DNS setup question

Hi all,

I am running Mac OS 10.7.1 Server in my local network. Currently, I have this server set as my primary DNS server. Currently, I have one primary zone set up here, named robin-kipp.net. This contains an A record named server.robin-kipp.net, which resolves to the IP address of the server within the network (192.168.178.48). Also, a Mail Exchanger with a priority of 10 has been set up. Now, this works without any problems within my local network, as the server is configured as the DNS server on all clients. Therefore, when I am on a client connected to my local network and ping server.robin-kipp.net, I get answers from the correct IP address.

Now, of course, this doesn't work across the web, but as I'm the registered owner of robin-kipp.net, I'd like to change that so that the hostname will resolve to the correct IP even throughout the web. So, here's my question: how do I best do this? My domain registrar (unitednic.com) allows me to specify a primary and secondary name server to which requests are routed. However, I guess it won't just be enough to enter my server's public IP here, right? What steps do I need to take so the hostnames I specify in the server's DNS settings will resolve throughout the internet?

The server is, of course, connected to the internet using a stable connection with a static public IP address.

Thanks for any help here!

Robin

Posted on Aug 22, 2011 4:54 PM


Aug 22, 2011 6:58 PM in response to robin24

What you're talking about doing is called Split DNS, and it's very common. I have set up a split DNS for the company I work for.


You sound like you pretty much have it too. Your ISP should have some type of interface to edit your DNS Zone File. GoDaddy's is just called "Zone File Editor". The first thing you will do is point your domain name "robin-kipp.net" to the public WAN IP of your server. Since the hostname of your server is "server.robin-kipp.net", you could also create a CNAME record called "server.robin-kipp.net".


Good luck!

Aug 23, 2011 3:20 AM in response to robin24

As Jonathan Melville said, what you are looking for is a Split DNS configuration. However, things are a little bit more complex than just dealing with the DNS issue.


Hosts on your LAN will not be accessible directly from the web; therefore, if you either don't have a block of static IP addresses assigned to you, and/or need to make more than one computer accessible, life will be more difficult. However, from your post it seems you only need to make available just one host, that being your Mac server.


You don't say whether your public IP address is static or not. Normally, to do this sort of thing you need it to be static, but home broadband style connections often don't include a static IP address. There is a way round this which I will cover later.


Firstly, let's assume the following:

You only need to make accessible the single server

You have a static IP address (even if it is assigned to your router)


What you would do in this case is get an external party, either your ISP or your domain name registrar, to 'host' your domain. It does not matter if you are using the same domain internally. They would then define records like server.robin-kipp.net to point to your static IP address (even if that is your router). They would also define an MX record, and you might want to add aliases to server.robin-kipp.net of mail.robin-kipp.net, assuming you are intending to run your own mail server. If you are also intending to run your own web server, you would also ideally define an alias of www.robin-kipp.net.


You would then configure your router to map TCP/IP ports for IMAP, SMTP, HTTP, etc. to point to your internal LAN address for your server. Then when someone on the web tries to access your server the DNS lookup will point them to your router which will forward the traffic to your server.


If you do need to provide additional access, for example to allow people to access your server as a file server, then you should do this by setting up the VPN server. Remote users would then connect to the VPN server (via an encrypted connection) and would then be able, via the VPN server, to access the file server or other machines on your LAN. To do this you would need a router which supports VPN pass-through; many do.



Moving on to the second scenario of not having a static IP address. What you need to do here is sign up to a dynamic DNS service. I have used DynDNS.org; with this you run a small piece of software which keeps DynDNS informed each time your WAN address changes. You would subscribe to DynDNS and they would dynamically update e.g. server.robin-kipp.net to always point to your current WAN IP address.

Aug 23, 2011 7:52 AM in response to robin24

There are a few steps to follow.


Your DHCP Server needs to point to your DNS Servers internally

(obviously you have manually coded your clients to contact the internal server already so it's your choice)

If you want to have the other DHCP clients call on your internal DNS, it would be best to have it set up on DHCP for iDevices and what-nots. You really should have TWO Internal DNS Servers with the same zone files located in:


/var/named


Your Internal DNS Servers serv.you.net and serv2.you.net need to have a "forwarder" set up in Server Admin DNS Settings.


Your Forwarder is usually an external, world-accessible DNS (generally your ISP's 2 DNS Servers they supply you). The Forwarder handles DNS for stuff you don't have hosted on your Server (which is the rest of the world).


Next you need either a Static IP from your ISP or a service like dyndns.com to update your IP if it changes.


Personally I pay my ISP for the Static IP, but if my AirPort goes out I have to power cycle my modem on a new device, get a new IP and set it up on my DynDNS Account.


For MAIL:


You need to get your ISP to make an rDNS (Reverse DNS) record in their DNS Servers. (This Should Be a part of paying for the Static IP.) It neeeeeeeeds to be mail.you.net or Spam and Blacklists will have a hard time believing you are who you say you are.




If you set it up right: your internal clients call to your DHCP Supplied DNS Servers (192.168.178.48) and (192.168.178.49) perhaps. Then the two of them hand off anything they don't know to the forwarder (UR.ISP.DNS.SRV).


As well, your firewall/router, whatever, needs to be able to send the correct ports to the internal mail server.


POP/IMAP/SMTP (I prefer to only use SSL, but that means buying an SSL Cert for your server too)
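Putting the two replies above together (the split DNS zone with the private and public addresses from the earlier reply, and the forwarders and /var/named zone files from this one), here is what that looks like as BIND configuration for a single server. This is an added example, not anything posted in the thread; the public address 203.0.113.10, the ISP resolver addresses 192.0.2.53 and 192.0.2.54, the config path and the zone file names are placeholders.

```conf
// /etc/named.conf (assumed path): one server, two views of robin-kipp.net
options {
    directory "/var/named";
    // ISP resolvers (placeholder addresses) answer everything this server
    // is not authoritative for; only the LAN may use this server recursively.
    forwarders { 192.0.2.53; 192.0.2.54; };
    allow-recursion { 192.168.178.0/24; 127.0.0.1; };
};

// LAN clients (DHCP hands them 192.168.178.48 as DNS) get the private address.
view "internal" {
    match-clients { 192.168.178.0/24; 127.0.0.1; };
    recursion yes;
    zone "robin-kipp.net" { type master; file "robin-kipp.net.internal"; };
};

// Everyone else gets the public address and is refused recursion,
// which also keeps the server from being usable as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "robin-kipp.net" { type master; file "robin-kipp.net.external"; };
};

; /var/named/robin-kipp.net.internal
$TTL 3600
@       IN SOA   server.robin-kipp.net. hostmaster.robin-kipp.net. (
                 2011082301 3600 900 1209600 3600 )
        IN NS    server.robin-kipp.net.
        IN MX 10 server.robin-kipp.net.   ; MX must name an A record, not a CNAME
server  IN A     192.168.178.48
mail    IN CNAME server.robin-kipp.net.
www     IN CNAME server.robin-kipp.net.

; /var/named/robin-kipp.net.external: same records, except the A record
server  IN A     203.0.113.10             ; placeholder for the router's WAN IP
; and the NS records here name the public name servers given to the registrar
```

Server Admin on 10.7 writes these files itself, so hand-added views should be checked with named-checkconf and named-checkzone before reloading. Keeping the two zone files in step (same records, only the address differs) is the usual price of split DNS.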

Aug 23, 2011 9:48 AM in response to Jonathan Melville

What I found is, if you set up your DNS Servers in your DHCP Server (router) and only have one DNS Server internally (like on the AirPort), your DNS resolves will not always be handed to your internal server first; they tend to go to the Main NIC for the router, which would be the ISP Side, and use the ISP DNS. Bypassing all the hard work of having internal DNS Servers.


This being said, yes, I recommend your Router (DHCP Server) have your Internal DNS coded to it, but you still need to tell your Internal DNS Server to Forward Requests it is not responsible for out to the ISP DNS.


But for proper functionality there really should be 2 Internal DNS Servers. (not required, just better)


If you are using an AirPort as your Router/DHCP Server, then you can't easily get around not having the second internal DNS Server, because of the way Apple set up the Internet setting pane on the AirPort: it has a tendency to pull the ISP DNS into the second Server, and then use it instead of your internal one because it is using its main NIC first.


Acronyms Abound!!!

Aug 23, 2011 10:21 AM in response to Twintails

Thanks so much to all of you for your very helpful answers!

As for the DHCP in my internal network, I think this shouldn't be much of a problem. I have a Fortinet FortiGate 50B firewall set up that routes all my network traffic. The device also acts as the DHCP inside my network, and supplies clients with the IP of my server for the DNS. As the secondary DNS, I still have the IP of my firewall (which is also the router) in there. However, this shouldn't be much of an issue, as the device also brings its own, configurable DNS server. In that, I've also configured server.robin-kipp.net to resolve to 192.168.178.48, so no matter which of the 2 DNS servers actually handles the connection, it should always resolve back to my server's internal IP.

As for my public IP address, what I get is what I could probably call semi-static. When I connect to the internet, my ISP (Swisscom) assigns an IP with a long lease time to my router, so the IP shouldn't expire for a long time, theoretically. However, I do like the idea of using DynDNS for the DNS service and dynamically updating the IP in the event that it should change. So, assuming I'd like to set up a test configuration before actually changing the settings of my domain, would the following setup be correct?


1. Set up a free DynDNS account with a test domain (e.g. server.dyndns.org)

2. Configure the server's hostname to be server.dyndns.org.

3. Set up the dyndns.org zone in the server's DNS and add an A record for server.dyndns.org

4. Configure the DynDNS hostname to resolve to my IP address and create an MX Record for incoming Mail

5. Map all ports for the appropriate services to the server's internal IP.


Would this be a functional (test) setup? Later on, I could then migrate my robin-kipp.net domain to DynDNS and have them manage the DNS records for it, but before I take this step, I'd like to have a sort of testing environment to verify everything's working and stable. Also, I'm not worried about outgoing Mail too much, as I will set up the Mail server to relay that traffic using an external provider for that purpose. I don't think I'd be able to get managed DNS preferences or a truly static IP from Swisscom, as I am not a registered business customer. If I wanted to have all this, I'd first have to cancel my current internet and phone contract and then make a new one, which would require me to legitimate the fact that I'm an enterprise (which I am not). Because of this, and as I'm not gonna be living here for much longer, I guess such an effort would probably not be justified given the alternative options that are present.

Thanks once again for all your help and suggestions!

Robin

Aug 25, 2011 6:10 AM in response to robin24

Yes, it looks right; however, I have not checked in detail whether DynDNS will only offer an MX record on full-blown domains rather than what is effectively a sub-domain of theirs. If you use a sub-domain you will probably have to add the equivalent to your internal DNS server so that your internal mail server recognises it. You can have multiple domains on a server.
