Can't delete primary zone in DNS after moving the server

Woe is me!


Our MacMini was hosted at a Colo site and working fine. No firewall in front of the machine, so we turned on the server firewall and only allowed mail, web, ftp, and a couple of other services. This worked great using our external public DNS wired to our domain names and public fixed IP address. Later, we got VPN up and running (the trick was to create a second, local IP address for the ethernet port), but this also required us to turn on the server's DNS to create a split-brain DNS server.


Everything was working swimmingly... and then we had a hard drive crash. Since we were thinking about moving the server onsite anyway (our POS system was accessed through the VPN, but it could be slow and made our tasting room dependent on Internet access in order to run the POS), we ordered Comcast business class internet with a fixed IP address.


We updated the external public DNS to the new public fixed IP. Rather than plug the mini directly into the Comcast router (which is in pass-through mode), we elected to put an AirPort Extreme in front of it, mainly so we could get all of the POS computers on the same local network without using the mini as a DHCP/NAT router. We created a DHCP reservation on the Extreme so that the mini had a fixed local IP address. We port forwarded everything we wanted to expose to the Internet. Email started to work again. However, web services and VPN are nada.


This being Snow Leopard Server and having spent literally hours debugging DNS issues when we first got the server, I knew it wouldn't be straightforward. And it hasn't been. Even changing the IP address of the server has been a chore.


We ran "sudo changeip <old IP address> <new IP address>".


Then we ran "sudo changeip -checkhostname" and received:


"$ sudo changeip -checkhostname


Primary address = 10.0.8.2 <new static internal IP address>


Current HostName = <servername>.<domainname>.com


The DNS hostname is not available, please repair DNS and re-run this tool.


dirserv:success = "success""


Oh no, the black pit of death.


Even though I tried to modify the machine record in the local DNS to reflect the new internal static IP address, Nada.


So, looking back on my previous research from Mr Hoffman and others, I stopped the DNS service, and I deleted the primary zone and reverse lookups in order to rebuild them from scratch. Except that no matter what I do, I can't delete the primary zone - it comes back like Dracula (even though the reverse zone and all of the zone records are gone). I tried rebuilding everything using the undeletable zone, but after a few services (saved each one separately), they would suddenly disappear.


I am leery of messing with the DNS files on the server as I don't want to hose up Server Admin (my command line skills are rudimentary and slow). I have so much installed on the machine now that I am concerned about someone saying "reinstall".


Help!


Related to this is that it is not clear to me in web services which IP address you should use for the sites. The internal IP? The public IP? I thought Apache cared about the external IP address. And I think Apache is hosed at the moment due to my DNS troubles anyway.


Thanks in advance!

MacBook Pro, Mac Mini with Snow Leopard Server, Mac OS X (10.6.6), HP C4280 Printer

Posted on Nov 7, 2011 2:48 PM

5 replies

Nov 7, 2011 5:23 PM in response to Morris Zwick

Yeah; I've seen this Zombie Zone "fun" a few times.


Caveat: Backup your disk before you try the following wild and crazy stunt.


First, shut off the DNS Server, then exit Server Admin, rename your Server Admin plist, and try nuking and paving the zone again.


Here's the Terminal.app command to rename the plist:


cd ~/Library/Preferences

mv com.apple.ServerAdmin.plist com.apple.ServerAdmin.plist_save


Most definitely get yourself a firewall, as that'll ease the configuration and the IP routing, and it'll help you isolate your server management from your firewall management. The firewall here is not a panacea, but it'll keep some of the junk that's flying around off your server. And your firewall will have your external static IP address, and port forwarding, and your server will have an internal private static IP address. (This assumes you don't have enough public static IP addresses to avoid needing NAT entirely.)


You'll be setting up external DNS services for your external static IP with your ISP or whomever is providing your DNS. You'll also be setting up private DNS services, and this on your server. This is discussed in the DNS configuration article, and with the various trade-offs.
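A zone that keeps coming back after you delete it in Server Admin is normally still declared in some configuration file that the service re-reads on start. The script below is an added example, not code from the thread or from Apple: it walks a BIND-style named.conf, follows every `include` (including those inside `view { ... }` blocks) and reports each file that declares a given zone, so you can see where the surviving copy lives before editing anything. The sample configuration, directory layout and zone names it builds are constructed for the demonstration; on the real server you would point it at /etc/named.conf (the server-side path the thread mentions is /var/named for the zone data files).

```python
"""Find every file that still declares a DNS zone in a BIND-style named.conf tree.

Added example, not from the thread.  The sample config is constructed."""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.M)
# zone "name" [IN] { body }.  The body stops at the first '}', which is enough
# because 'type' and 'file' precede any nested sub-block such as allow-update.
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"(?:\s+IN)?\s*\{([^}]*)\}', re.S)
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out zones are not reported."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(^|\s)(//|#).*$', '', text, flags=re.M)


def find_zone_declarations(conf_path, seen=None):
    """Return [(zone, type, zonefile, declaring_conf), ...], following includes.
    Relative include paths are resolved against the including file's directory
    here (an assumption; BIND resolves them against options.directory)."""
    seen = set() if seen is None else seen
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen or not os.path.isfile(conf_path):
        return []
    seen.add(conf_path)
    with open(conf_path) as f:
        text = strip_comments(f.read())
    found = []
    for name, body in ZONE_RE.findall(text):
        ztype = TYPE_RE.search(body)
        zfile = FILE_RE.search(body)
        found.append((name.lower().rstrip('.'),
                      ztype.group(1) if ztype else None,
                      zfile.group(1) if zfile else None,
                      conf_path))
    base = os.path.dirname(conf_path)
    for inc in INCLUDE_RE.findall(text):
        path = inc if os.path.isabs(inc) else os.path.join(base, inc)
        found.extend(find_zone_declarations(path, seen))
    return found


def where_is_zone(conf_path, zone):
    """All declarations of one zone; more than one hit is the 'zombie' case."""
    zone = zone.lower().rstrip('.')
    return [d for d in find_zone_declarations(conf_path) if d[0] == zone]


def build_demo():
    """Constructed sample: named.conf declares example.com directly and also
    includes a view file that declares it again (with a trailing dot)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "dns"))
    with open(os.path.join(root, "named.conf"), "w") as f:
        f.write('options { directory "/var/named"; };\n'
                '// hand-edited declaration left over from the old setup\n'
                'zone "example.com" IN {\n'
                '    type master;\n'
                '    file "zones/db.example.com";\n'
                '};\n'
                'view "public" {\n'
                '    include "dns/publicView.conf";\n'
                '};\n')
    with open(os.path.join(root, "dns", "publicView.conf"), "w") as f:
        f.write('zone "example.com." {\n'
                '    type master;\n'
                '    file "zones/db.example.com.apple";\n'
                '    allow-update { none; };\n'
                '};\n'
                'zone "8.0.10.in-addr.arpa" { type master; file "zones/db.10.0.8"; };\n'
                '# zone "stale.example.com" { type master; file "x"; };\n')
    return os.path.join(root, "named.conf")


if __name__ == "__main__":
    conf = build_demo()
    for zone, ztype, zfile, where in find_zone_declarations(conf):
        print(f"{zone:28} {ztype or '?':8} {zfile or '?':30} declared in {where}")
    print("example.com declared", len(where_is_zone(conf, "example.com")), "times")
```

Run it as `python3 findzone.py` to see the constructed case report example.com twice (once in named.conf, once in the included view file); with a real path in place of `build_demo()`, every file listed for the zone you cannot delete is a file to back up and then remove the declaration from, with the DNS service stopped.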

Nov 7, 2011 5:51 PM in response to MrHoffman

I will try this "wild and crazy stunt" (always reassuring 😁) once my carbon copy clone backup is done this evening.


I am not a firewall expert by any stretch. However, we do want to serve up local addresses for wireless clients off the same public static IP address (and wireless to boot), and we want to keep the other machines on the same local network if we can for speed purposes. I get that the Extreme isn't a firewall...but do these firewall/VPN/magic devices also support wireless and wired DHCP/NAT? Or should I hang the Extreme off of the firewall and contemplate the dreaded double NAT of the Extreme handing out private IP addresses to all of the other computers in the building? Or, probably even worse, have the server act as a wireless DHCP/NAT router (which would still be double NAT)?

Nov 8, 2011 3:41 AM in response to Morris Zwick

OK, I did some firewall study and understand the problem better. No need to respond.


Meanwhile, back at the ranch...


Renamed the plist file, but no joy: the zombie primary zone entry is still there and resistant to removal. I had also removed the zone and reverse zone files in /var/named (but not the stock stuff, just the ones associated with my zones).


Still scratching my head...


And does anyone know which IP you enter for your sites in the web service? The public static IP or the internal private static IP?

Nov 8, 2011 4:31 AM in response to Morris Zwick

Morris Zwick wrote:


And does anyone know which IP you enter for your sites in the web service? The public static IP or the internal private static IP?

For the external DNS server I am sure you have already deduced that it should be the static IP issued to you by Comcast, and this will be forwarded by your router to your server.


For your internal DNS server you could use either the internal LAN IP or the external IP, although the latter might be affected by your firewall, so this you will need to test.


For the Web Server service in Server Admin, if you're only running a single website you could avoid the issue by just using the wildcard entry, which will respond to any IP address, so this would be an empty host name and an IP address of *.


In fact you don't have to specify an IP address you could just use the hostname, so it will listen to traffic arriving at your server addressed to any IP address and as long as the URL that was requested includes the hostname you define for the site it will get responded to. So if as an example you have two websites you want to serve


www.example.com

site2.example.com


then as long as both have the IP address for the site as an * (asterisk) then both should work as separate sites for traffic addressed to either the LAN or WAN IP address of the server.


You will still need to use two IP addresses on the server to enable VPN; you could use a USB Ethernet adapter for the second one. Port forwarding for VPN is not as simple as other traffic, as VPN requires traffic different to the standard IP and UDP packets. Routers that support 'VPN Passthrough' are specifically designed to accommodate this, but I don't know if the AirPort Extreme does this. I have also found PPTP copes better with this sort of setup than L2TP, although PPTP is generally regarded as less secure.
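The reply above recommends binding every site to `*` so name-based virtual hosting answers on both the LAN and WAN address. The script below is an added example, not code from the thread or from Apple: it parses Apache `<VirtualHost>` blocks of the kind Server Admin writes and flags any site still bound to a literal IP the host does not own, which is the leftover-old-address situation this thread is about. Wildcard (`*`) and `_default_` bindings always pass. The configuration, site names and addresses are constructed (203.0.113.10 stands in for the old public IP, 10.0.8.2 and 10.0.1.1 for the server's current addresses); only IPv4 literals and `*` are handled, not bracketed IPv6.

```python
"""Audit which addresses Apache virtual hosts are bound to.

Added example, not from the thread.  SITES_CONF is a constructed sample."""
import re

SITES_CONF = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/Library/WebServer/Sites/www"
</VirtualHost>
<VirtualHost *:80>
    ServerName site2.example.com
    DocumentRoot "/Library/WebServer/Sites/site2"
</VirtualHost>
<VirtualHost 203.0.113.10:80 203.0.113.10:443>
    ServerName old.example.com
    DocumentRoot "/Library/WebServer/Sites/old"
</VirtualHost>
"""

VHOST_RE = re.compile(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', re.S | re.I)
SERVERNAME_RE = re.compile(r'^\s*ServerName\s+(\S+)', re.M | re.I)


def parse_vhosts(conf):
    """Return [(server_name, [(addr, port), ...]), ...] in file order.
    A spec without ':port' is kept with port None (it matches any port)."""
    vhosts = []
    for addr_specs, body in VHOST_RE.findall(conf):
        m = SERVERNAME_RE.search(body)
        bindings = []
        for spec in addr_specs.split():
            if ':' in spec:
                addr, _, port = spec.rpartition(':')
                bindings.append((addr, int(port)))
            else:
                bindings.append((spec, None))
        vhosts.append((m.group(1) if m else None, bindings))
    return vhosts


def audit_vhosts(conf, local_addrs):
    """[(site, addr, port)] for every binding to an address this host lacks.
    '*' and '_default_' are always acceptable; a literal IP must be local."""
    problems = []
    for name, bindings in parse_vhosts(conf):
        for addr, port in bindings:
            if addr in ('*', '_default_') or addr in local_addrs:
                continue
            problems.append((name, addr, port))
    return problems


if __name__ == "__main__":
    # On the server, local_addrs would be taken from ifconfig; here it is constructed.
    for site, addr, port in audit_vhosts(SITES_CONF, {"10.0.8.2", "10.0.1.1"}):
        print(f"{site}: bound to {addr}:{port}, which this host does not have")
```

Any site the audit lists is one to move to `*` (or to the server's current LAN address) in Server Admin; checking all sites at once matters because, as the next post reports, a single site left on the wrong address stopped every site from answering.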

Nov 8, 2011 8:03 AM in response to John Lockwood

I hadn't thought about using the wildcard/any IP address in the web service. Interestingly, if I fixed just a couple of the websites to use the internal static IP from the dropdown, nothing still worked. Once I fixed them ALL, it started working immediately. Apparently you cannot have even ONE incorrect IP address in the Web service for a site or it will prevent all web sites from working.


As far as your comment: "You will still need to use two IP addresses on the server to enable VPN, you could use a USB Ethernet adapter for the second one."


When our Mac was in a colo site with no local network behind it, I struggled mightily to make the VPN work. Then I figured it out!


The trick is to create a second entry for your ethernet port in the Network system preferences panel. You then assign that second port (mapped to the same physical ethernet port) an internal private IP address manually that maps to the same IP range of the VPN service. So for example, if you set up VPN to provide addresses from 10.0.1.2 to 10.0.1.200, you could set the address to be 10.0.1.1. Then, I created a split-brain DNS running locally that mirrored the public DNS, except using this static private IP address instead of the static public IP address running on the remote (public) DNS. Worked like a charm 🙂 Until, that is, I moved to a new IP address, which takes us back to...


Meanwhile, back to this thread, I have tried the plist trick for Server Admin, and I have deleted the primary zone record files in /var/named to no avail: the rogue primary zone is still a zombie in Server Admin and won't go away.
