How to set up a stealth DNS Server using Mac OS X Server Leopard?
I took over IT administration for a small company four months ago. We run two Xserves under Leopard (current version: 10.5.5) in the house. Domain and website are hosted separately outside at two other companies, and I have full access to all configurations for our domains.
I found the DNS service to be configured with a duplicate SOA and internal users unable to reach our own website using the plain domain name. I decided to change this.
I was not able to reach my goal using the options given in Server Admin. It seems to me that I should be able to define an A record on domain level rather than on hostname level. Because this is not possible, wildcard resolution such as typo.ourdomain.com pointing to our webserver is not available from the internal network. I guess that Apple is doing something wrong here.
I have not dug into the bind configuration underneath, because this is a live setup and I have only short periods in which I can try out things to avoid service disruption, especially when it comes to DNS with its long caching times.
The intended result is described here: <http://www.zytrax.com/books/dns/ch4/index.html#stealth>. They call it a stealth or a DMZ or a split configuration. I don't know the canonical name for this, but I guess that "split configuration" describes it best.
I have found threads with very similar questions in this discussion group, especially this one: <http://discussions.apple.com/thread.jspa?messageID=8028381>, but I was not able to derive a solution from this. Also, I felt it to be too complicated to describe my issue as a modification of the question discussed there.
Here are all the details:
I have set up my public DNS as SOA with an A record pointing to our website, which has an IP address of its own. The only other entry apart from that is our MX record, which points to a host name in our second domain which is mapped (in forward and reverse direction) to our second fixed IP address. Mail service works as intended (well, there are problems, but they are not related). The setup of the public DNS is complete from my perspective.
We have a DSL router and a line with a fixed IP address. The router does DHCP for the whole internal network, including clients reached through our central switch directly and clients connected over two AirPort base stations. Our servers have fixed IP addresses from the same private subnet. The router does NAT. The fixed public IP address is not mapped as of now, because I don't provide any service required outside on our primary server.
Currently I run the DNS service on our primary server as a caching or forwarding server, and I point all our clients to this server using DHCP on the router. To be honest, I haven't completely understood the difference between forwarding and caching, but I guess this does not make a difference here. After all, I have no zone entries on this server. Well, that is not true either; the zone entries for the mail server as mentioned above are there.
Our primary server is reachable by its IP address and its .local name only as of now. I have got the idea that it should have a FQDN including reverse resolution, visible only internally. I want to have this running before moving the Open Directory service from our secondary (old) server to the primary server.
Ideally, inhouse DNS on the primary server should resolve absolutely the same way as our public DNS except for the single host name defined there. For all other domains it should cache answers.
That is, all requests for ourdomain.com and www.ourdomain.com and typo.ourdomain.com should resolve to the IP address of our web hosting provider, the MX entry should point to our mail server, and only primaryserver.ourdomain.com should resolve to the static private IP address of our primary server.
Obviously, primaryserver.ourdomain.com resolves to our web hoster's IP address from outside, much the same way as typo.ourdomain.com; this is intended behaviour. Additionally, our primary server should be self-conscious, id est, it should report its proper hostname primaryserver.ourdomain.com in the terminal and elsewhere.
I strongly believe that my setup is downright archetypal and should be included as a sample setup in the documentation. I have worked my way through it once but could not find it described there. Maybe I will try again, but for the time being, I would be very happy for any advice I could get here.
Bye, Christian
Mac mini G4, Mac OS X (10.5.5)
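The split (stealth) layout the post asks for, written out as an added example of a hand-maintained BIND zone for the internal server; it is not from this thread or from Apple's Server Admin, and every IP address, file name, MX host and the serial are placeholders. The internal server is simply declared master for ourdomain.com and never listed in the public NS records, so public resolvers never reach it:

```bind
; /var/named/db.ourdomain.com.internal   (hypothetical path)
; Loaded only by the BIND on the primary server; because that server is not
; delegated in the public zone it is a "stealth" master for internal clients.
$TTL 3600
$ORIGIN ourdomain.com.
@       IN SOA  primaryserver.ourdomain.com. hostmaster.ourdomain.com. (
                2008110101 ; serial: bump on every edit (YYYYMMDDnn)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL, keep short while testing
        IN NS   primaryserver.ourdomain.com.  ; internal-only NS; BIND requires one
; Apex plus wildcard: ourdomain.com, www.ourdomain.com, typo.ourdomain.com, ...
; all answer with the web hoster's address, exactly like the public zone.
@       IN A    192.0.2.80            ; placeholder: web hoster's public IP
*       IN A    192.0.2.80            ; a wildcard never matches the apex, hence both
; MX kept identical to the public zone; the target is in the second domain and
; is looked up recursively like any other outside name.
@       IN MX 10 mail.seconddomain.example.   ; placeholder MX host
; The single internal exception: an explicit name always wins over the wildcard.
primaryserver IN A 192.168.1.10       ; placeholder: private IP of the primary server

; named.conf stanzas (excerpt) that go with this file on the primary server:
;   options {
;     recursion yes;
;     allow-recursion { 192.168.1.0/24; localhost; };  // internal clients only
;     forwarders { 192.0.2.53; };                       // placeholder upstream
;   };
;   zone "ourdomain.com" IN {
;     type master; file "db.ourdomain.com.internal"; allow-transfer { none; };
;   };
;   zone "1.168.192.in-addr.arpa" IN { type master; file "db.192.168.1"; };
; and in db.192.168.1 the reverse entry:  10  IN PTR  primaryserver.ourdomain.com.
```

Run `named-checkzone ourdomain.com db.ourdomain.com.internal` before reloading, and remember that clients will keep cached answers for the old TTL after the switch.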