
Do I need to run DNS on a colo server being accessed remotely via VPN?

1053 Views, 8 Replies. Latest reply: Jun 3, 2011 1:33 PM by Morris Zwick
Morris Zwick
May 18, 2011 1:30 PM

My Mac Mini Server is located in a colo site. We generally use it for Web, email and a couple of application-specific services. It has a dedicated IP address. We have a separate DNS service we use to point to the domains on the server located remotely from the server. Forward and reverse lookups work fine from the server, even though the local DNS service is turned off.


However, we now have a couple of things we want to access remotely on the server via VPN (for example, some files via AFP). The firewall blocks remote AFP requests (using the built-in firewall, not a separate box). We can connect via VPN without problems. However, AFP does not work. If I allow AFP in the firewall and try to connect, no problems at all.


Since the Mini is located by itself and will never likely have anything connected to a "local network" (never running DHCP, etc.), there generally doesn't seem to be a need to run DNS on the server.


I suspect the problem is that when you VPN into the server you are on its "local network", whatever that means, so the DNS does not resolve since the local DNS service is not running. However, I am not positive of this.


Must we run local DNS? Does it have to mirror the remote DNS that we currently reference? Can we somehow "reference" the local DNS from VPN clients trying to access local services?


I hope this question makes some sense.

MacBook Pro, Mac Mini with Snow Leopard Server, Mac OS X (10.6.6), HP C4280 Printer
  • MrHoffman Level 6 (11,710 points)

    For many of its services and basic operations, Mac OS X Server needs and wants to have DNS available.


    Those DNS services don't need to be self-hosted, but that's one of the available options. (Specific details here depend on whether this host is using a public static IP address, or a private LAN and private IP address.)


    If DNS is self-hosted, the overhead of DNS services is negligible, and the setup is easy. If this server has a public static IP address, then public DNS services are entirely appropriate.


    And VPNs are based on DNS; that's part of how the client and the server and the certificates sort out trust.


    Exposing your file system (via AFP, SMB or otherwise) out to the Internet isn't something I'd recommend.


    Oh, and it's a whole lot (more) effort to unsnarl an existing and evolved configuration that should have had DNS and didn't, than getting DNS working (self-hosted or otherwise) from the onset.

  • MrHoffman Level 6 (11,710 points)

    Ok, my long(er) response got eaten by a back button or some Safari error somewhere, so I'll (re)post the highlights here.


    Either you have valid DNS services or you don't, and Mac OS X Server and many of the authentication- and security-related protocols and tools can tend to get cranky if you don't.


    Either you have your Mac or another box acting as a router or not.


    Either there's NAT here, or not.


    If your Mac has only a public static IP address and if sudo changeip -checkhostname returns its no changes required status, you're OK.


    If you have private IP addresses active here (irrespective of the VPN into the server) and are operating the Mac as a router or gateway router, then you will need to have DNS on both the public side and on the private side.


    If it's not clear from the above details, I don't yet understand your particular network configuration; I see references which imply NAT might be active, and others which don't, for instance.  I'm guessing that this Mac OS X Server box is either acting as a network gateway-NAT-router box, or that there's a gateway-NAT-router box in front of it.


    What I've seen of VPN connections into a server don't usually allocate local IP addresses on a local LAN.  The box you're connecting into acts as a router, and uses the host addresses.  (I've not seen one that particularly does that, but...)


    A VPN connection into a gateway router box can tend to allocate local IP addresses, if the VPN device is also implementing NAT.  This gives the box a way to associate the remote client with the local IP address and the local LAN activity; with what amounts to a virtual host on the local LAN that acts as a proxy for the remote VPN client box.


    This is your box, of course, so you're free to do whatever you want; you know your needs and requirements and expectations best.  If it were mine, I'd ensure sudo changeip -checkhostname worked; that the Mac OS X Server box thinks it has valid DNS.

  • MrHoffman Level 6 (11,710 points)

    I'd suggest running a traceroute and see which path the connections to the server are taking.  This should be via the VPN (tunnel), if the tunnel is operating correctly. 


    Alternatively, switch the VPN connection to route all traffic via the VPN.


    Please review the VPN client set-up on the client via System Preferences.  In particular, select Networks, then the VPN and then select Advanced and see if the "send all traffic" over the VPN is selected in Options (and as a test, select it), and post the settings you see under VPN on Demand (if any), TCP/IP, DNS and if you have anything checked under the Proxies setting.


    On reviewing the thread, I don't see which VPN protocol has been selected here, nor details on the VPN itself.  I would tend to expect L2TP or PPTP would be selected here, though there are other options.


    What I meant by "local network" is that the VPN allocates local IP addresses when devices log into the VPN service (10.0.x.x). There is no DHCP allocating these addresses, just VPN.


    There is no DHCP involved, and no private addresses with the typical client-to-host VPN configuration; that does not involve private IP addresses.
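
Added example (not part of the thread): a shell check to go with the traceroute advice above, assuming the macOS `route -n get` output format and that L2TP/PPTP sessions appear as `pppN` interfaces. It reports whether traffic to the address the AFP client is pointed at leaves through the tunnel or directly, in which case it meets the server's firewall like any other Internet client; the function names and sample addresses are constructed.

```shell
#!/bin/sh
# Classify the route a VPN client uses to reach an address, from the
# output of `route -n get <addr>` (macOS format) supplied on stdin.

# Print the value of the "interface:" field.
route_iface() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Assumption: L2TP/PPTP tunnels show up as pppN; utunN and ipsecN are
# included for other VPN client types.
iface_is_tunnel() {
    case "$1" in
        ppp[0-9]*|utun[0-9]*|ipsec[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "tunnel <if>", "direct <if>", or "unknown" if no interface is found.
classify_route() {
    iface=$(route_iface)
    if [ -z "$iface" ]; then
        echo "unknown"
    elif iface_is_tunnel "$iface"; then
        echo "tunnel $iface"
    else
        echo "direct $iface"
    fi
}

# Constructed sample: a public address (documentation range) reached
# through the client's ordinary default gateway.
SAMPLE_DIRECT='   route to: 203.0.113.10
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: en1
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed sample: a VPN-assigned address reached over the PPP link.
SAMPLE_TUNNEL='   route to: 10.0.0.1
destination: 10.0.0.1
  interface: ppp0
      flags: <UP,HOST,DONE>'

printf '%s\n' "$SAMPLE_DIRECT" | classify_route
printf '%s\n' "$SAMPLE_TUNNEL" | classify_route
```

On the client, with the VPN connected, pipe the live output instead: `route -n get <address> | classify_route`, using whichever address the AFP connection is made to.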

