Split DNS can't resolve external web site

Friends:

I must be doing something wrong with my DNS setup. I have a Split DNS with both my website EXAMPLE.com and my server as EXAMPLE.COM. I can resolve to my intranet site by typing example.com and that works fine, but when I try to resolve to my external site I get an error when I type www.example.com .

I am running SL 10.6.4 on the new mac mini server

Primary zone: Example.com
Name Server: Zone=Example.com NS:Server.example.com.

DNS ENTRIES:
Machine record: Machine Name=example.com. IP=192.168.0.2
Alias: Name=www Destination= 7.74.184.000


I double checked our intranet; it is simply the wiki server. I have two sites defined.

1) One is on port 80 with IP of 192.168.0.2 that forwards every incoming request to our second site. I used an ALIAS with a RedirectMatch with a pattern of (^/(.*)$) to point to our https://mobile.example.com site. There are no options or web services running on this one site.

2) The second site is on port 443 with the IP of 192.168.0.2 which runs the wiki server. It uses SSL of course and has the Wiki, Blogs and Calendars options enabled.

Here are my new dig responses

*****Dig example.com ****** (Everything seems OK here)
; <<>> DiG 9.6.0-APPLE-P2 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8993
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 10800 IN A 192.168.0.2

;; AUTHORITY SECTION:
example.com. 10800 IN NS Server.example.com.

;; ADDITIONAL SECTION:
Server.example.com. 10800 IN A 192.168.0.2

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 26 09:56:06 2010
;; MSG SIZE rcvd: 90



**********Dig www.example.com ************
; <<>> DiG 9.6.0-APPLE-P2 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20964
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com. IN A

;; ANSWER SECTION:
www.example.com. 10800 IN CNAME 97.74.184.000.example.com.

;; AUTHORITY SECTION:
example.com. 3600 IN SOA Server.example.com. steve.example.com. 2010082602 86400 3600 604800 3600

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 26 09:58:50 2010
;; MSG SIZE rcvd: 118

Anyone with insight into my issues? Again I don't understand why when I dig www.example.com I get the IP address of where it is supposed to point to but I also get example.com. appended to the end of it as seen here...97.74.184.000.example.com.

thanks all for at least taking a look at my problems...

Steve

Mini server 2010, Mac OS X (10.6.4)

Posted on Aug 26, 2010 10:20 AM
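An added example, not code from the post or from Mac OS X Server: a small Python model of how a BIND-style zone loader qualifies names that lack a trailing dot against the zone origin, which is exactly why the www alias above comes back as 97.74.184.000.example.com., together with a check that flags a CNAME whose target is an IP literal (an address belongs in an A record; a CNAME target must be a hostname). The record list is constructed from the post; the function names are assumptions.

```python
import re

# Constructed sample zone, modelled on the records in the post above.
# Server Admin's "Alias: Name=www Destination=97.74.184.000" is stored as a
# CNAME whose target has no trailing dot, so it is treated as relative.
ORIGIN = "example.com."
ZONE_RECORDS = [
    ("@",      "A",     "192.168.0.2"),
    ("Server", "A",     "192.168.0.2"),
    ("www",    "CNAME", "97.74.184.000"),   # the problematic alias
]

def qualify(name: str, origin: str) -> str:
    """Zone-file name rules: '@' is the origin, a trailing dot means
    fully-qualified, anything else is relative and gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def load_zone(records, origin):
    """Return (owner, type, rdata) as a zone loader would hold them.
    Address rdata (A) is left alone; CNAME rdata is a domain name and is
    qualified, which turns an IP literal into a bogus hostname."""
    loaded = []
    for owner, rtype, rdata in records:
        fq_owner = qualify(owner, origin)
        fq_rdata = qualify(rdata, origin) if rtype == "CNAME" else rdata
        loaded.append((fq_owner, rtype, fq_rdata))
    return loaded

def looks_like_ipv4(text: str) -> bool:
    """Dotted quad test; deliberately lenient (accepts '000') so it also
    catches the value typed in the post."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", text.rstrip(".")) is not None

def lint_cnames(records):
    """Flag CNAMEs whose target is an IP literal before the zone is loaded."""
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME" and looks_like_ipv4(rdata):
            problems.append(f"{owner}: CNAME target {rdata!r} is an IP; use an A record")
    return problems

if __name__ == "__main__":
    for rec in load_zone(ZONE_RECORDS, ORIGIN):
        print(rec)
    print(lint_cnames(ZONE_RECORDS))
```

Running it reproduces the dig output above (www.example.com. CNAME 97.74.184.000.example.com.) and reports the alias that should have been an A record in the internal zone.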

19 replies

Oct 31, 2010 11:04 AM in response to David Schwartz5

By "coordinating … with the domain registrant" do you mean point to a public facing DNS server that you maintain?


No. I mean the domain registrant; the organization or individual that has the domain registration. Witness the number of times you'll see folks use mydomain.com or other domains; domains that are registered. "Making up a domain" can sometimes be a surprisingly difficult prospect, too.

Put another way, when you're using DynDNS, you're coordinating your use with the domain registrant.

But collision would do nothing other than prevent users on your LAN from accessing sites living beneath that matching top level domain. So if your internal server is <server.northmainoffice> and five years from now someone begins offering netizens pages from <www.server.northmainoffice>, being unable to route to that machine might not be a deal breaker. But yes, it's worth serious consideration.


DNS works because everybody (usually) plays by the rules. DNS is one of the few areas where - if you mess up - you can end up disrupting another site, or blowing another site off the 'net. In your example, should any bogus DNS stuff leak out of your LAN, you can end up blowing the folks off the Internet, and they'll be cranky.

Does "two DNS-Servers" mean two individual OS X Server machines on-site? One, with two network interfaces, acting as the gateway, and one inside the local network? That would be a trade-off in cost and complexity to be weighed against touching the VPN button on iOS.


Mac OS X stinks as a gateway. I discourage folks from even trying that. (Look around the forums. You'll find, for instance, that Mac doesn't differentiate the ports and will open up services on all ports, which means you can end up exposing traffic on the outside of your server.)

This is NOT connected to whether you're running a VPN; a firewall can terminate a VPN or can pass it through. Having a VPN server embedded in the firewall is convenient, and it avoids (some of) the "fun" with the massive hack that is NAT.

Which are the setups that work with only a single server and a single dynamic IP address?


Stuff that's not blocked by the ISP, and stuff that's not particularly concerned with network security.

What options require a static IP?


Anything involving mail, or security-based protocols or certificates; where the rDNS matters.

What configurations work with a single server facing outwards and inwards?


Eh? You're either inside the network demarcation, or outside. If you're the firewall, you also have to watch everything you do; installations or reconfigurations or opening ports and patches and whatever. Unlike an external firewall, where you have to connect to it to make these changes, a general-use server tends to see some configuration churn, and that churn can open up network exposures.

What tasks can be shared with hosting provider DNS servers?


Whatever you want, up until you have sufficient load on the DNS servers; either sufficient load on the DNS to make everything else slow, or sufficient load elsewhere to make DNS slow. That's usually a fairly substantial load.

What configurations require two physical OS X Server boxes?


Those where you'd like continued uptime and DNS access when one of your servers is down for repairs or maintenance or upgrades.

If you have suggestions how I could rewrite or reword or rework that article, well, I'm interested. It seems everybody goes blowing right past the discussion of the network demarcation, and the recommendation for the external firewall.

Oct 31, 2010 5:33 PM in response to MrHoffman

Thanks very much for the helpful website MrHoffman!

Following your directions I now have DNS running, but I have a question. You say "The only references to your ISP DNS servers or to Google DNS or such will be as forwarding entries within your DNS server configuration."

How then does my server know where to get "outside" DNS entries? My server is indeed working, with only my internal zone defined and System Prefs > Network > DNS Server set to 127.0.0.1. I am also pointing my Airport Extreme to the new server DNS service and all appears to be working, but where is the server getting its DNS data?!?

Nov 1, 2010 1:07 AM in response to MrHoffman

@David: Usually even small businesses already own a domain name, e.g. example.com. This domain is probably being hosted by an ISP - the ISP's DNS is in place for requests made from the WAN. I call this DNS-1.

If you're setting up collaboration services in-house, you - of course - have to set up the DNS of the OS X server (I call this DNS-2). You could then use a generic TLD such as example.lan, which is quite uncool as such a domain name cannot be resolved publicly. So what to do?

You will set up DNS-2 as DNS for the example.com zone too. Just make sure that your devices in the LAN are using the OS X server as DNS. You are then able to set up a CNAME for each service (if needed), e.g. ical.example.com.

And what about leaving the office, with a laptop and/or an iPhone? Well, you have to make sure that this CNAME - ical.example.com - is also available on the public DNS, DNS-1. Many ISPs and/or hosters won't allow you to edit the zone information - but the nice ones will 🙂 This CNAME will point to the office's static IP, and your router/firewall will forward the port (e.g. 8443) to the OS X server in the LAN.

This is (simplified) what I meant with two DNS servers in place: you're able to resolve a domain name, such as ical.example.com, from anywhere - because in the LAN your DNS-2 is resolving the name, and in the WAN your DNS-1 does the same.

So this setup needs a static IP in the customer's office - but only one DNS (DNS-1). You just have to make sure that you're able to edit the zone on the public (DNS-2) server from your hoster.


@axelessbaum: Your DNS directly connects to the root-servers. You can find the config file in /var/named/named.ca. You might want to update the addresses sometimes with dig or something else (dig . ns > /var/named/named.ca).

Regards
Roman
