FQDN, DNS and Routing

Hi all,

I am currently setting up a Mac infrastructure - a Mac Pro and a couple of Mac Minis, all running Mac OS X Server. I have a Sonicwall TZ 210 router set up, and I do have a static IP - pointing to a particular domain name. My question is - how do I set up FQDNs for each of these machines? I have separate Wikis running in all three of them, and want any user to access these with URLs like macpro.mydomain.com/macminione.mydomain.com or macminitwo.mydomain.com.

Do I set up these FQDNs (and corresponding local IPs) on the router I have? Do I need to set up A records for these (with the domain name provider) or do I have to set up FQDNs on the Macs and then route their IPs on the Router?

Please let me know how to go about this.

Thanks!

Mac Pro, Macbook Pro, Mac Mini, Mac OS X (10.6.5), Networking

Posted on Jan 18, 2011 11:28 AM

11 replies

Jan 18, 2011 11:58 AM in response to prodigy1485

My question is - how do I set up FQDNs for each of these machines


You install a DNS server - any of your Macs can do this.

Do I set up these FQDNs (and corresponding local IPs) on the router?


This has nothing to do with your router.

Do I need to set up A records for these


Yes.

Do I have to set up FQDNs on the Macs


Well, you'll kind of get this via DNS...

and then route their IPs on the Router


If these machines are all on the LAN it has nothing to do with your router.
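As an added example (not from the thread, and not Apple's or the replier's own configuration), this is what the "yes, you need A records" answer looks like in BIND zone-file form, the format the Mac OS X Server DNS service manages underneath Server Admin. Every address is made up: the Mac Pro at 192.168.1.10 is assumed to run the DNS server, the two Minis are assumed to be .11 and .12, and the serial is a date stamp. The second file is the matching reverse zone, which is what gives you the IP-to-name translations the next reply mentions.

```zone
; ---- db.mydomain.com : forward zone (name -> address), internal copy ----
$TTL 3600
$ORIGIN mydomain.com.
@               IN  SOA   macpro.mydomain.com. hostmaster.mydomain.com. (
                          2011011901 ; serial: YYYYMMDDnn, bump it on every edit
                          3600       ; refresh
                          900        ; retry
                          604800     ; expire
                          300 )      ; negative-cache TTL
                IN  NS    macpro.mydomain.com.

; the DNS server itself (hypothetical address)
macpro          IN  A     192.168.1.10
; the two Minis, each hosting its own wiki (hypothetical addresses)
macminione      IN  A     192.168.1.11
macminitwo      IN  A     192.168.1.12

; ---- db.192.168.1 : reverse zone (address -> name) for 192.168.1.0/24 ----
$TTL 3600
$ORIGIN 1.168.192.in-addr.arpa.
@               IN  SOA   macpro.mydomain.com. hostmaster.mydomain.com. (
                          2011011901 3600 900 604800 300 )
                IN  NS    macpro.mydomain.com.

10              IN  PTR   macpro.mydomain.com.
11              IN  PTR   macminione.mydomain.com.
12              IN  PTR   macminitwo.mydomain.com.
```

Two checks worth doing before reloading: run named-checkzone (it ships with BIND) against each file to catch a missing trailing dot or a bad SOA, and remember that once this server is authoritative for mydomain.com on the LAN it answers for the whole domain there, so any public name you depend on (www, mail) has to be entered in this internal zone too or it will silently stop resolving from inside.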

Jan 18, 2011 12:23 PM in response to prodigy1485

Also, can I use this same DNS server to configure another FQDN for a non-Mac device?


You're configuring host name translations to IP addresses, and IP address translations to host names.

And DNS is DNS.

The DNS clients are oblivious to the particulars of the DNS server(s) in use, and the clients largely care only if a DNS server is reachable (more than one can be configured for redundancy), and if there's a DNS translation returned, or not.

I would also need to host a RSA SecurID appliance along with these Macs and I need an FQDN setup for that too.


That widget also involves LDAP, which means tie-ins to that directory service, or a configuration with that device and another LDAP service, whether Mac OS X Server and Open Directory, or Microsoft Active Directory, or some other mechanisms.

DNS is usually fairly easy. LDAP can get a bit more interesting, and somewhat more complex.

If you're messing with an RSA SecurID appliance, then you may already have DNS services available on your network. That box isn't typical SOHO gear, after all. And if there are DNS services on the local network, then Mac OS X and Mac OS X Server (and most any other box, what with DNS being DNS) are quite willing to use the existing DNS servers.

And if you need to configure to interoperate and particularly to share LDAP with an existing LDAP configuration on a Microsoft Active Directory or Open Directory infrastructure, then you're into a configuration that is a step or two up from getting DNS going, or getting baseline LDAP going.

This can then lead to the so-called golden triangle configuration, too.

Jan 19, 2011 12:14 PM in response to Antonio Rocco

@Hoffman, I used that link to pretty much set up everything there. I believe everything went smoothly. Once I followed those steps, I added the Mac as the ONLY DNS server on my Router. I was able to get access to the other Macs on my LAN (via FQDNs) both from the LAN and externally too. However, my Internet does not work in this case. My forwarders are pointing to the DNS servers that my ISP provided on the Mac (under localnets).

However, when I add both the Mac IP and ISP-DNS IPs as my DNS Servers in my Router, I get connected to the Internet, but I am not able to get to the local Macs with their FQDNs. I get a '400-Bad Request' HTML page.

Where do you think I am going wrong?

Thanks!

@Tony, I am not sure at this time as to if I want to integrate external LDAPs. It might probably be just OD from Mac.

Jan 19, 2011 1:10 PM in response to prodigy1485

Since you appear to already have DNS for your existing AD infrastructure, why are you setting up a second DNS server configuration here?

The following applies +if you do not already have DNS services+ on your local area network.

@Hoffman, I used that link to pretty much set up everything there. I believe everything went smoothly.


Something failed.

Once I followed those steps, I added the Mac as the ONLY DNS server on my Router. I was able to get access to the other Macs on my LAN (via FQDNs) both from the LAN and externally too.


Routers know nothing about DNS. Routers route packets, and those packets might be, well, anything.

Firewalls are specialized routers that have programmable packet loss capabilities.

But to be pedantic, routers and firewalls know nothing about DNS.

Now as for DHCP servers, services which are often embedded in gateway boxes, now those can ask for the address of a DNS server, so that they may provide that to DHCP clients. If your gateway is serving DHCP, that configuration would make sense.

However, my Internet does not work in this case.


That means DNS is wrong, or IP routing is wrong.

My forwarders are pointing to the DNS servers that my ISP provided on the Mac (under localnets).


Forwarders exist for a couple of reasons. They can serve to slow down your network connection (by adding an extra "hop" into the translations), or to connect to caching DNS servers (which might be useful, particularly if a zillion hosts are all making the same general DNS translations; if not, you get that extra "hop" here), or as a way to connect to a DNS server that also implements nanny filters.

When first getting going with local DNS services, none of these will generally apply.

Put more simply, don't use forwarders until and unless you need to.

However, when I add both the Mac IP and ISP-DNS IPs as my DNS Servers in my Router, I get connected to the Internet, but I am not able to get to the local Macs with their FQDNs. I get a '400-Bad Request' HTML page.


Don't mix DNS servers in one specification. When you list multiple servers all listed together in a configuration or set-up somewhere, the specified DNS servers should be peers, and operating with the same zones and same hosts. Mixing your own DNS server(s) and remote DNS servers means, for instance, that you get the local values sometimes, and the remote values otherwise, and you're never sure which you'll get.

Your DNS server(s) are the point of contact with the remote DNS servers.

That 400 is an HTTP error which implies you're getting connected to (guessing) the gateway.

Which implies an IP routing problem of some sort. Could be an external address, and a gateway that's not smart enough to re-NAT it. Or an IP addressing error. Or a DNS translation error.

What is your IP address space, and what are the addresses of your gateway or router, your DNS server, and your client?

Do the troubleshooting dig commands listed in the article get you more information on the configuration?

And for completeness, what is the setting of the DNS server on the DNS server itself? That must be 127.0.0.1 on the network controller, and only on that host. What is the DNS server setting on the clients? If the clients aren't using the DNS server received from the local DHCP server (or haven't received an update since the DHCP setting changed) they can have the wrong DNS address here.
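The two checks this reply asks for (what resolvers the client is really using, and whether the listed resolvers agree on the LAN names) can be scripted. The script below is an added example, not the replier's troubleshooting article or anything from Apple; the resolver addresses and host names in it are constructed placeholders (192.168.1.10 is assumed to be the Mac running DNS, 75.75.75.75 stands in for an ISP resolver). It queries each resolver for each name with dig and reports the mixed-resolver symptom described above: one server answering with a LAN address while the other returns nothing or a public address.

```shell
#!/bin/sh
# Added example: does every resolver a client lists agree on the LAN names?
# Addresses and names are constructed for illustration; replace with your own.

RESOLVERS="192.168.1.10 75.75.75.75"   # hypothetical: Mac DNS server, then an ISP resolver
NAMES="macpro.mydomain.com macminione.mydomain.com macminitwo.mydomain.com"

# lookup SERVER NAME: print the A records SERVER returns for NAME, sorted and
# comma-joined, or NOANSWER if nothing comes back (NXDOMAIN, refused, timeout).
lookup() {
    ans=$(dig +short +time=2 +tries=1 @"$1" "$2" A 2>/dev/null \
          | grep -E '^[0-9.]+$' | sort | paste -sd, -)
    printf '%s\n' "${ans:-NOANSWER}"
}

# answers_agree PAIR...: each PAIR is "server=answer". Returns 0 only when every
# answer is identical and none is NOANSWER. Pure shell, so it needs no network.
answers_agree() {
    first=
    for pair in "$@"; do
        ans=${pair#*=}
        [ "$ans" = "NOANSWER" ] && return 1
        if [ -z "$first" ]; then
            first=$ans
        elif [ "$ans" != "$first" ]; then
            return 1
        fi
    done
    [ -n "$first" ]
}

# classify_answer ADDRESS: "lan" for an RFC 1918 address, "public" otherwise,
# "none" for NOANSWER. A LAN name resolving to "public" from one resolver and
# "lan" from another is exactly the split the reply warns about.
classify_answer() {
    case "$1" in
        NOANSWER) echo "none" ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "lan" ;;
        *) echo "public" ;;
    esac
}

# check_names: query every resolver for every name, flag any disagreement.
check_names() {
    rc=0
    for name in $NAMES; do
        pairs=
        for srv in $RESOLVERS; do
            a=$(lookup "$srv" "$name")
            printf '%-28s @%-15s -> %s (%s)\n' "$name" "$srv" "$a" "$(classify_answer "${a%%,*}")"
            pairs="$pairs $srv=$a"
        done
        # shellcheck disable=SC2086  (word-splitting on purpose; answers are comma-joined)
        if answers_agree $pairs; then
            echo "  OK: all resolvers agree on $name"
        else
            echo "  MISMATCH on $name: do not list LAN and ISP resolvers side by side"
            rc=1
        fi
    done
    return $rc
}

# show_client_resolvers: what this client actually uses (DHCP-supplied or manual).
show_client_resolvers() {
    if command -v scutil >/dev/null 2>&1; then
        scutil --dns | grep -E 'nameserver\[' | sort -u      # Mac OS X
    elif [ -r /etc/resolv.conf ]; then
        grep '^nameserver' /etc/resolv.conf
    fi
}

if command -v dig >/dev/null 2>&1; then
    show_client_resolvers || true
    check_names || echo "at least one name resolves differently depending on the resolver"
fi
```

Run it on a LAN client and on the DNS server itself; on the server, the only nameserver scutil should report is 127.0.0.1, and a mismatch line for any of the three names means the client list still contains a resolver that knows nothing about mydomain.com.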

Jan 19, 2011 1:49 PM in response to MrHoffman

Hi MrHoffman,

Really appreciate your help here. Just wanted to clarify a few things:
DHCP - This is performed by the router, I am not using the Mac server to do this. And I do have a few servers setup with static IPs.
DNS - This is now being performed by one Mac server. I followed everything from the link that I had before. This is my first and only DNS setup, so far.
DNS Server on Router - I can manually configure my DNS servers on my router. Now, I have the Mac server IP address (which provides DNS service) as my only DNS server listed on the router.

I configured the rest as you mentioned - 127.0.0.1 as DNS server on the machine serving as DNS server, clients having just the DNS Server IP. Point noted on forwarders.

I am glad to say that I am now able to access the local machines through their FQDNs within the LAN. (phew! :))

However, I tried accessing these machines from an external network (via FQDNs). In this case, I get the '400-Bad Request'. Any possible configurations I have missed (NAT policy??)?

Thanks!

Jan 19, 2011 2:56 PM in response to prodigy1485

However, I tried accessing these machines from an external network (via FQDNs). In this case, I get the '400-Bad Request'. Any possible configurations I have missed (NAT policy??)?


The '400-Bad Request' is arising from what? The result of entering something (what?) into a web browser on the remote client? The usual trigger for the HTTP 400 is an ill-formed URL typed into the browser; something got to a web server (somewhere), and the HTTP 400 code is the web server's code for the huh? status.

To confirm, these hosts are operating externally, and you are attempting to connect inward through the gateway (into a web server?)? The connections are clearly getting to something, so see if it's your web server by checking your web server logs.

The configuration for external-facing DNS differs (http://labs.hoffmanlabs.com/node/1594) from that of local DNS services, as your local DNS server(s) are not (outside of the use of a VPN or such to connect into your LAN) likely going to be accessible or visible outside, nor authoritative. That's something best left to your ISP.

And if you're not on a business-class tier of service, it's fairly common for an ISP to block server-oriented protocols.
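To make the "external-facing DNS differs from local DNS" point concrete, here is an added example (not the replier's article, not Apple's configuration) of the split-horizon arrangement in BIND terms: LAN clients get the 192.168.1.x answers, everyone else gets the single static address. 203.0.113.10 stands in for the static IP, the LAN range is assumed to be 192.168.1.0/24, and the file names are placeholders. Whether you run the external view yourself or, as the reply recommends, keep the public zone at the ISP or registrar, the records in the external file are the ones that belong out there.

```bind
// ---- named.conf fragment: one server, two views of mydomain.com ----
acl "lan" { 127.0.0.1; 192.168.1.0/24; };   // hypothetical LAN; adjust to yours

view "internal" {
    match-clients { "lan"; };
    recursion yes;                 // LAN clients may use this box as their resolver
    zone "mydomain.com"           { type master; file "db.mydomain.com.internal"; };
    zone "1.168.192.in-addr.arpa" { type master; file "db.192.168.1"; };
};

view "external" {
    match-clients { any; };
    recursion no;                  // never recurse for strangers; open resolvers get abused
    allow-transfer { none; };      // nobody outside needs a copy of the zone
    zone "mydomain.com"           { type master; file "db.mydomain.com.external"; };
};

; ---- db.mydomain.com.external : what the Internet is told ----
$TTL 3600
$ORIGIN mydomain.com.
@            IN  SOA  macpro.mydomain.com. hostmaster.mydomain.com. (
                      2011011901 3600 900 604800 300 )
             IN  NS   macpro.mydomain.com.
; every host name maps to the one static address (placeholder 203.0.113.10);
; the internal file holds the 192.168.1.x addresses instead
macpro       IN  A    203.0.113.10
macminione   IN  A    203.0.113.10
macminitwo   IN  A    203.0.113.10
```

Two caveats follow directly from the external file. First, all three names resolve to the same public address, so the TZ 210 can forward TCP port 80 to only one of the Macs; the other two wikis need either a different forwarded port or a reverse proxy on the forwarded host that picks the wiki from the Host header, and a browser that lands on the gateway's own HTTP listener instead is one plausible source of a bare 400. Second, views are a hand edit to named.conf; confirm the Server Admin DNS pane is not regenerating that file over your changes, and run named-checkconf after editing.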

Jan 20, 2011 1:28 AM in response to MrHoffman

Well, I just cross-checked everything. And the setup looks ok to me. OK doesn't mean correct, otherwise I wouldn't be facing such issues 😐

I do have a Comcast Business account. Just to make the topology clear, I have the Comcast-supplied modem at the front of my LAN, followed by my router (Sonicwall TZ 210). Then, I have the Mac servers behind this router. As I mentioned, I have set the Router with the DNS server (Mac server). I am able to access the machines internally over LAN. Again, I am not able to access these on Wireless (WLAN) though. I checked my firewalls too, to make sure that I am not blocking any port (specifically 53).

I have a feeling it might be my Modem (Comcast). It's configured with the DNS servers my ISP(Comcast) provided. Should this be changed to the local DNS server that I have now?

Jan 20, 2011 5:56 AM in response to prodigy1485

The DHCP server must provide the address of the DNS server for the subnet.

Having two different sets of DNS servers (local and ISP) will not work.

As for the HTTP 400 error, that makes little sense to me. Without context around the network path and the command input and the IP addressing involved for that error, there can be various possible causes.

I'd suggest calling somebody in; DNS and an IP network setup with Comcast Business as the ISP is not a large effort, and that'll get you online. If you choose wisely, you'll get somebody that will spend some time explaining how these pieces work, and how DNS and IP and routing fit together.
