Newbie to Local DNS how to?

Hi,

The basic question is how to get our local DNS working?

I'm running OS X Server Tiger 10.4.6 on a G4 with two Ethernet cards.
One for WAN (EN0) with these settings:
10.0.0.151
255.255.255.0
10.0.0.138
DNS-Servers
192.168.0.1 (our lan)
194.109.104.104 (our ISP DNS)
194.109.9.99 (our ISP DNS)
One for internal LAN (EN1) with these settings:
192.168.0.1
255.255.255.0
192.168.0.1
DNS-Servers
None, will be supplied via the DHCP server in Server Admin

Our server is set up for Mail, FTP, DHCP, DNS, Firewall, NAT, AFP, Windows.
Everything works fine: we get our mail, our files via FTP and we can connect to the internet. Except I can't get local DNS working!
I've already read and tried every suggestion posted here but I'm stuck.
The server is set up as a standalone server.

DHCP setup: en1, starting address 192.168.0.2, ending 192.168.0.255
Router 192.168.0.1. DNS default domain: eps-amsterdam.nl. Name servers: 192.168.0.1 and 194.109.9.99. LDAP server name: 192.168.0.1. WINS primary server 192.168.0.1. NBT node: broadcast (b-node)

DNS setup: General: marked Zone transfer and Recursion.
Zones: Name: eps-amsterdam.nl, Primary Name Server: osxservereps, Primary Name Server Address: 192.168.0.1
Machines:
Name: osxservereps, Primary Address: 192.168.0.1
Name: osxservereps, Primary Address: 10.0.0.151, and some printers with static IP addresses

Firewall setup: 10-net allow: 21, 113, 625, 3283, 5900
192.168.0-net allow all traffic
Advanced; default settings after installation

NAT: IP Forwarding and NAT

I've edited the hostconfig file with
HOSTNAME=osxservereps.eps-amsterdam.nl
I've run sudo hostname osxservereps.eps-amsterdam.nl
I've used changeip /LDAPv3/127.0.0.1 etc.

My named.conf:
osxservereps:/etc edvandermeer$ cat named.conf
//
// Include keys file
//
include "/etc/rndc.key";
// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.

//
// Default controls
//
controls {
inet 127.0.0.1 port 54 allow {any;} keys {
"rndc-key";
};


};
options {
directory "/var/named";
recursion true;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;

};

//
// a caching only nameserver config
//
zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "eps-amsterdam.nl" in {
file "eps-amsterdam.nl.zone";
type master;
};

zone "0.168.192.in-addr.arpa" IN {
file "db.192.168.0";
type master;
};

zone "0.0.10.in-addr.arpa" IN {
file "db.10.0.0";
type master;
};

logging {
category default {
defaultlog;
};

channel defaultlog {
file "/Library/Logs/named.log";
severity info;
print-time yes;
};
};

What am I doing wrong???
Any suggestion is very welcome.

Ed

G4, Mac OS X (10.4.6)

Posted on May 4, 2006 3:16 AM


May 4, 2006 12:50 PM in response to EdvanderMeer

It looks like you are using dual NAT - both interfaces use private IP addresses and you have NAT and firewall enabled in the server.

"One for Wan (EN0) with these setting;
10.0.0.151
255.255.255.0
10.0.0.138" this is a NAT router IP that's your GW/"router" to Internet?

For running your own internal (?) DNS use only the server's own ("WAN") IP in Network config on the server and maybe forwarders (your ISP DNSes) in /etc/named.conf (turn IPv6 off).

If this is only an Internal DNS and you have no slaves (any other OS X machine with a static IP would do) you don't need zonetransfer enabled.

With a NAT router between your server and Internet you maybe don't need dual NAT and could either use only one interface or use "plain" routing in the server. The plain routing would need a static route in the Internet router pointing back to the 192.168-network with the server "WAN" IP as gw. You could still use the firewall if you like.

May 5, 2006 11:36 AM in response to Leif Carlsson

Thanks for the info. I'm not sure about the dual NAT. I've got a Speedtouch DSL router with the 10.0.0.138 number and set it to no DHCP and specified the NAPT default server address: 10.0.0.151. We need to have internal DNS working for some software that relies on it.
"For running your own Internal (?) DNS use only the servers own ("WAN") IP in Network config" What do you mean by this? Could you specify it a bit more?
This is the only internal DNS server so I'll try turning off zone transfer. Would you be so kind as to give me examples of the settings in the Network Setup interfaces? I mean, I just want to do it right and I have already done a few new installs and so on.

"With a NAT router between your server and Internet you maybe don't need dual NAT and could either use only one interface or use "plain" routing in the server. The plain routing would need a static route in the Internet router pointing back to the 192.168-network with the server "WAN" IP as gw." How would I use only one interface and serve DHCP and DNS internally? Sorry for my bad English, I'm from the Netherlands.

May 6, 2006 2:51 AM in response to EdvanderMeer

Use only the 10.0.0.151 interface/network, turn off NAT and firewall.

(Ideally change the network number from the Speedtouch default 10.0.0.0/? to something less "default" if you want to use VPN as other NAT routers might use the same. Check the netmask in the Speedtouch too, it might be 255.0.0.0, /8 or 255.255.0.0, /16 I don't remember from my own Speedtouch 510. Also, does your ISP use PPPoE for the connection? Then you might want to change the MTU on some machines so that Internet connection doesn't stall on large transfers)


Use 10.0.0.151 in Network config on the server for DNS (some say 127.0.0.1).

DNS and DHCP work fine with one interface.

Use the server IP as the only DNS in DHCP and all LAN clients with static IPs.

Fill in (search) domain in DHCP settings for Windows machine "compatibility".

Where to add forwarders to /etc/named.conf :
(speeds up Internet lookups and turn off IPv6 too)

------ snip ------

options {
directory "/var/named";
allow-transfer {none;};
recursion true;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;



// ------ new text from here ------


forwarders {
<ISP DNS 1>;
<ISP DNS 2>;
<ISP DNS n>;
};
forward first;
// listen-on {127.0.0.1; <server ip>;}; this is not necessary



// ------ to here ------
};

//
// a caching only nameserver config

------ snip ------


You could as an alternative use the Speedtouch in bridge mode and the server with both interfaces as the Internet router with NAT and firewall enabled.

With your current setup you do NAT twice: first in the Speedtouch and then in the server for machines on the server's "most internal" LAN (192.168- network).

May 7, 2006 11:57 PM in response to Leif Carlsson

I still can't get it to work. If I try the different settings and turn off NAT in Server Admin no one can get access to the internet anymore. The forwarders in the named.conf are working OK as far as I can see, as I don't get any errors in the DNS log. So now I've set up the Speedtouch to be the DHCP server and now my en0 gets the 10.0.0.150 address automatically with 10.0.0.138 as router. I haven't filled in the DNS numbers in the network setup for en0. In Server Admin I get for 10.0.0.150 the DNS name osxservereps.lan. I've changed it to HOSTNAME=osxservereps.lan and it seems to be OK.
May 8 07:41:35 osxservereps bootpd[142]: interface en0: ip 10.0.0.150 mask 255.255.255.0
May 8 07:41:35 osxservereps bootpd[142]: interface en1: ip 192.168.0.1 mask 255.255.255.0
May 8 07:41:35 osxservereps bootpd[142]: server name osxservereps.lan
May 8 07:41:35 osxservereps configd[44]: AppleTalk startup complete
May 8 07:41:35 osxservereps servermgrd: servermgr_dns: Reloaded named
May 8 07:41:35 osxservereps servermgrd: servermgr_dns: hostname and DNS entries for this server are synchronized
May 8 07:41:37 osxservereps master[41]: ready for work

The other interface en1 I haven't changed. Now if I do a lookupd -d on a client machine for 192.168.0.1 I get full information back, both via Internet: and Name:.
But when I do a lookup for the client machine with Internet: I get nil, and with Name: dico-g4.local I get this:
hostWithName: dico-g4.local

Dictionary: "DNS: host dico-g4.local"
lookup_DNSdomain: local
lookup_DNSserver: 192.168.0.14
lookup_DNS_time_tolive: 10
lookup_DNStimestamp: 1147071276
lookupagent: DNSAgent
lookup_infosystem: DNS
interface: 5
ip_address: 192.168.0.14
name: dico-g4.local
+ Category: host
+ Time to live: 43200
+ Age: 0 (expires in 43200 seconds)
+ Negative: No
+ Cache hits: 0
+ Retain count: 3
So I think I'm almost there but maybe need to fine-tune?

May 8, 2006 10:25 PM in response to EdvanderMeer

Did you check the SpeedTouch netmask? It must (really should) match what you use on server.

Don't use DHCP for server interfaces. Set static IPs. Do you have any other machines on 10.- network?

Without NAT you need a static route in the SpeedTouch router (is it capable of that?) pointing back to 192.168.0.0/24 with server IP as gw/router (but why route at all ??? Change Speedtouch to match 192.168-network instead?).

What network interface you put DNS info in doesn't matter but use only router 10.0.0.138 on 10.0.0.151 interface and keep the other 192.168.0.1 router field empty.

May 9, 2006 4:47 AM in response to EdvanderMeer

I'm not sure about what you just told me. Setup:
Internet>>Speedtouch with interface PPPoA_1, IP addresses/netmasks 80.126.96.57/32, primary DNS 194.109.104.104, secondary DNS 194.109.6.66, no DHCP and default NAT server 10.0.0.151>>OS X Server en0, with 10.0.0.151, router 10.0.0.138, DNS field is empty; this interface is defined as the NAT interface in Server Admin. So there are no other computers directly connected to the Speedtouch, as OS X Server is used as the GW to the internet.


And when I change the en0 interface to static IP (10.0.0.151) I get a ".....no DNS entry for server, various services may not function properly..."

en1 192.168.0.1 is connected to an Ethernet hub with all our internal computers and printers. So all internal traffic takes place here. The only problem still is that lookups on local machines don't work. Everything else works just fine.

I tried to set up the Speedtouch in bridge mode as you mentioned but then I don't know how to set up my en0 interface. Hope you don't mind if I'm asking too much. To be continued.

May 9, 2006 5:22 AM in response to EdvanderMeer

"Speedtouch with Interface PPPoA_1"

OK since it uses PPPoA (MTU 1492 ???) you might be better off keeping your server as the gw but set the 10.0.0.151 interface to use MTU 1492.

BUT, if you can't add a static route in the SpeedTouch, you need NAT and the firewall in OS X Server "up and running".

For an ADSL modem/router in bridge mode you use the server WAN Ethernet interface for PPPoE (ppp0 interface created when connected using PPPoE as the NAT interface in NAT config - need to "hack"/modify the NAT config for that - easily done though).

"And when I change the en0 interface to static IP (10.0.0.151) I get an .....no DNS entry for server, various services may not function properly... "

OK you must have changed your DNS settings on the server to say 10.0.0.150 instead of 10.0.0.151.

What ports/protocols can you portforward in the SpeedTouch?

May 9, 2006 6:43 AM in response to Leif Carlsson

Is this all concerning local DNS? OK, I've set MTU to 1492 and have edited the hosts file and added 10.0.0.150 name-of-hostname, and now the "And when I change the en0 interface to static IP (10.0.0.151) I get an .....no DNS entry for server, various services may not function properly... " has gone.

I can change or add IP address tables and I can edit the IP routing table, I can create single NAPT entries with TCP or UDP, inside IP/outside IP, multi-NAPT entries on PPPoA or eth0, and set up a default NAPT server. This is how it looks:
IP address table
Inf, Address/Netmask, Type, Translation

PPPoA_1, 80.126.96.57/32, Auto, napt
eth0, 169.254.141.11/16, Auto, none
eth0, 10.0.0.138/24, User, none
loop, 127.0.0.1/8, Auto, none

IP route table
Destination, Label, Gateway, Intf, Metric

default, from10.0.0.150/32, 80.126.96.57, PPPoA_1, 0
195.190.250.157/32, -, 80.126.96.57, PPPoA_1, 0
80.126.96.57/32, -, 80.126.96.57, PPPoA_1, 0
169.254.141.11/32, -, 169.254.141.11, eth0, 0
255.255.255.255/32, -, 10.0.0.138, eth0, 0
10.0.0.138/32, -, 10.0.0.138, eth0, 0
127.0.0.1/32, -, 127.0.0.1, loop, 0
10.0.0.0/24, -, 10.0.0.138, eth0, 0
169.254.0.0/16, -, 169.254.141.11, eth0, 0
224.0.0.0/4, -, 10.0.0.138*, eth0, 0
default, -, 80.126.96.57, PPPoA_1, 1

So I'm not sure where to "...add a static route in the SpeedTouch...".

And let's say I get the Speedtouch in bridge mode, how do I set up TCP/IP after I've entered the info in the PPPoE tab and how do I modify the NAT config? Is it not confusing to you?

May 9, 2006 9:58 AM in response to EdvanderMeer

"Is it not confusing to you?"

I get confused all the time when too much new stuff "comes along" at one time.

But if you learn bit by bit, slowly building up your total knowledge of networking, you hopefully won't be overwhelmed when the next new thing arrives that you have to learn/fix/solve.

I try not to complicate things (too much) if I can choose myself.
The old "rule" K.I.S.S. (Keep It Simple Stupid) is rather good.

Maybe I have been confusing you, but there's often a whole lot of possible ways to solve networking problems when you have multiple devices with multiple capabilities.


The simplest solution to your present networking needs are probably what I think I did suggest to you earlier:
Drop the 10.0.0.0/24 network/interface on the server and use only the 192.168.0.0/24 interface.

The SpeedTouch has dual IP network settings for its Ethernet.
Maybe you could change one to 192.168.0.254 (/32) and use that as gw to Internet?


If you still want to try using the server instead: in the NAT setup in OS X Server,
in the lower right corner there's a little symbol. Drag that to the desktop.
A file will be the result: NATxxx.plist (don't remember the name).
Open that file in a text editor, find en1 (when PPPoE is configured and "up", one of en0 and en1 is not present, depending on which interface is used for WAN/Internet) and change that to ppp0, save, and drag the file back onto the NAT window and save that setting.

Make sure PPPoE is connected then start NAT and the firewall.

The 192.168.0.1 will be the gw to Internet for LAN clients.

May 9, 2006 10:22 PM in response to Leif Carlsson

How can I drop one interface? en0 is connected to the Speedtouch only,
en1 is connected to our internal network. If I drop one of them no one is connected either to the internet or to the server. I may be stupid. I have also tried your suggestion about the NAT config file. It has the same effect! No connection to the internet, of course, since en0 is connected to the Speedtouch.
I'm figuring out how to make the Speedtouch transparent (bridge mode) if that is a better solution!? I'm getting along with that already. Is it not just a firewall or BIND issue to get local DNS working properly?

May 10, 2006 1:05 AM in response to EdvanderMeer

Connect the modem/router to the LAN switch/hub instead of to the server interface when it's in router mode 😉

For the NAT "hack" you use the server as router and PPPoE connection instead of the modem/router, which then is in modem/bridge mode (no NAT/routing; the modem Ethernet IP number isn't used for the communication, only for setup, it's "transparent").

I had my SpeedTouch configured like that by default from my ISP (I didn't even know it had router capability until much later).

The modem Ethernet IP is only necessary for changing/checking the configuration/connection, ADSL speed up/downstream of the modem and firmware updates when in bridge mode.

May 10, 2006 1:53 AM in response to Leif Carlsson

Hi, there

I've changed the Speedtouch to a SIP-spoof setup so it now acts as a transparent modem. In the en0 WAN interface setting is now my ISP IP and again everything works like it should, except for the resolving of internal names.
Now when I add computers as machines with a static IP and name it seems to work, but not via the DHCP server. How's that?

Not getting crazy 'bout me?

May 10, 2006 3:23 AM in response to EdvanderMeer

What gw IP do you send out via DHCP (see to it that you only "seed" Internal LAN with DHCP - only en0?). Should be server LAN IP 192.168.0.1(?).

Are you sure you get DHCP info on LAN clients?
Could be firewall blocking DHCP requests from 0.0.0.0 IP on UDP port 67/68 (don't remember which is DHCP client).

Test what you get from DHCP on mac OSX client via (in Terminal): ipconfig getpacket en0

For Windows compatibility DHCP (search) domain field needs to be filled in.

In firewall settings turn on logging of denied packets and see to that the firewall allows returning DNS requests from UDP port 53 (usually no problem if you use internal DNS (with or without ISP DNS as forwarders) for LAN clients and the "preset" firewall rules for DNS).

May 10, 2006 4:22 AM in response to Leif Carlsson

First I want to check if I have to set all prefs back to the state after installing the server software, like the hosts file and hostconfig file and so on. Delete my own DNS domain......

In the network interface for LAN I only use the 192.168.0.1 IP and 192.168.0.1 as router and the DNS field is empty. This info I should put in the Server Admin DHCP tab. In the DHCP tab: Default Domain eps-amsterdam.xs4all.nl, Name Servers 192.168.0.1, 194.109.104.104 and 194.109.6.66.

This is from a client machine:
op = BOOTREPLY
htype = 1
dp_flags = 0
hlen = 6
hops = 0
xid = 1442339672
secs = 0
ciaddr = 0.0.0.0
yiaddr = 192.168.0.14
siaddr = 192.168.0.1
giaddr = 0.0.0.0
chaddr = 0:a:95:ef:10:e6
sname = eps-amsterdam.xs4all.nl
file =
options:
Options count is 9
dhcp messagetype (uint8): ACK 0x5
server_identifier (ip): 192.168.0.1
lease_time (uint32): 0x14e20
subnet_mask (ip): 255.255.255.0
router (ip_mult): {192.168.0.1}
domain nameserver (ip_mult): {192.168.0.1, 194.109.104.104, 194.109.9.99}
domain_name (string): eps-amsterdam.xs4all.nl
ldap_url (string):
end (none):

I will turn on Logging of denied packets

May 10, 2006 4:55 AM in response to EdvanderMeer

"Name Servers 192.168.0.1, 194.109.104.104 and 194.109.6.66"

Use only 192.168.0.1 in DHCP and the 194.109.104.104 and 194.109.6.66 as forwarders in /etc/named.conf on server.

And use only 192.168.0.1 or 127.0.0.1 in Network config (one interface is sufficient) on the server also (it should talk to its own DNS).
(This might not be possible with PPPoE ??? or "force" this IP by adding it to your PPPoE interface DNS field (you get an IP by DHCP from the ISP, or the <servername>.eps-amsterdam.xs4all.nl is registered with a static IP 80.126.96.57 / is public?)).

-------- snip ----------

// query-source address * port 53;

// ------ new stuff from here ------

forwarders {
194.109.104.104;
194.109.6.66;
};
forward first;
// listen-on {127.0.0.1; 192.168.0.1; }; <- not necessary, // = remark

};

// ---------- to here ------------

//
// a caching only nameserver config

-------- snip ----------


And turn IPv6 off...


Getting DNS answers from 194.109.104.104 and 194.109.6.66 back to LAN users requires extra firewall rules.
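As an added check (my own script, not something either poster wrote), this parses the `ipconfig getpacket en0` output quoted earlier in the thread and flags a lease that hands LAN clients the ISP resolvers next to the server, which is what the reply above says to avoid: clients that ask 194.109.104.104 directly never reach the eps-amsterdam zone, so local names fail. The packet text is constructed from the values in the thread.

```python
import ipaddress
import re

# Constructed sample in the shape `ipconfig getpacket en0` prints on a Mac client.
SAMPLE_PACKET = """\
op = BOOTREPLY
options:
Options count is 9
dhcp messagetype (uint8): ACK 0x5
server_identifier (ip): 192.168.0.1
lease_time (uint32): 0x14e20
subnet_mask (ip): 255.255.255.0
router (ip_mult): {192.168.0.1}
domain nameserver (ip_mult): {192.168.0.1, 194.109.104.104, 194.109.9.99}
domain_name (string): eps-amsterdam.xs4all.nl
ldap_url (string):
end (none):
"""

# One option line looks like "name (type): value"; the name may contain spaces.
OPTION_RE = re.compile(r"^(?P<name>[\w ]+?) \((?P<type>\w+)\):\s*(?P<value>.*)$")


def parse_options(packet_text):
    """Return {option name: value} for the lines after 'options:'.
    ip_mult values ("{a, b}") become a list of address strings."""
    opts, in_options = {}, False
    for raw in packet_text.splitlines():
        line = raw.strip()
        if line == "options:":
            in_options = True
            continue
        match = OPTION_RE.match(line) if in_options else None
        if not match:
            continue
        value = match.group("value").strip()
        if match.group("type") == "ip_mult":
            value = [v.strip() for v in value.strip("{}").split(",") if v.strip()]
        opts[match.group("name")] = value
    return opts


def check_lease(packet_text, server_lan_ip="192.168.0.1"):
    """Compare a lease with the thread's advice; return a list of findings
    (an empty list means clients get only the internal resolver and gateway)."""
    opts = parse_options(packet_text)
    findings = []
    nameservers = opts.get("domain nameserver", [])
    if nameservers != [server_lan_ip]:
        findings.append(f"nameservers {nameservers}: hand out only {server_lan_ip}")
    for ns in nameservers:
        # A public resolver on the client bypasses the LAN zone; ISP DNS belongs in named.conf forwarders.
        if not ipaddress.ip_address(ns).is_private:
            findings.append(f"public resolver {ns} sent to LAN clients")
    if not opts.get("domain_name"):
        findings.append("domain_name empty: Windows clients need a search domain")
    if opts.get("router") != [server_lan_ip]:
        findings.append(f"router {opts.get('router')}: should be {server_lan_ip}")
    return findings
```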
