.x addresses
    zone "mydomain.com" {
        type master;
        file "/etc/bind/internal/db.mydomain.com";
    };
};

view "external" {
    match-clients { any; };         // everyone else gets the public static IP
    zone "mydomain.com" {
        type master;
        file "/etc/bind/external/db.mydomain.com";
    };
};

This example is culled from http://www.howtoforge.com/two_in_one_dns_bind9_views, which also has more information.

Alnitak
  • ah! thanks, will need to do some research on how to do this in OSX server. Have yet to try to do anything outside of the pretty interface. I know that is bad... but nice for a newbie – camilian Nov 25 '09 at 00:46
  • ok I have been researching this. I am a little hesitant to change the files outside of the osx server admin because apple states "For Mac OS X Server 10.3 or later, you should use the Server Admin application to configure DNS and NAT. " Have anyone set up split dns in the server admin? – camilian Nov 25 '09 at 19:45
  • I've been running BIND 9 views under Mac OS X 10.5 Leopard Server (migrated from 10.5 Tiger Server) and it works fine, but Server Admin asks if you want to "upgrade" your DNS configuration. I believe it'd strip the custom views from the configs, but I've not tried. You certainly can't manage the views from Server Admin, AFAICT. – morgant Nov 27 '09 at 19:48
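A small simulation of the view mechanism from this answer, added here as an example and not part of the original post: it mimics BIND's ordered match-clients decision for the acl above, resolves the question's names from a constructed internal and external copy of the zone, and audits the external copy for RFC1918 addresses, which is the leak the questioner saw on whatsmydns.com. The address 203.0.113.10 is a placeholder for the real static IP.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"   # placeholder for the questioner's real static IP
ACL_INTERNAL = ["127.0.0.0/8", "192.168.1.0/24"]   # acl internal { ... }
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone data, one copy per view; names are absolute (trailing dot).
ZONES = {
    "internal": {
        "server1.mydomain.com.": ("A", "192.168.1.120"),
        "www.mydomain.com.": ("CNAME", "server1.mydomain.com."),
        "ns1.mydomain.com.": ("A", "192.168.1.120"),
    },
    "external": {
        "mydomain.com.": ("A", PUBLIC_IP),
        "server1.mydomain.com.": ("A", PUBLIC_IP),
        "www.mydomain.com.": ("CNAME", "server1.mydomain.com."),
        "ns1.mydomain.com.": ("A", PUBLIC_IP),
    },
}

def select_view(client_ip, acl=ACL_INTERNAL):
    """Mimic match-clients: views are tried in order, so the internal view
    answers when the client is in the acl and 'any' catches everyone else."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net) for net in acl):
        return "internal"
    return "external"

def resolve(name, client_ip, zones=ZONES, depth=0):
    """Answer a query from the selected view, following CNAMEs within that view."""
    if depth > 8:
        raise ValueError("CNAME chain too long")
    zone = zones[select_view(client_ip)]
    rec = zone.get(name if name.endswith(".") else name + ".")
    if rec is None:
        return None                     # NXDOMAIN in this view
    rtype, value = rec
    if rtype == "CNAME":
        return resolve(value, client_ip, zones, depth + 1)
    return value

def leaked_private_records(zones=ZONES):
    """Audit: return external-view names that publish RFC1918 addresses."""
    bad = []
    for name, (rtype, value) in zones["external"].items():
        if rtype == "A" and any(ipaddress.ip_address(value) in n for n in RFC1918):
            bad.append(name)
    return bad
```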