8 Replies Latest reply: Jun 3, 2011 1:33 PM by Morris Zwick
Morris Zwick Level 1 (0 points)

My Mac Mini Server is located in a colo site. We generally use it for Web, email and a couple of application-specific services. It has a dedicated IP address. We have a separate DNS service we use to point to the domains on the server located remotely from the server. Forward and reverse lookups work fine from the server, even though the local DNS service is turned off.


However, we now have a couple of things we want to access remotely on the server via VPN (for example, some files via AFP). The firewall blocks remote AFP requests (using the built-in firewall, not a separate box). We can connect via VPN without problems. However, AFP does not work. If I allow AFP in the firewall and try to connect, no problems at all.


Since the Mini is located by itself and will never likely have anything connected to a "local network" (never running DHCP, etc.), there generally doesn't seem to be a need to run DNS on the server.


I suspect the problem is that when you VPN into the server you are on its "local network", whatever that means, so the DNS does not resolve since the local DNS service is not running. However, I am not positive of this.


Must we run local DNS? Does it have to mirror the remote DNS that we currently reference? Can we somehow "reference" the local DNS from VPN clients trying to access local services?


I hope this question makes some sense.

MacBook Pro, Mac Mini with Snow Leopard Server, Mac OS X (10.6.6), HP C4280 Printer
  • MrHoffman Level 6 (13,305 points)

    For many of its services and basic operations, Mac OS X Server needs and wants to have DNS available.


    Those DNS services don't need to be self-hosted, but that's one of the available options.  (Specific details here depend on whether this host is using a public static IP address, or a private LAN and private IP address.)


    If DNS is self-hosted, the overhead of DNS services is negligible, and the setup is easy. If this server has a public static IP address, then public DNS services are entirely appropriate.


    And VPNs are based on DNS; that's part of how the client and the server and the certificates sort out trust.


    Exposing your file system (via AFP, SMB or otherwise) out to the Internet isn't something I'd recommend.


    Oh, and it's a whole lot (more) effort to unsnarl an existing and evolved configuration that should have had DNS and didn't, than getting DNS working (self-hosted or otherwise) from the onset.

  • Morris Zwick Level 1 (0 points)

    Thanks MrHoffman for your reply (and I have looked at much of the very helpful stuff you have posted about DNS and SLS on these boards).


    I do have a DNS for my domains (pointing to the server's fixed IP address) located on another server on the Internet. When on the server, forward and reverse DNS checks out fine. I don't run DNS locally since there is no local network. It wasn't until I wanted to use VPN to access services other than mail and web that I started to wonder if running a local DNS made sense.


    So... if I VPN into the server, which allocates a local set of addresses (even without DHCP running), does the DNS need to run on the server or can the client logged in via the VPN still get services from the server by referencing the DNS hosted over the Internet? I am guessing perhaps no, since the local "network" created by the VPN is not accessible to the Internet.


    If this is the case, is the best solution to replicate the DNS entries from my hosted DNS on the SLS DNS, then turn the local DNS service on? Since the domains are registered with the remote DNS server, I am assuming that having both the remote DNS and the local SLS DNS running the exact same tables will not cause a problem.


    I really DON'T want to expose AFP to the Internet: I want to get to it via VPN. My test was to see if services were not accessible from the "local" network created by the VPN.



  • MrHoffman Level 6 (13,305 points)

    Ok, my long(er) response got eaten by a back button or some Safari error somewhere, so I'll (re)post the highlights here.


    Either you have valid DNS services or you don't, and Mac OS X Server and many of the authentication- and security-related protocols and tools can tend to get cranky if you don't.


    Either you have your Mac or another box acting as a router or not.


    Either there's NAT here, or not.


    If your Mac has only a public static IP address and if sudo changeip -checkhostname returns its no changes required status, you're OK.


    If you have private IP addresses active here (irrespective of the VPN into the server) and are operating the Mac as a router or gateway router, then you will need to have DNS on both the public side and on the private side.


    If it's not clear from the above details, I don't yet understand your particular network configuration; I see references which imply NAT might be active, and others which don't, for instance.  I'm guessing that this Mac OS X Server box is either acting as a network gateway-NAT-router box, or that there's a gateway-NAT-router box in front of it.


    What I've seen of VPN connections into a server doesn't usually allocate local IP addresses on a local LAN.  The box you're connecting into acts as a router, and uses the host addresses.  (I've not seen one that particularly does that, but...)


    A VPN connection into a gateway router box can tend to allocate local IP addresses, if the VPN device is also implementing NAT.  This gives the box a way to associate the remote client with the local IP address and the local LAN activity; with what amounts to a virtual host on the local LAN that acts as a proxy for the remote VPN client box.


    This is your box, of course, so you're free to do whatever you want; you know your needs and requirements and expectations best.  If it were mine, I'd ensure sudo changeip -checkhostname worked; that the Mac OS X Server box thinks it has valid DNS.

  • Morris Zwick Level 1 (0 points)

    Bear with me please....


    The Mac Mini is in a data center on a shelf, getting a direct connection to the Internet via ethernet with a fixed IP address (under the covers, I suspect that the data center is using some sort of router or switch, but I am not paying for a hardware firewall or other gateway). There is no local network for the Mini. It is not running DHCP, not handing out NAT addresses, etc. DNS is currently off. Rather than using the local DNS, the Mini is resolving its DNS needs with a DNS server located at another site, over the Internet. This seems to work fine (i.e., changeip confirms it is working and services seem to work).


    I am currently using the software firewall built into SLS.


    I want to turn on VPN so that remotely located computers can access services on the Mini without having to make the services visible through the firewall.


    I am able to connect devices via VPN with little difficulty (iPhones, Macs, etc.). However, when I try to access services (let's use AFP as an example), I cannot access them UNLESS they are allowed through the firewall. This tells me that I am not seeing the services through the VPN, but rather through the Internet directly.


    What I meant by "local network" is that the VPN allocates local IP addresses when devices log into the VPN service (10.0.x.x). There is no DHCP allocating these addresses, just VPN.


    My question is: why can I not see the services on the Mini blocked by the firewall when successfully logged into VPN on the server? Isn't the whole point of the VPN to gain access to services behind the firewall?


    I am guessing (with no particular information to support my thesis) that somehow without DNS running on the Mini, VPN clients are unable to access services on the Mini. I do not know for sure, however, if this is the problem. If it IS a problem, then the question is whether I should completely copy the DNS entries from the remote DNS server to the Mini and start the service. Will that solve the issue? Create conflicts with the DNS (since it is now located on both a remote service and on the Mini)? It certainly will create a maintenance headache since now I will have to maintain the DNS in both places.


    I am hesitant to migrate all of my DNS services to the Mini (because I will also have to go to the domain registrars to change where they point, etc.) to eliminate the remote one. And I am not sure it will solve this problem anyway.


    Sorry for all of the typing!

  • MrHoffman Level 6 (13,305 points)

    I'd suggest running a traceroute and see which path the connections to the server are taking.  This should be via the VPN (tunnel), if the tunnel is operating correctly. 


    Alternatively, switch the VPN connection to route all traffic via the VPN.


    Please review the VPN client set-up on the client via System Preferences.  In particular, select Networks, then the VPN and then select Advanced and see if the "send all traffic" over the VPN is selected in Options (and as a test, select it), and post the settings you see under VPN on Demand (if any), TCP/IP, DNS and if you have anything checked under the Proxies setting.


    On reviewing the thread, I don't see which VPN protocol has been selected here, nor details on the VPN itself.  I would tend to expect L2TP or PPTP would be selected here, though there are other options.


    What I meant by "local network" is that the VPN allocates local IP addresses when devices log into the VPN service (10.0.x.x). There is no DHCP allocating these addresses, just VPN.


    There is no DHCP involved, and no private addresses with the typical client-to-host VPN configuration; that does not involve private IP addresses.

  • Morris Zwick Level 1 (0 points)

    I am running the built in SLS VPN, L2TP and MS-CHAPv2 Authentication, 128-Bit MPPE encryption and a Shared Secret.


    I ran Traceroute to the server with "Send all traffic" on and off, and the route to the server was identical in both cases. Even with "Send all traffic" on, no services are available if blocked by the Firewall.


    VPN on Demand is empty.



    Configure IPv4 = Using PPP

    IPv4 Address = (I set up a range from in the VPN on the server)

    Router = <same IP address as the server's dedicated IP>

    Configure IPv6 = Automatically

    <rest of the settings blank>


    DNS is empty


    Proxies is all unchecked and blank EXCEPT that "Use Passive FTP Mode (PASV)" checked ON.
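The identical traceroute above has a routing explanation that the thread never spells out: a client-to-host VPN installs a host route for the VPN server's public address via the physical interface, because that is the path the tunnel packets themselves travel. "Send all traffic" moves the default route into the tunnel but cannot move that host route, so anything addressed to the server's dedicated public IP bypasses the tunnel in both settings and hits the firewall from the Internet side. The script below is an added example, not code from the thread or from Apple; it replays longest-prefix route selection over two constructed routing tables (`netstat -rn`-style columns plus an explicit prefix length), using the RFC 5737 documentation address 203.0.113.10 for the server's public IP and 10.0.1.0/24 for the VPN range, both assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): why traceroute to the server's public
# address looked the same with "Send all traffic over VPN" on and off.
# Tables are constructed, modelled on `netstat -rn` columns (destination,
# gateway, interface) with a prefix length added. 203.0.113.10 is a
# documentation address standing in for the server's dedicated public IP;
# 10.0.1.0/24 stands in for the VPN address range. Both are assumptions.

# Client routing table with "Send all traffic over VPN" OFF.
TABLE_SPLIT='default       192.168.1.1  en0   0
203.0.113.10  192.168.1.1  en0   32
10.0.1.0      10.0.1.1     ppp0  24'

# Same client with "Send all traffic over VPN" ON: the default route now
# points into the tunnel, but the host route for the VPN server's public
# address stays on en0, or the tunnel packets themselves could not leave.
TABLE_ALL='default       10.0.1.1     ppp0  0
203.0.113.10  192.168.1.1  en0   32
10.0.1.0      10.0.1.1     ppp0  24'

# route_for DEST TABLE: print the interface chosen by longest-prefix match,
# which is how the client kernel selects a route.
route_for() {
  printf '%s\n' "$2" | awk -v dest="$1" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function prefix(ip, len) { return int(ip2int(ip) / (2 ^ (32 - len))) }
    BEGIN { best = -1; iface = "none" }
    NF == 4 {
      dst = ($1 == "default") ? "0.0.0.0" : $1
      len = $4 + 0
      if (len > best && prefix(dst, len) == prefix(dest, len)) { best = len; iface = $3 }
    }
    END { print iface }'
}

# Show where traffic to each server address goes under both settings.
for dest in 203.0.113.10 10.0.1.1; do
  printf '%-14s send-all=off -> %-5s send-all=on -> %s\n' \
    "$dest" "$(route_for "$dest" "$TABLE_SPLIT")" "$(route_for "$dest" "$TABLE_ALL")"
done
```

Run it and the public address resolves to `en0` under both settings while the private address goes to `ppp0`; only a server address inside the VPN range is ever reached through the tunnel, which is why the firewall rules for the public address keep applying to VPN clients until the server also answers on a private address.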

  • Morris Zwick Level 1 (0 points)

    MrHoffman I read through the SLS Manual (again) and determined that the only way to gain services on the server via the VPN is to create a local network, even without local clients, in order to create a local address range. Which means a "split" DNS as you describe here: http://labs.hoffmanlabs.com/node/1436


    Currently my SLS uses my external DNS to resolve its IP for services so that changeip yields a good answer. Your explanation is straightforward and implementable for creating an internal domain in the DNS.


    However... if I originally configured my server using the public IP and external FQDN for services such as Open Directory, am I going to be able to change those services to using a new (internal) domain name and IP address that the local DNS would now serve, or will I have to reinstall SLS from scratch and set everything back up again?



  • Morris Zwick Level 1 (0 points)

    OK, so I finally got this to work...


    While I will eventually put a dedicated firewall device in front of the server, I am currently using the built-in firewall with a direct connection to the Internet, using a dedicated IP.


    To get VPN services to work, I needed two things:


    1) Create a split-brain DNS with the public-facing DNS hosted remotely using my Internet accessible IP address for my domain's zone, and a private-facing DNS on the SLS with the same zone entries mapped to a dedicated private IP address.


    2) Creation of a second IP address mapped to the same Ethernet port, using the private IP address.


    The private IP address needs to be in the same IP range as the IP addresses doled out by the VPN. I also use a Network Routing Definition in the VPN to ensure that only traffic to this private address range goes through the VPN.


    In the Firewall, under services for "Any", I open the ports I want available (for example, web and mail, and of course VPN), and close things I do not want exposed. Then for my private network range I allow all services.


    NAT and DHCP are not necessary since there are no other devices inside the private network: the only devices that have addresses in the private segment are coming through the VPN.


    The only downer is that Bonjour does not advertise services over the VPN.


    Hope this helps someone else!
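The split-brain setup in step 1 has a maintenance risk the final post notes in passing: the two zones are kept by hand in two places and will drift. The check below is an added example, not code from the thread or from Snow Leopard Server; it compares a public and a private view of the same zone and flags three kinds of drift: a name present in only one view, a private-view answer outside the VPN range (such a record sends VPN clients back out to the public address, where the firewall blocks them again), and a public-view answer inside the VPN range (unreachable from the Internet, and it also publishes the internal addressing). The zone fragments are constructed, and 203.0.113.10 (RFC 5737 documentation range) and 10.0.1.0/24 are assumed stand-ins for the server's public IP and for the VPN range.

```shell
#!/bin/sh
# Added example (not from the thread): a consistency check for a split-brain
# zone kept in two places. Zone fragments are constructed; 203.0.113.10 stands
# in for the server's public IP and 10.0.1.0/24 for the private range that the
# VPN hands out and that the second interface address lives in (assumptions).
VPN_NET=10.0.1.0
VPN_LEN=24

ZONE_PUBLIC='www     IN A 203.0.113.10
mail    IN A 203.0.113.10
server  IN A 203.0.113.10'

ZONE_PRIVATE='www     IN A 10.0.1.1
mail    IN A 10.0.1.1
server  IN A 10.0.1.1'

# check_split_dns PUBLIC_ZONE PRIVATE_ZONE: print one line per problem found
# and return 1 if there were any; return 0 when the two views are consistent.
# Rules: every A record name must exist in both views, private answers must
# fall inside the VPN range, and public answers must not.
check_split_dns() {
  {
    printf '%s\n' "$1" | sed 's/^/public /'
    printf '%s\n' "$2" | sed 's/^/private /'
  } | awk -v net="$VPN_NET" -v len="$VPN_LEN" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_vpn(ip) { return int(ip2int(ip) / (2 ^ (32 - len))) == int(ip2int(net) / (2 ^ (32 - len))) }
    $3 == "IN" && $4 == "A" {
      side = $1; name = $2; addr = $5
      seen[side, name] = addr; names[name] = 1
      if (side == "public" && in_vpn(addr)) { print "public view of " name " answers with private address " addr; bad++ }
      if (side == "private" && !in_vpn(addr)) { print "private view of " name " answers " addr ", outside the VPN range"; bad++ }
    }
    END {
      for (name in names) {
        if (!(("public", name) in seen)) { print name " is missing from the public view"; bad++ }
        if (!(("private", name) in seen)) { print name " is missing from the private view"; bad++ }
      }
      exit (bad > 0)
    }'
}

if check_split_dns "$ZONE_PUBLIC" "$ZONE_PRIVATE"; then
  echo "split-brain zones are consistent"
fi
```

The same VPN_NET/VPN_LEN pair is what the VPN's Network Routing Definition and the firewall's private address group in the post have to agree on, so it is worth keeping that range in one place and feeding it to all three checks.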