DNS, Open Directory, and wow my head hurts
OK, I’m slowly pulling my ear hairs out over this. My comprehension of the DNS world is modest at best (I know enough to get into trouble). I did not set up most of this (not the DNS parts anyway), and I’m trying to unravel what exactly is going on. Maybe it’s exactly as it should be; but it seems awfully convoluted to me, so if you’re bored and want to show off your expertise and ability to explain it to a kindergartener, please read on…
Let’s say my Domain is mydomain.com. (You can probably figure out what it really is, but I’d rather not sprinkle a post with it.)
Our firewall is a Sophos UT320. It obviously supports forwarding of DNS info from our ISP. While its own documentation says it does not have a full-fledged DNS server, it does have something called “Static Entries” which seems to be a bare-bones DNS server of sorts. I can set any static domain name (myserver.mydomain.com for example), point it to a server on our LAN, and everyone internally can get to that server by using myserver.mydomain.com instead of 192.168.blah.blah. It also supports reverse DNS, so if I issue a host 192.168.blah.blah command from my computer, I get “blah.blah.168.192.in-addr.arpa domain name pointer myserver.mydomain.com.” My guess is that it’s only serving up A records. No one from outside our LAN can access these servers or records (unless they’re on a VPN of course).
Now, in our LAN, we have a bunch of Mac Servers. Our Open Directory server has DNS service enabled on it, and the primary zone is set to od.mydomain.com. It has some A records pointing to myserver.mydomain.com, myotherserver.mydomain.com, etc.
Another server, located at myserver.mydomain.com, has a DNS service whose primary zone is mydomain.com (yes, it matches our external domain name). It contains A records for itself, the OD Server, and others.
Reverse lookup works fine throughout the LAN.
All DNS Servers’ Forwarders are our router.
I did a test where I turned off all these internal DNS servers (yes, there’s more) and pointed all the servers to the router. It seemed fine at first, I could issue HOST commands to and from every server to every other one and resolve both names and addresses. The router seemed to be doing fine.
After a day or so (I assume after the TTL elapsed), people started getting permissions errors on the servers, so I turned it all back on.
This is with 10.6.8 Servers (one is running 10.9 but it doesn't seem to have DNS running).
So here are my questions:
Why would my OD Server’s DNS Service’s primary zone be “od.mydomain.com” and not just “mydomain.com”?
Does it make sense (or even matter) to have these DNS entries ending in mydomain.com when that’s our website’s address? (We host our own site and email server, btw.)
Why would OD not work after all these DNS Servers were turned off, when HOST command shows it can get to every other machine and they can get to it? What else, besides the A record and reverse lookup, could be included in the full-blown DNS servers that wouldn’t be in the Sophos bare-bones one, but still allow reverse lookups to function? What else does OD want from DNS??
Wouldn’t it be better, even if this all was necessary, to set up a single internal DNS Server (ok, maybe plus a backup)? Why would this service be running, with a variety of A records, on almost every server we have?
Is there a site that can explain DNS, and actually define every acronym, abbreviation, etc. it uses? Every time I try to learn something I go down a wiki rabbit hole.
Thanks!
Jeff