DNS not forwarding requests

I put my ISP's two DNS servers in the Forwarder IP Address field in DNS Settings, but DNS requests don't ever make it out of the network. Local machines with DNS records have no problem being seen. This seems straightforward, but clearly I'm missing something; not sure where to look anymore. Any help will be greatly appreciated.

Xserve 2.8 quad-core, Mac OS X (10.5.2)

Posted on Apr 12, 2008 1:50 PM


Apr 13, 2008 12:12 AM in response to rkovelman

That's not a good practice.

The DNS server should only have its own IP in Network prefpane.

(The forwarders are used to offload resolving of all external domains to the ISP DNSes.)

If you put in public IP DNSes in Network prefpane they could be used by the server to try to resolve (private IP and/or) internal only names/domains of which they know nothing.

I would prefer to use 2 internal DNS (master/slave) primary/secondary and send/use those two IPs to/on all LAN clients. Both could be set up to use the same ISP forwarders.

Apr 13, 2008 12:41 AM in response to Zeph Bender

If your LAN clients use your server for DNS only, that server needs to be able to reach Internet DNS for resolving.

If you try to reach Internet from LAN clients and you have a firewall/NAT router in place, that NAT router/Firewall needs to know how to forward returning DNS answers to the originating LAN client.

If using OS X firewall - the server is the gw/NAT router - this used to be a problem.

Depending on which (preset) firewall rules are used, the firewall could block some traffic including these DNS answers.

Before discovering the keep-state capability in ipfw rules I then set up a rule that said something like:

allow udp from any 53 to <(Private IP) LAN network IP-range/subnet> in

but if using a rule like:

allow ip from <(Private IP) LAN network IP-range/subnet> (in) keep-state

dynamic temporary rules are created instead for any traffic LAN clients have originated.

As all LAN clients and the server should use the server's internal/its own DNS, this should only be used to see if the ISP DNS allow recursion (answering your requests) or to test the internal DNS server's ability to use ISP DNS for lookups:

host <IP or name/FQDN you want to look up>. <DNS server you'd like to test if allowing recursion or not>

If your internal DNS is behind another (ipfw) firewall, that firewall of course needs to let returning DNS answer packets in.


HTH
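As an added example (not from this thread or from any poster): a small Python diagnostic for the recursion test described above. It builds a bare DNS A query, sends it to a forwarder on UDP/53, and reports whether the reply carries the RA (recursion available) flag with NOERROR and at least one answer; a timeout is reported separately, since that is what a firewall/NAT rule dropping the returning answers looks like from the client. The server IP and the two sample responses are constructed for illustration, not captured from a real resolver.

```python
import random
import socket
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 section 4.1.1)
DNS_HDR = struct.Struct("!HHHHHH")

def build_query(name, txid=0x1234, recursion_desired=True):
    """Build a minimal DNS A/IN query for `name`; RD bit set unless told otherwise."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = DNS_HDR.pack(txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(response):
    """Pull the fields we care about out of a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = DNS_HDR.unpack_from(response)
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # this is a response, not an echoed query
        "ra": bool(flags & 0x0080),      # server is willing to recurse for us
        "rcode": flags & 0x000F,         # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }

def allows_recursion(response, expected_id):
    """True only when the reply matches our id, has RA set, NOERROR and >= 1 answer."""
    h = parse_header(response)
    return (h["id"] == expected_id and h["qr"] and h["ra"]
            and h["rcode"] == 0 and h["answers"] > 0)

def check_forwarder(server_ip, name="www.example.com", timeout=2.0):
    """Query the forwarder directly. Returns True/False, or None if no reply came back
    (the symptom of a firewall/NAT not letting the UDP/53 answer back in)."""
    txid = random.randrange(1, 0xFFFF)   # unpredictable id, as a real resolver would use
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return allows_recursion(data, txid)

# Constructed sample replies (not real captures), id 0x1234, QR set, 1 question:
SAMPLE_OK = DNS_HDR.pack(0x1234, 0x8180, 1, 1, 0, 0)        # RD+RA, NOERROR, 1 answer
SAMPLE_REFUSED = DNS_HDR.pack(0x1234, 0x8105, 1, 0, 0, 0)   # RA clear, RCODE 5 REFUSED

if __name__ == "__main__":
    # Hypothetical forwarder address; replace with the ISP DNS IP from the Forwarder field.
    print(check_forwarder("192.0.2.53"))
```

A result of False against the ISP DNS means that resolver refuses recursion for your address and is useless as a forwarder; None means the query or its answer never crossed the firewall/NAT.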
