Split DNS can't resolve external web site

Friends:

I must be doing something wrong with my DNS setup. I have a Split DNS with both my website EXAMPLE.com and my server as EXAMPLE.COM. I can resolve to my intranet site by typing example.com and that works fine, but when I try to resolve to my external site I get an error when I type www.example.com.

I am running SL 10.6.4 on the new mac mini server

Primary zone: Example.com
Name Server: Zone=Example.com NS:Server.example.com.

DNS ENTRIES:
Machine record: Machine Name=example.com. IP=192.168.0.2
Alias: Name=www Destination= 7.74.184.000


I double-checked our intranet; it is simply the wiki server. I have two sites defined.

1) One is on port 80 with IP of 192.168.0.2 that forwards every incoming request to our second site. I used an ALIAS with a RedirectMatch with a pattern of (^/(.*)$) to point to our https://mobile.example.com site. There are no options or web services running on this one site.

2) The second site is on port 443 with the IP of 192.168.0.2 which runs the wiki server. It uses SSL of course and has the Wiki, Blogs and Calendars options enabled.

Here are my new dig responses

*****Dig example.com ****** (Everything seems OK here)
; <<>> DiG 9.6.0-APPLE-P2 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8993
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 10800 IN A 192.168.0.2

;; AUTHORITY SECTION:
example.com. 10800 IN NS Server.example.com.

;; ADDITIONAL SECTION:
Server.example.com. 10800 IN A 192.168.0.2

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 26 09:56:06 2010
;; MSG SIZE rcvd: 90



**********Dig www.example.com ************
; <<>> DiG 9.6.0-APPLE-P2 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20964
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com. IN A

;; ANSWER SECTION:
www.example.com. 10800 IN CNAME 97.74.184.000.example.com.

;; AUTHORITY SECTION:
example.com. 3600 IN SOA Server.example.com. steve.example.com. 2010082602 86400 3600 604800 3600

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 26 09:58:50 2010
;; MSG SIZE rcvd: 118

Anyone with insight into my issues? Again, I don't understand why when I dig www.example.com I get the IP address of where it is supposed to point to, but I also get example.com. appended to the end of it as seen here... 97.74.184.000.example.com.

thanks all for at least taking a look at my problems...

Steve

Mini server 2010, Mac OS X (10.6.4)

Posted on Aug 26, 2010 10:20 AM
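The CNAME returned by the second dig above (97.74.184.000.example.com.) is what BIND produces when an alias destination is typed as an IP address without a trailing dot: a CNAME target must be a host name, and a name that does not end in a dot is treated as relative to $ORIGIN, so the zone name is appended. The following zone checker is an added example, not code from the original post or from Mac OS X Server; the record list is constructed from the Server Admin entries the post describes (the public address is the one shown in the dig output), and the function names are illustrative.

```python
import re

ORIGIN = "example.com."

# Constructed records modelled on the post's Server Admin entries: the Machine
# record for the bare domain, the NS record, and an Alias whose destination was
# typed as an IP address (the value is the one in the post's dig output).
ZONE_RECORDS = [
    ("example.com.",        "NS",    "Server.example.com."),
    ("example.com.",        "A",     "192.168.0.2"),
    ("Server.example.com.", "A",     "192.168.0.2"),
    ("www",                 "CNAME", "97.74.184.000"),
]

DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Record types whose data field is a domain name and therefore gets $ORIGIN
# appended when it lacks a trailing dot.
NAME_RDATA_TYPES = {"CNAME", "NS", "PTR"}


def qualify(name, origin=ORIGIN):
    """BIND rule: '@' is the origin; a name without a trailing dot is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def expand_zone(records, origin=ORIGIN):
    """Return the records as BIND loads them: owners and name-type rdata qualified."""
    out = []
    for owner, rtype, rdata in records:
        if rtype in NAME_RDATA_TYPES:
            rdata = qualify(rdata, origin)
        out.append((qualify(owner, origin), rtype, rdata))
    return out


def lint_zone(records, origin=ORIGIN):
    """Flag CNAMEs that can never resolve and say what BIND will serve instead."""
    expanded = expand_zone(records, origin)
    owners = {owner.lower() for owner, _, _ in expanded}
    findings = []
    for (owner, rtype, rdata), (_, _, raw) in zip(expanded, records):
        if rtype != "CNAME":
            continue
        if DOTTED_QUAD.fullmatch(raw):
            findings.append(
                f"{owner} CNAME target '{raw}' is an IP address; a CNAME must name a "
                f"host. BIND serves it as '{rdata}'. Use: {owner} IN A {raw}")
        elif not raw.endswith("."):
            findings.append(
                f"{owner} CNAME target '{raw}' has no trailing dot; it is served as "
                f"'{rdata}'. Write '{raw}.' if an external host was intended.")
        # A dangling in-zone target: the server is authoritative, so instead of
        # forwarding it answers NXDOMAIN, exactly as the post's dig shows.
        if rdata.lower().endswith(origin.lower()) and rdata.lower() not in owners:
            findings.append(
                f"{owner} CNAME points inside the zone at '{rdata}', which has no "
                f"record: an authoritative server answers NXDOMAIN, it does not forward.")
    return findings


def suggested_fix(records, origin=ORIGIN):
    """Rewrite alias-to-IP entries as A records, leaving everything else alone."""
    fixed = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME" and DOTTED_QUAD.fullmatch(rdata):
            fixed.append((qualify(owner, origin), "A", rdata))
        else:
            fixed.append((owner, rtype, rdata))
    return fixed


if __name__ == "__main__":
    for finding in lint_zone(ZONE_RECORDS):
        print(finding)
    for record in suggested_fix(ZONE_RECORDS):
        print(*record)
```

Running the checker on the constructed zone reports the alias as an IP-address CNAME and as a dangling in-zone name, and the suggested fix turns it into `www.example.com. IN A 97.74.184.000`, which is the record the GUI's "Machine" entry type would have created.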


Sep 15, 2010 11:12 PM in response to Jeremy Pihl

If you "reuse" your domain name internally and have an "internal only" DNS, you need to add the public server names and IPs to the internal DNS.

This is because the internal DNS thinks it's responsible for the domain and won't go to any public IP DNS for further lookups. So it thinks the "missing records" don't exist.



If you were hosting your own public IP domain DNS, it can be set up with different views so that internal IP records (a separate view from the public view) are allowed only from the private IP range (your LAN) and the rest from both LAN and Internet (WAN).


There is also subdomain delegation to another DNS, so that the example.com DNS "forwards" / delegates subdomain.example.com to another DNS.

It would have been nice if you could slave the public IP DNS to your internal one and then add internal IP records, but that's not possible.

Sep 23, 2010 3:28 PM in response to MrHoffman

So would the same thing happen if I set up my SL with a bogus DNS name like server.whocares.private, which works... But if I then went out and purchased a domain name like sampicture.com, how would I add that to my SLS without reinstalling the OS?

And would it cause any problems.. I would like to setup to get my cal on my iphone & my understanding is you need a real domain name to complete that kind of setup?

Oct 27, 2010 1:30 PM in response to MrHoffman

MrHoffman wrote:
Leif is (of course) correct; your DNS server is authoritative, and it doesn't have an entry, so you won't get the reply for the address unless you add it. Here is Configuring DNS on Mac OS X Server (http://labs.hoffmanlabs.com/node/1436), and it includes setting up this configuration; what is often called split-brain or split-horizon DNS services.


Mr. Hoffman, thank you for the invaluable service you provide to us here on the boards.

I am attempting to deploy this same configuration; small office behind NAT, SLS inside with DNS configured to use the company's registered name. The only machines in the zone so far are those on the private LAN, and everything works except requests to external machines that host this company's web and mail from service providers.

I have read and re-read the helpful node/1436 document, and in the split-brain box Description box you write:

"you can have a public static IP address for www.example.com in
your external and public DNS, and second host entry with a private
static IP address for www.example.com within your network."

Afterwards there are crystal clear steps to configure lookup services for the machines on the local network, but I cannot see how/where/what I add to allow "www.example.com" and "mail.example.com" to be resolved by a DNS server that knows the public IP address of these machines in the cloud (we have neither www.example.com nor mail.example.com inside the LAN).

Since I don't run authoritative DNS for this domain in the outside world, I can't know what the numerical IP address of the public "www.example.com" server will always be, so I can't configure my zone with a number, can I? Is the forwarder supposed to handle this (it doesn't seem to)?

The box states:
"This approach is effective, though will collide only with your public domain. "

Can you share the steps that are necessary to resolve those collisions?

Oct 27, 2010 3:42 PM in response to David Schwartz5

I am attempting to deploy this same configuration; small office behind NAT, SLS inside with DNS configured to use the company's registered name. The only machines in the zone so far are those on the private LAN, and everything works except requests to external machines that host this company's web and mail from service providers.


To confirm: the only network component operating on your network that refers to any external DNS services is your DNS server, correct?

Afterwards there are crystal clear steps to configure lookup services for the machines on the local network, but I cannot see how/where/what I add to allow "www.example.com" and "mail.example.com" to be resolved by a DNS server that knows the public IP address of these machines in the cloud (we have neither www.example.com nor mail.example.com inside the LAN).


Um, you're setting out here to run a split-horizon DNS configuration.

That means your DNS server is authoritative for the zone.

Your DNS server won't ask external servers, because (wait for it...) it's the authoritative DNS server for the zone. (This is what Leif Carlsson references with the "missing records" in the earlier reply; this is what DNS geeks call "authoritative"; that the DNS server is told that it has all the answers for the specified domain.)

Your DNS server either has the translation and the IP address, or it doesn't.

That's how split-horizon works. (Or doesn't work, in some cases.)

Split-horizon DNS is to DNS translations what NAT is to IP addressing. The horizon (or the brain) that you're splitting here indicates that you will get different DNS responses, depending on what part(s) of the network the query originates from. That's, well, the goal of a split-horizon configuration.

Split-horizon is also why you may need to add public IP addresses into your private DNS configuration, and why you need to track external host names from external DNS.

This is also why I tend to run two different zones and two different domains (or a domain and subdomain) here. One inside. One outside. Less confusion, arguably. What's private and inside and what's public and outside the firewall is immediately obvious.

Since I don't run authoritative DNS for this domain in the outside world, I can't know what the numerical IP address of the public "www.example.com" server will always be, so I can't configure my zone with a number, can I? Is the forwarder supposed to handle this (it doesn't seem to)?


But you are running authoritative DNS for the domain. Split-horizon is just that.

And FWIW, it can be beneficial to have two DNS servers around, too; a primary and a secondary. That way, your local network doesn't end up hosed when your (sole) DNS server is offline for, well, whatever reason it's offline for.
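The behaviour described in this reply (the authoritative server either has the record or answers NXDOMAIN, it never forwards for its own zone; and which records a client sees depends on where the query comes from) is shown below as a small simulation. It is an added example, not code from the original thread or from the node/1436 document; the views, the LAN range and the provider addresses (TEST-NET placeholders) are constructed, and the forwarder is a stand-in dictionary rather than a real recursive resolver.

```python
import ipaddress

ZONE = "example.com."
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed data for the walk-through. The private address is the one in the
# post; the provider-hosted www/mail addresses are TEST-NET placeholders.
EXTERNAL_VIEW = {                      # what the registrar/provider DNS publishes
    ("www.example.com.", "A"):  ["203.0.113.10"],
    ("mail.example.com.", "A"): ["203.0.113.25"],
    ("example.com.", "MX"):     ["10 mail.example.com."],
}
INTERNAL_BEFORE = {                    # the LAN zone as first set up: LAN hosts only
    ("example.com.", "A"):        ["192.168.0.2"],
    ("server.example.com.", "A"): ["192.168.0.2"],
    ("wiki.example.com.", "A"):   ["192.168.0.2"],
}
# The fix the replies describe: mirror the public records into the private view.
INTERNAL_AFTER = {**INTERNAL_BEFORE, **EXTERNAL_VIEW}

# Stand-in for the forwarder (the rest of the Internet); consulted only for
# names outside the zone.
FORWARDER = {("www.apple.com.", "A"): ["198.51.100.7"]}


def fqdn(name):
    """Lower-case and terminate the name the way the resolver will compare it."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_zone(qname, zone=ZONE):
    return qname == zone or qname.endswith("." + zone)


def answer(view, qname, qtype):
    """Authoritative lookup: names inside the zone never go to the forwarder."""
    qname = fqdn(qname)
    if in_zone(qname):
        if any(owner == qname for owner, _ in view):
            return ("NOERROR", view.get((qname, qtype), []))  # empty list = NODATA
        return ("NXDOMAIN", [])             # the status the post's second dig shows
    return ("NOERROR", FORWARDER.get((qname, qtype), []))


def resolve(qname, qtype, client_ip, internal=INTERNAL_AFTER, external=EXTERNAL_VIEW):
    """Split horizon: choose the view by the client's source address, then answer."""
    view = internal if ipaddress.ip_address(client_ip) in LAN else external
    return answer(view, qname, qtype)


def missing_public_records(internal, external):
    """Maintenance check: public records the private view has not yet mirrored."""
    return sorted(key for key in external if key not in internal)


if __name__ == "__main__":
    print("before fix, LAN asks for www:", answer(INTERNAL_BEFORE, "www.example.com", "A"))
    print("after fix,  LAN asks for www:", resolve("www.example.com", "A", "192.168.0.50"))
    print("WAN asks for wiki:           ", resolve("wiki.example.com", "A", "198.51.100.9"))
    print("still to mirror:             ", missing_public_records(INTERNAL_BEFORE, EXTERNAL_VIEW))
```

The `missing_public_records` check is the part worth automating in practice: because the private view is authoritative, every host the provider adds or renumbers on the public side has to be carried over by hand, and a periodic comparison of the two views is how that drift is caught.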

Oct 27, 2010 8:27 PM in response to MrHoffman

Sir,

Thank you for providing an authoritative (grin!) answer for this.

In an era when Apple is selling gobs of sweet little thousand dollar servers, more and more owners are going to be in the same situation as the business I'm describing; working behind consumer grade DSL on a non-static IP address using consumer grade routing/translating hardware, using OS X Server for internal-only collaborative services (calendar, address book, files, etc) while having critical public facing services (i.e. web and mail) hosted by service providers with their hardened data-centers and qualified staff. Such non-enterprise businesses have no business being authoritative for any publicly accessible domain; that would be much better handled by their hosting provider or registrar.

Given that split-brain is inappropriate for a shop that doesn't want to maintain any public facing services, which remaining name choice would be best practice?

Should it be <example.net>, registering a name just to reserve it for ourselves?
Should it be <xyzzy>, making sure that the bogus TLD is very, very bogus?

The first requires a bit of annual expense and attention, kind of a waste for a name that will never be routed through the tubes.

The second allows for some whimsy in selecting a TLD (server.rootbeerfloat? server.bananasplit?), and given the small size of the "entire infrastructure" might be the less complex choice?

And a last (somewhat related) question: as I'm being asked to fix this by the business owner who approached things the wrong way, will SLS allow me to "clean out all of the zones" currently entered in this running (but not deployed) server to start over with a different domain name? I'm not averse to wiping the drive and configuring from scratch with Server Assistant, but if I can save time by doing all this without rebooting/reinstalling (since the machine doesn't have an optical drive) it would be nice to know.

With much respect,

David

Oct 28, 2010 5:34 PM in response to David Schwartz5

Given that split-brain is inappropriate for a shop that doesn't want to maintain any public facing services, which remaining name choice would be best practice?


My preferred practice is a real and registered domain, or a subdomain of a real and registered domain. (One of yours, or one where you are coordinating a subdomain or the whole domain with the domain registrant.) That acquisition is a cheap investment, and it means you'll never collide with another domain, and (if you should eventually decide to allow some services to become visible outside your LAN) you're playing by the public rules and you have options that don't require you to rename everything.

Picking a bogus domain is tougher than it looks, and (if you're unlucky with your choice) a real TLD can be activated and can then collide with your domain. I'd be flabbergasted if there weren't more TLDs coming on-line in the upcoming years; that's been the general direction IANA seems headed with gTLDs (http://en.wikipedia.org/wiki/Generic_top-level_domain). Which means that bogus TLDs like xyzzy might eventually be bought and brought online.

This is why I prefer to run two different zones and two different (registered) domains (or a domain and subdomain of a registered domain) here. One domain inside your firewall perimeter. One outside. This is less confusion, in my possibly perverse view. What's private and inside and what's public and outside the firewall is immediately obvious from the domain name (or subdomain name) used.

As for cleaning out DNS zones, sure. Nuke and pave. That's the easy part. But that's not where the "fun" is. These domain name references tend to get embedded everywhere. Which is why changing this domain stuff can get hairy, particularly as you add devices and services to your network.

Oct 30, 2010 6:33 AM in response to MrHoffman

In most split-brain setups we're using here, our clients outsource their mail server and (public) websites, regardless of the possibility to host them in-house. If that's the case, it might be worth adding something about MX records in a split-brain setup:

the internal DNS for the zone must provide an MX record for the zone, e.g. mail.example.com, and - of course - an A record for exactly this hostname (mail) which points to the (external) hoster's IP of the mail server.

Regards
Goofy

Oct 30, 2010 7:24 AM in response to David Schwartz5

Hello David

I don't agree that (small) businesses like the ones you're describing don't have any need of "being authoritative" for their zones - maybe not FOR the public, but FROM the public.

Why should I set up collaboration services internally only when they're not accessible from the outside? Just think of calendars: my customers are getting sick (sorry) of being forced to start the VPN connection on their iPhones - to view their calendar...

So what to do? In a split-brain setup they can reach "internal only" resources (such as iCal) always with the same - their own - domain name, which seems to be quite important because it's less confusing; e.g. ical.example.com. And with two DNS servers in place, it doesn't matter where the request is being made from (LAN or WAN).

Of course I could use a separate domain for such a scenario too - but then we're not talking about split DNS anymore. And, in my opinion, it's quite uncool 😉

Regards
Roman

Oct 31, 2010 9:09 AM in response to MrHoffman

MrHoffman wrote:
My preferred practice is a real and registered domain, or a subdomain of a real and registered domain. (One of yours, or one where you are coordinating a subdomain or the whole domain with the domain registrant.)



By "coordinating … with the domain registrant" do you mean point to a public facing DNS server that you maintain?


...if you're unlucky with your choice) a real TLD can be activated and can then collide with your domain



But collision would do nothing other than prevent users on your LAN from accessing sites living beneath that matching top level domain. So if your internal server is <server.northmainoffice> and five years from now someone begins offering netizens pages from <www.server.northmainoffice>, being unable to route to that machine might not be a deal breaker. But yes, it's worth serious consideration.


Gxxfy wrote:
with two DNS-Servers in place, it doesn't matter where the request is being made from (LAN or WAN).



Does "two DNS-Servers" mean two individual OS X Server machines on-site? One, with two network interfaces, acting as the gateway, and one inside the local network? That would be a trade-off in cost and complexity to be weighed against touching the VPN button on iOS.



-
What I find missing in most of these discussions (including, respectfully, the critically important node/1436 reference document) is consideration of the infrastructure necessary for the different DNS options. Some of the questions I still have include:

Which are the setups that work with only a single server and a single dynamic IP address?
What options require a static IP?
What configurations work with a single server facing outwards and inwards?
What tasks can be shared with hosting provider DNS servers?
What configurations require two physical OS X Server boxes?

I know this is intuitive for some. But as I noted upthread there are more and more OS X Server owners coming on line due to Apple's aggressive product offerings; for them it can be a challenge to get it right.
