Q: DNS server problems

When I turn on DNS using the server.app, and then set my clients to use this server for DNS, they draw a blank.  Has anyone actually gotten DNS server to work on 10.8??  Why is there no easy-to-find howto from Apple on setting this up? Anyone have any resources they can point me to?

Posted by pts on Aug 17, 2012 11:11 PM


  • by redshift82r, Aug 18, 2012 5:34 AM, in response to pts
    Level 2 (325 points)

    I can only point you to Charles' blog for just about everything Mountain Lion Server:

    http://krypted.com/mac-os-x-server/managing-dns-using-mac-os-x-mountain-lion-server/

  • by pts, Aug 18, 2012 8:01 AM, in response to redshift82r
    Level 1 (0 points)

    How can I wipe every *%$& DNS related file clean, to start from scratch? I don't have anything I need to save, with respect to DNS server. I just want to get the thing working, and it doesn't. I want to blank it all, and try from the beginning.

    If I select "show all records" using the gear icon on the DNS server.app page, I see the following (my server that I'm trying to get this to work on is named: "myserver.located.here"):

    Primary Zone: myserver.located.here
        myserver.located.here    nameserver

    Primary Zone: myserver.located.here.    [why is there a period at the end? what is the difference?]
        myserver.located.here    nameserver
        myserver.located.here.myserver.located.here.    machine    [huh?? note the trailing period again]

    Primary Zone: located.here
        myserver.located.here    machine
        myserver.located.here    nameserver

    Reverse Zone: 1.1.168.192.in-addr.arpa
        192.168.1.1    reverse mapping
        myserver.located.here    nameserver

    Reverse Zone: 1.1.168.192.in-addr.arpa.    [another period...]
        192.168.1.1    reverse mapping
        myserver.located.here    nameserver

    Reverse Zone: ###.###.###.in-addr.arpa
        ###.###.###.###    reverse mapping
        myserver.located.here    nameserver

    When I try to get clients outside my local network (I don't have a local network, so they are all outside my local network) to use this server (myserver.located.here) as their DNS lookup, they get nothing.

    Any ideas?

  • by pts, Aug 18, 2012 8:18 AM, in response to pts
    Level 1 (0 points)

    Am I right that if this DNS server were working correctly, and if I set it up to "perform lookups for all clients", then a client located in some other network, if told to use my DNS server, would be able to resolve things?

    When I do this, the clients don't respond when I try to access, e.g., websites from their browsers. Why might the DNS server not be serving clients, if the "perform lookups for all clients" option is selected, and the clients have the server as their DNS server?

    What should I be looking at to see why this isn't working?

  • by JaimeMagiera, Aug 18, 2012 3:01 PM, in response to pts
    Level 2 (305 points)

    Have you looked at the DNS traffic on the client to verify it is querying the server? Have you looked at the DNS traffic or logs on the server to see what is happening there? Get dirty with it.

  • by redshift82r, Aug 18, 2012 4:04 PM, in response to pts
    Level 2 (325 points)

    You haven't described what you are "serving" and why you would want to point machines located outside your network to your server for DNS serving. It WOULD work if they VPN in. It SHOULD not work for external machines if they don't, as a general rule.

    The . means a Fully Qualified Domain Name. It can't "resolve" further. It's necessary for DNS to operate correctly.

    Have a look at this article for a better understanding of DNS under OS X Server:

    http://labs.hoffmanlabs.com/node/1436

  • by pts, Aug 18, 2012 7:04 PM, in response to redshift82r
    Level 1 (0 points)

    OK, I'll take a look at that link, but it looks like a slog.

    Here is what I'm trying to do: I have 4 workstations in my small academic research lab. They are located in different rooms (my lab is physically split into different parts of a building). I thought it would be nice to have Open Directory running on one of them, so that I don't have to duplicate user accounts on all the machines. However, I can't get Open Directory working. Someone suggested that I needed to get DNS working first, so here I am.

    Now, I don't understand the logic behind why an OS X DNS server can only serve clients that are in a walled-off subnet behind the server's firewall. This can't be generally true of all DNS servers, right? How is it that I can get my clients and server to query my University's DNS server (or Google's 8.8.8.8), even if it isn't on the same subnet, and it works fine? Why should the OS X server be any different? I take it, however, from what you said, that OS X's DNS service is specifically set up differently, so that it WON'T respond to clients that it doesn't serve as the firewall for (i.e., the gatekeeper for a 192.168... subnet or whatever).

    So I don't actually care about this, except that I'd love to have Open Directory running. Is it true that Open Directory won't serve machines that are outside of the server's firewall, even if they are on the same local network that the server sits on?

    Are you saying that VPN is the only way to get Open Directory to work?

    Sorry for all the questions. I'm not an IT person; it just seemed like Open Directory would simplify my life. I'm thinking it won't (at least in the short run)!

  • by pts, Aug 18, 2012 7:05 PM, in response to JaimeMagiera
    Level 1 (0 points)

    JaimeMagiera wrote:

        Have you looked at the DNS traffic on the client to verify it is querying the server? Have you looked at the DNS traffic or logs on the server to see what is happening there? Get dirty with it.

    I'm not sure how to do this. Can you expand a bit about how this could be done?

  • by Camelot, Aug 19, 2012 12:58 AM, in response to pts
    Level 8 (47,337 points), Mac OS X

        Is it true that Open Directory won't serve machines that are outside of the server's firewall, even if they are on the same local network that the server sits on?

    No, you're misunderstanding several important elements.

    First and foremost, Open Directory requires valid forward and reverse DNS for both the server and clients.

    It doesn't matter whether those clients are on a direct-connect ethernet link, in the same subnet, or across the country, as long as they can resolve the server's address, and the server can resolve theirs.

    That's where the DNS server component comes into play. You don't actually need to use Mac OS X's DNS server at all - it's just BIND, after all, with nothing specifically 'Apple' about it. Any DNS server that knows your LAN addresses would be fine. However, that's what precludes you using Google DNS, or any ISP address - they just won't know your LAN addresses/hostnames.

        Are you saying that VPN is the only way to get Open Directory to work?

    No. Not at all. However, you have to consider security. If your users are on a remote LAN, not directly connected to your network, then how are they going to connect to your server? Over the public internet?

    That means you're going to open ports in your firewall to allow random internet connections to your directory server? That's not a good idea since you'll be hit with numerous probes against your server trying to compromise all the user accounts on there. That's why you might prefer a VPN, but it isn't a prerequisite.

    As for the DNS server itself:

        OS X's DNS service is specifically set up differently, so that it WON'T respond to clients that it doesn't serve as the firewall for

    That's not strictly true. Out of the box, Mac OS X's DNS server config is set to only respond to DNS requests from local networks. That's because 99% of the time it's what you want (and, IIRC, is BIND's default anyway).

    However, that doesn't mean that's the only way the server will ever work. It's just a matter of editing the configs (either via the GUI or command line) to tell it what client addresses it should respond to. It's perfectly valid to have Mac OS X's DNS server respond recursively to every DNS request from any client anywhere, if that's what you want to do.

    If you change the server to respond to any requests (or, at least, requests from the remote LANs), then clients in those LANs can query this server for DNS, get valid lookups for your server, and everything will be fine.

    Or just make sure that the campus DNS servers know the address of your server and clients, and have everyone use the campus DNS servers.

  • by pts, Aug 19, 2012 8:35 AM, in response to Camelot
    Level 1 (0 points)

    Thanks for all this - really helping me understand things better!

    You wrote: "It doesn't matter whether those clients are on a direct-connect ethernet link, in the same subnet, or across the country as long as they can resolve the server's address, and the server can resolve theirs"

    and a bit later: "Any DNS server that knows your LAN addresses would be fine."

    But this is true now. This doesn't explain why Open Directory on the server isn't responding to the clients. There must be some other configuration I need to do to get this to work, right?

    You then wrote: "However, that's what precludes you using Google DNS, or any ISP address - they just won't know your LAN addresses/hostnames."

    But the DNS server we use now DOES know all the clients and server - they all have FQDNs and static IPs from my University. So this isn't the problem.

    You also wrote: "That means you're going to open ports in your firewall to allow random internet connections to your directory server? That's not a good idea since you'll be hit with numerous probes against your server trying to compromise all the user accounts on there."

    OK, two questions:

    1) Would a VPN, which in this case would be operating on the same University subnet (it isn't across the country or even across town), be significantly slower than NOT using a VPN, and doing it the unsecure way using FQDNs on the open internet? I believe, by the way, that the University itself is a protected network (I have to VPN from home if I want to access anything). So it is possible this would be relatively safe?

    2) If I insisted on doing it the unsecure way (not using a VPN tying my 4 machines together), is there some way I could limit the server to ONLY respond to requests from my other 3 client machines? And just be silent to all other requests? If so, how might this be done?

    Finally, you wrote: "Or just make sure that the campus DNS servers know the address of your server and clients, and have everyone use the campus DNS servers"

    So this is true right now. I am not averse to using the command line if necessary to edit files. Where can I get info about where these are, and which ones to edit in what ways?

    Thanks for any pointers you can give!

  • by JaimeMagiera, Aug 19, 2012 8:54 AM, in response to pts
    Level 2 (305 points)

    The DNS server log lives at /Library/Logs/named.log. You can view it from the terminal. You should also be able to see the log in Server.app, under Logs. The log will show you any errors. If you really wanted to get technical, you could edit the named configuration file to increase logging (regrettably, the new Server.app doesn't provide the ability to change log settings).

    To do a simple test of access, from the command line of a client machine, type "host <a.machine.in.dns.tld> <IP number of the DNS server>" (e.g. "host node2.sensoryresearch.net 63.208.160.186"). What is the response?

    To watch a DNS transaction in progress, install Wireshark on the server. Configure it to watch the DNS port (53). Do a lookup from a client machine. What does the traffic show you? DNS is a call and response process. You should be able to go step-by-step to see what's going on (assuming the server can be accessed at all).
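    The two answers above (Camelot's point that the server only answers clients listed in its allow-query/allow-recursion networks, and JaimeMagiera's pointer to /Library/Logs/named.log) can be combined into one check. The script below is an added example, not code from the thread or from Apple: it reads BIND query-log lines, compares the querying addresses against the list of lab workstations that should be served, and reports (a) lab clients the server refused, which is the symptom in this thread, and (b) unknown addresses that were answered recursively, which is the open-resolver exposure Camelot warns about. The log lines, the addresses and the hostnames are constructed placeholders; the log format is BIND 9's (query logging enabled with "rndc querylog").

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): audit a BIND query log
# against the list of lab clients that should be served.  On OS X Server the
# log is /Library/Logs/named.log; the lines below are constructed samples in
# BIND 9's query/security log format.  All addresses and names are placeholders.

# Constructed sample log: one lab client answered, one lab client refused
# (it falls outside the server's allow-query/allow-recursion networks), and an
# unknown host on the internet answered recursively (an open resolver).
SAMPLE_LOG=$(cat <<'EOF'
18-Aug-2012 08:01:02.123 queries: info: client 192.168.1.50#52341: query: myserver.located.here IN A + (192.168.1.1)
18-Aug-2012 08:01:05.456 security: info: client 10.20.30.40#41000: query (cache) 'www.example.com/A/IN' denied
18-Aug-2012 08:01:07.789 queries: info: client 203.0.113.9#53001: query: www.example.com IN A + (192.168.1.1)
18-Aug-2012 08:01:09.000 security: info: client 10.20.30.40#41001: query (cache) 'myserver.located.here/A/IN' denied
EOF
)

# Constructed: the addresses of the lab workstations the server should serve.
TRUSTED='192.168.1.50 10.20.30.40 10.20.30.41'

# Print one "address outcome trust" line per distinct client/outcome pair.
# outcome is "denied" (BIND refused the query) or "answered"; trust is
# "trusted" if the address is in TRUSTED, otherwise "unknown".
classify_clients() {
    printf '%s\n' "$1" | awk -v trusted="$TRUSTED" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /client [0-9.]+#[0-9]+: query/ {
            for (i = 1; i <= NF; i++)
                if ($i == "client") { split($(i + 1), a, "#"); addr = a[1] }
            print addr, ($NF == "denied" ? "denied" : "answered"), (addr in ok ? "trusted" : "unknown")
        }' | sort -u
}

# Lab clients the server refused.  The fix is to list them in named.conf, in
# BIND syntax such as:
#   acl lab { 192.168.1.50; 10.20.30.40; 10.20.30.41; };
#   options { allow-query { lab; }; allow-recursion { lab; }; };
denied_trusted() {
    classify_clients "$1" | awk '$2 == "denied" && $3 == "trusted" { print $1 }'
}

# Unknown clients that received recursive answers: the server is serving the
# whole internet; tighten allow-recursion to the acl above.
answered_unknown() {
    classify_clients "$1" | awk '$2 == "answered" && $3 == "unknown" { print $1 }'
}

report() {
    echo "Lab clients refused (add them to allow-query/allow-recursion):"
    denied_trusted "$SAMPLE_LOG"
    echo "Unknown clients answered (open recursion, restrict it):"
    answered_unknown "$SAMPLE_LOG"
}
report
```

    To run it against a real log, replace SAMPLE_LOG with the output of `cat /Library/Logs/named.log` and TRUSTED with the workstations' actual addresses; the acl shown in the comment is the named.conf change that answers question 2 above for the DNS side, and it only works for clients with fixed addresses.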

  • by Camelot, Aug 19, 2012 9:48 PM, in response to pts
    Level 8 (47,337 points), Mac OS X

        and a bit later: "Any DNS server that knows your LAN addresses would be fine."

        But this is true now. This doesn't explain why Open Directory on the server isn't responding to the clients. There must be some other configuration I need to do to get this to work, right?

    That's quite likely - and something that requires a deeper understanding of your university network and the links between the various locations. Since the original post was focussed on DNS it makes sense to clarify (or eliminate) that path first.

    So, if all your machines can obtain a fully-qualified domain name for your server (including reverse lookup), even if not using your own DNS server, then the problem is likely not DNS.

        1) Is a VPN, which in this case would be operating on the same University subnet (it isn't across the country or even across town) be significantly slower than NOT using a VPN

    Not significantly slower, no. The overhead of the VPN connection is trivial, and likely outweighed by bandwidth constraints between the locations.

        and doing it the unsecure way using FQDN's on the open internet? I believe, by the way, that the University itself is a protected network (I have to VPN from home if I want to access anything). So it is possible this would be relatively safe?

    If your university network is all firewalled and VPN-protected then the chances are, yes, you're good to go. However, validation of that statement requires an understanding of the respective network(s). For example, it isn't enough to say "the university has a VPN, therefore everything is safe" if there's some other direct path to the server that doesn't require VPN.

        2) If I insisted on doing the unsecure way (not using a VPN tying my 4 machines together), is there some way I could limit the server to ONLY respond to requests from my other 3 client machines? And just be silent to all other requests? If so, how might this be done?

    Yes, although it can be a little tricky. It would most likely involve configuring the firewall on the server to block Open Directory requests from all addresses other than 'known trusted' addresses. If the client machines are on dynamic/floating IP addresses then that option largely goes out of the window.

        Thanks for any pointers you can give!

    The next place I'd look is at the network level, on both the client and server. Run a tcpdump on the server to identify what Open Directory traffic is coming in on the wire. Run the same thing on the client. Check that every packet the server sends out is received by the server (and vice versa). If it isn't then there's likely some firewall or other packet filter in the path. It isn't uncommon for edge switches or routers at each building to block unknown/unexpected protocols, so it may just be that you need to talk to the network admins to unblock Open Directory requests between buildings. A tcpdump will help clarify that.
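    The tcpdump comparison Camelot describes (capture on both ends, then check which packets never arrive) is what the added example below automates. It is not code from the thread: it takes two captures in "tcpdump -n" text form, one from the client and one from the server, extracts every TCP SYN the client sent toward the server's Open Directory ports (LDAP on 389 and Kerberos on 88 are assumed here), and lists the connection attempts that appear in the client capture but not in the server capture. Those are the ones a switch, router or firewall between the buildings is dropping. Both captures, the addresses and the ports are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): compare a tcpdump taken on a client
# with one taken on the server, and list connection attempts that left the
# client but never reached the server, which points at a filter in the path.
# The two captures are constructed samples in "tcpdump -n" text form; the
# addresses and ports are placeholders.  Real captures would be taken on each
# side with something like:
#   tcpdump -n -i en0 host 192.168.1.1 and '(port 389 or port 88)'
# (LDAP on 389 and Kerberos on 88 are the Open Directory ports assumed here.)
SERVER=192.168.1.1

# Constructed client-side capture: an LDAP connection that completes, and a
# Kerberos SYN that is retransmitted because nothing ever comes back.
CLIENT_CAP=$(cat <<'EOF'
08:01:02.000101 IP 10.20.30.40.49200 > 192.168.1.1.389: Flags [S], seq 1000, win 65535, length 0
08:01:02.000420 IP 192.168.1.1.389 > 10.20.30.40.49200: Flags [S.], seq 2000, ack 1001, win 65535, length 0
08:01:02.000600 IP 10.20.30.40.49200 > 192.168.1.1.389: Flags [.], ack 1, win 4096, length 0
08:01:03.000101 IP 10.20.30.40.49201 > 192.168.1.1.88: Flags [S], seq 3000, win 65535, length 0
08:01:04.000101 IP 10.20.30.40.49201 > 192.168.1.1.88: Flags [S], seq 3000, win 65535, length 0
EOF
)

# Constructed server-side capture: only the LDAP packets arrived.
SERVER_CAP=$(cat <<'EOF'
08:01:02.000250 IP 10.20.30.40.49200 > 192.168.1.1.389: Flags [S], seq 1000, win 65535, length 0
08:01:02.000300 IP 192.168.1.1.389 > 10.20.30.40.49200: Flags [S.], seq 2000, ack 1001, win 65535, length 0
08:01:02.000750 IP 10.20.30.40.49200 > 192.168.1.1.389: Flags [.], ack 1, win 4096, length 0
EOF
)

# Print "srcip:srcport->dstport" for every SYN addressed to SERVER in a
# capture (one line per distinct attempt; retransmits collapse into one).
syns_to_server() {
    printf '%s\n' "$1" | awk -v srv="$SERVER" '
        $2 == "IP" && $7 == "[S]," {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, d, "."); dport = d[n]; dip = d[1] "." d[2] "." d[3] "." d[4]
            m = split($3, s, "."); sport = s[m]; sip = s[1] "." s[2] "." s[3] "." s[4]
            if (dip == srv) print sip ":" sport "->" dport
        }' | sort -u
}

# Attempts present in the client capture ($1) but absent from the server
# capture ($2): something between the two hosts is dropping them.
lost_in_transit() {
    {
        syns_to_server "$2" | sed 's/^/S /'
        syns_to_server "$1" | sed 's/^/C /'
    } | awk '$1 == "S" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

echo "Connection attempts dropped between client and server:"
lost_in_transit "$CLIENT_CAP" "$SERVER_CAP"
```

    With the sample data the report names the Kerberos attempt on port 88, while the LDAP connection on 389 is seen on both sides; that is the kind of per-port evidence to hand to the network admins when asking them to unblock Open Directory between buildings.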