DNS not resolving on the server - resolves fine on the LAN

Hello all - I just had an odd experience and I thought I'd share it, hopefully gathering some comments.

I performed a fresh install of Tiger Server on my PowerMac last night, with the intention of testing the installer's ability to set up services, particularly Open Directory.

I enabled DNS, AFP, and Open Directory in the installer (first boot after install). The server configured itself and when I logged into admin for the first time I went to Server Admin, where I found DNS, AFP, and Open Directory running. This surprised me as Open Directory was always a bear to get Kerberos running correctly, and here I found Kerberos was running even though there were no entries in DNS.

I went about configuring the rest of my services, DHCP, NAT, Firewall, and so on. When I finally open Workgroup Manager to add some OD users, I find I cannot create home folders. I head to Terminal where I find this:

server:/ admin$ host 10.1.1.1
Host 1.1.1.10.in-addr.arpa not found: 3(NXDOMAIN)
server:/ admin$ host server.ishcabittle.private
Host server.ishcabittle.private not found: 3(NXDOMAIN)

The server cannot see itself for some reason. I had set up a nameserver, server.ishcabittle.private residing on the router address of 10.1.1.1 in my local subnet. I made sure that the DNS server 10.1.1.1 was listed on my subnet's ethernet interface, Built-in Ethernet.

host -v 10.1.1.1 returns the same, only listing a Comcast server for some reason. My guess is that setting up DNS during install hard wired the comcast DNS server as the permanent nameserver. I've edited /etc/hosts to include 10.1.1.1 server.ishcabittle.private, I've edited hostconfig to include HOST=server.ishcabittle.private (although I've read that 10.4.6-7 doesn't need this entry, it was the only thing that got Kerberos running on my previous install). Not sure what else to do.

Is there a permanent DNS record established during install? If so, where can I find this config file? None of these contain what I'm looking for:

/private/etc/.hostconfig.swp
/private/etc/hostconfig
/private/etc/hostconfig.personal
/private/etc/hosts
/private/etc/hosts.equiv
/private/etc/hosts.lpd

I'm pretty much going to reinstall anyway, I'll most likely do so without the cable modem plugged in.

PM G4 533MHz; iBook G4 1.33MHz; Powerbook G4 Titanium 867MHz, Mac OS X (10.4.7)

Posted on Sep 14, 2006 9:34 PM


Sep 14, 2006 9:40 PM in response to Ed Morris

"Resolves fine on the LAN" is actually only when pointed to the server. My iBook sees the server just fine:

Trying "1.1.1.10.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38759
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;1.1.1.10.in-addr.arpa. IN PTR

;; ANSWER SECTION:
1.1.1.10.in-addr.arpa. 86400 IN PTR server.ishcabittle.private.

;; AUTHORITY SECTION:
1.1.10.in-addr.arpa. 86400 IN NS server.ishcabittle.private.

;; ADDITIONAL SECTION:
server.ishcabittle.private. 86400 IN A 10.1.1.1

Received 111 bytes from 10.1.1.1#53 in 14 ms

So the nameserver should be functioning correctly, right? When I look up another computer on the network:

Trying "5.1.1.10.in-addr.arpa"
Host 5.1.1.10.in-addr.arpa not found: 3(NXDOMAIN)
Received 120 bytes from 10.1.1.1#53 in 4 ms

Local addresses are not resolving when using the server. Interestingly enough, external addresses resolve fine:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8053
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 9, ADDITIONAL: 4

;; QUESTION SECTION:
;www.apple.com. IN A

;; ANSWER SECTION:
www.apple.com. 1484 IN CNAME www.apple.com.akadns.net.
www.apple.com.akadns.net. 60 IN A 17.254.0.91
(cut for brevity)
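As an added example, not part of either post above, here is a small check that compares what the resolver returns for a host's A and PTR records against what the zone is supposed to contain. It is the same forward/reverse test that changeip -checkhostname performs for the server itself, extended to the other LAN hosts; the 10.1.1.5 lookup above (forward name, no PTR) is exactly the case it flags. It parses the output of BIND's host in both its plain and -v forms; the client hostname in the usage note is made up, and the 10.1.1.1/server.ishcabittle.private pair comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): forward/reverse consistency check
# for hosts a Tiger Server zone is expected to carry. Assumes BIND's
# `host` utility; the names and addresses passed in are whatever your zone
# should contain.

# Extract the target of a PTR answer from `host` output, plain form
#   "1.1.1.10.in-addr.arpa domain name pointer server.example.private."
# or -v form
#   "1.1.1.10.in-addr.arpa. 86400 IN PTR server.example.private."
ptr_of() {
    sed -n -e 's/.* domain name pointer \(.*\)\.$/\1/p' \
           -e 's/.*[[:space:]]IN[[:space:]]PTR[[:space:]]\(.*\)\.$/\1/p' | head -n 1
}

# Extract the address from an A answer, plain form
#   "server.example.private has address 10.1.1.1"
# or -v form
#   "server.example.private. 86400 IN A 10.1.1.1"
addr_of() {
    sed -n -e 's/.* has address \([0-9.]*\)$/\1/p' \
           -e 's/.*[[:space:]]IN[[:space:]]A[[:space:]]\([0-9.]*\)$/\1/p' | head -n 1
}

# Compare the expected name/address pair with what the resolver said.
# $1 = fqdn, $2 = address, $3 = forward lookup output, $4 = reverse lookup output
# Returns 0 when both directions agree, 1 otherwise, and prints why.
check_pair() {
    fwd=$(printf '%s\n' "$3" | addr_of)
    rev=$(printf '%s\n' "$4" | ptr_of)
    rc=0
    if [ "$fwd" != "$2" ]; then
        echo "FAIL $1: A record is '${fwd:-<none>}', expected $2"; rc=1
    fi
    if [ "$rev" != "$1" ]; then
        echo "FAIL $2: PTR is '${rev:-<none>}', expected $1"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1 <-> $2"
    return $rc
}

# Live check against a specific DNS server (third argument, optional;
# without it `host` uses the resolver the system is configured with).
check_live() {
    # $3 is left unquoted on purpose so an empty server argument vanishes
    check_pair "$1" "$2" "$(host "$1" $3 2>&1)" "$(host "$2" $3 2>&1)"
}
```

On the server itself, check_live server.ishcabittle.private 10.1.1.1 10.1.1.1 asks the local named directly, which separates "the zone is wrong" from "the system resolver is pointed somewhere else"; running the same pair without the third argument tests the resolver the services actually use. A FAIL on the PTR side for a LAN client (for example check_live ibook.ishcabittle.private 10.1.1.5 10.1.1.1) means the reverse zone needs that record added.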

Sep 15, 2006 12:11 AM in response to Leif Carlsson

Built in ethernet is the internal interface, PCI Ethernet is external.

changeip -checkhostname displays this, even run with sudo:

Use - for node path to update the local node only,
eg. changeip - 11.0.1.10 11.0.1.12


/usr/sbin/changeip must be run as root

Do I need to reboot into single user mode for this?

One thing I did notice was the priority of the NICs either broke or fixed the internet and DNS. With Built In Ethernet first, "host" finds the server right where it should be, 10.1.1.1 = server.ishcabittle.private, but no internet access for anyone on the LAN nor the server. With PCI Ethernet first, DNS no longer resolved the server's IP address on the LAN but everyone on the network got internet access.

Sep 15, 2006 12:18 PM in response to Leif Carlsson

Running Tiger Server, and changeip -checkhostname still asks to be run as root.

I have the server's own IP as the DNS server in Network config.

Hostname gives:
server.ishcabittle.private

hostname -v 127.0.0.1 gives me an error, illegal option:

server:~ admin$ sudo hostname -v localhost
hostname: illegal option -- v
server:~ admin$ sudo hostname -v 127.0.0.1
hostname: illegal option -- v

When attempting sudo hostname -s 127.0.0.1, no information is returned, but then hostname <enter> gives: 127.0.0.1.

Is there a way to keep the priority of your interfaces where you need it for DNS but still get internet access?

Oct 17, 2006 7:16 PM in response to Leif Carlsson

Hi, I'm having a similar problem - on my MacPro I have two ethernet ports, one for the WAN, the other for the LAN, and DNS is only resolving for the LAN port.

I would like to get OD and VPN working, which I believe means my LAN port must be en0 - the primary interface (please confirm). But this makes the secondary interface (en1) be the WAN, and for some reason if the WAN is the secondary interface, I cannot connect to the internet.

Is anyone aware of a working setup where a single MacPro with two ethernet ports is able to function with DNS, DHCP, OD, VPN, FW, and NAT without using a router? (i.e. static IP is plugged directly into one of the ports)

I've been banging my head on this setup for days now so would appreciate any kind of advice.

Thank you!

macpro Mac OS X (10.4.8)

Oct 18, 2006 12:02 AM in response to matchan

We have done what you ask for several times, so of course it works; that you have an Intel Mac doesn't matter (it only makes it go faster).

It doesn't make any difference what interface you use as long as you make the Internet one the top one of the list in Network config (drag it - where you can add interfaces).

I never used the Gateway Assistant, but if you have, it should have taken care of things like this, and the router field in Network config on the LAN interface should either be empty or have the same IP as the interface.

For NAT to work the firewall needs to be running (and your server becomes a/the router with NAT and ipforwarding on).

If running your own DNS, use only that IP in both server and clients (DHCP) DNS config. Using your ISP DNSes as forwarders in /etc/named.conf usually speeds up lookups and turning off IPv6 helps too.

Turn on logging of denied packets in the firewall so you can see what packets are denied.

I had problems doing DNS lookups from LAN with server "preset" firewall rules, using the server DNS worked fine. To make those lookups work I had to allow returning UDP packets from port 53 to any to the private LAN IP range through.

Depending on what you want a simple firewall rule allowing everything (allow ip) from LAN->WAN with a keep-state at the ends creates temporary rules when necessary. You might have to enter this in the advanced settings.

I would prevent mDNS/Bonjour and NetBIOS (if using Samba) out via the Internet interface. Samba can be made to only work on the internal interface with a statement in /etc/smb.conf, but Bonjour needs firewall rules (or to be turned off? - not possible in Tiger Directory Access though - maybe by using Lingon).

For VPN also allow ESP and/or GRE in the firewall. ESP for when the client has a public IP and GRE for PPTP.
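The following is an added example, not part of the reply above or of any Apple tooling: an ipfw rule set that puts those points together for a dual-homed Tiger Server, namely NAT with the firewall on, stateful LAN to WAN traffic, logging of denied packets, no Bonjour or NetBIOS out the public port, the VPN protocols in, and no DNS service to the Internet. The interface names (en0 LAN, en1 WAN), the LAN range and the rule numbers are assumptions. It assumes natd is already running on the WAN interface and is meant to replace, not sit beside, the rules Server Admin generates, so on a managed server the equivalent goes into its Advanced firewall settings.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for a dual-homed Tiger
# Server. Interface names, LAN range and rule numbers are assumptions.
# Assumes natd is running on $WAN_IF and that these rules replace the ones
# Server Admin writes (enter the equivalent in its Advanced settings).
WAN_IF=${WAN_IF:-en1}            # port on the cable modem / public IP
LAN_IF=${LAN_IF:-en0}            # port on the private LAN
LAN_NET=${LAN_NET:-10.1.1.0/24}

# Print the rule set, one "add ..." line per rule, so it can be reviewed
# and tested before anything touches the live firewall.
gen_rules() {
    echo "add 10 allow ip from any to any via lo0"
    # The LAN side is trusted; services are reachable on the LAN IP.
    echo "add 20 allow ip from any to any via $LAN_IF"
    # Un-NAT inbound packets first, so check-state sees the private
    # address that the keep-state rule below recorded.
    echo "add 30 divert natd ip from any to any in via $WAN_IF"
    echo "add 40 check-state"
    # Keep Bonjour (mDNS) and NetBIOS/SMB off the public interface. These
    # must precede the stateful allow rules or they never match.
    echo "add 50 deny log udp from any to any 5353 out via $WAN_IF"
    echo "add 60 deny log udp from any to any 137-139 out via $WAN_IF"
    echo "add 70 deny log tcp from any to any 137-139,445 out via $WAN_IF"
    # LAN -> Internet: record state, then jump to the outbound NAT rule.
    # Replies (UDP 53 answers from the forwarders included) come back via
    # rule 40, so no separate "allow udp from any 53" hole is needed.
    echo "add 100 skipto 500 ip from $LAN_NET to any out via $WAN_IF keep-state"
    # The server's own outbound traffic (e.g. named talking to forwarders).
    echo "add 110 allow ip from me to any out via $WAN_IF keep-state"
    # VPN from the Internet: IKE and NAT-T plus ESP for L2TP/IPsec,
    # the PPTP control channel plus GRE for PPTP.
    echo "add 200 allow udp from any to me 500,4500 in via $WAN_IF"
    echo "add 210 allow esp from any to me in via $WAN_IF"
    echo "add 220 allow tcp from any to me 1723 in via $WAN_IF"
    echo "add 230 allow gre from any to me in via $WAN_IF"
    # The internal resolver answers the LAN only. Drop these two if this
    # server is authoritative for a public zone.
    echo "add 300 deny log udp from any to me 53 in via $WAN_IF"
    echo "add 310 deny log tcp from any to me 53 in via $WAN_IF"
    # Default deny, logged, so the firewall log shows what was blocked.
    echo "add 499 deny log ip from any to any"
    # Outbound NAT for the flows rule 100 approved.
    echo "add 500 divert natd ip from any to any out via $WAN_IF"
    echo "add 510 allow ip from any to any"
}

# Number of the first rule whose text contains $1; used to check ordering.
rule_num() {
    gen_rules | awk -v pat="$1" 'index($0, pat) { print $2; exit }'
}

# Load the rules and enable forwarding and logging of denied packets.
apply_rules() {
    sysctl -w net.inet.ip.forwarding=1 >/dev/null
    sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
    ipfw -q -f flush
    gen_rules | while read -r rule; do
        # splitting $rule into words is intended: each word is an ipfw token
        ipfw -q $rule
    done
}
```

The order matters more than the individual rules: the inbound divert sits before check-state so replies are matched against the private address the state was recorded with, the deny rules for mDNS and NetBIOS sit before the keep-state rules so they are hit on the first packet of a flow, and the skipto sends only approved LAN flows through the outbound natd rule. Review the list with gen_rules before running apply_rules as root, and watch the log (denied packets appear via syslog once fw.verbose is set) from a LAN client doing a lookup and a web fetch.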

Oct 18, 2006 12:40 AM in response to Leif Carlsson

Thanks Leif. I managed to get most things working as you'd expect, except that I am uncertain about the setup when it comes to Open Directory. The DNS I setup on my server maps the WAN IP to the server name, so OD ends up on the WAN IP. Is this not a security concern?

I have DHCP working for the LAN side on the secondary ethernet port, which means all of my clients are on a different subnet from the OD. Also, my DNS is setup on the WAN IP and not the LAN IP, so there is no DNS to nicely set names to IPs for the LAN side. I did try setting up another zone for the LAN side, but then I received some sort of mis-match error (can't recall if it was from OD or changeip or what) - something about the machine handling two different IPs each with a unique name.

At one point I had shared folders working (broken now, ugh) and an account under Workgroup Manager showed this under Account Summary:

Location: WAN-IP/LDAPv3/127.0.0.1
Home: afp://LAN-IP/Users/username

Maybe this is nothing unusual, but I am new to this so apologies if this is obvious. I was under the impression DNS, DHCP, and OD should be running only on the LAN side, but I have not been able to do this because OD must run on the primary interface (which connects to the WAN). It just seems a bit odd to me that I would be running a DNS on a WAN IP when all I really need is a DNS for the LAN side ... is this just a limitation caused by the primary interface needing to be the WAN interface and the OD IP?

Would kindly appreciate a clarification on this.

Thank you!

Update: the following post is very similar to my question, but remained unresolved:

http://lists.apple.com/archives/Macos-x-server/2006/Mar/msg01463.html

In my situation, I would like VPN to work as well, which seems to require OD on the primary interface as well - again, which places my LAN clients on a different subnet from the OD...

Oct 18, 2006 1:42 AM in response to matchan

"which means all of my clients are on a different subnet from the OD"

This shouldn't matter if you use the same domainname for "both" (DHCP LDAP setting).

When running a service in the server with dual interfaces, that service is usually present on both interfaces/IPs, if you haven't blocked it with the firewall. Also when both interfaces are in the same machine, there should be very little "overhead" for the server services since no "real" routing should be involved. Try a portscan on the internal interface to see what services are running.

(I try to keep the firewall config as simple as possible by not blocking traffic from LAN->WAN.)

The "problem" with having your own DNS, with a public IP, is if you use it to resolve your public domainname for your public services too. You don't want it to also resolve to internal IPs for internal names when requested from Internet IPs. This can be fixed by using BIND views.

If your DNS isn't responsible for hosting your "real" public domainname, there's usually no problem. You can also block requests to your ("internal") DNS from Internet using the firewall.

I have sometimes been using the same domainname internally as on Internet, having to put the public IPs (manually duplicating them from the public server maybe hosted elsewhere) in with the private ones in the same internal server DNS config. Maybe not "neat" but works. You'll get dual reverse zone files, one for the internal private network and one for the public IP reverse records.

When connecting to the VPN you use the public IP as the gateway (tunnel endpoint) to your private LAN and then use only internal IPs to get at the services on the LAN (for both LAN and VPN use) - including the ones in the server (the server's LAN interface IP). This is why using only private IPs (or setting up a record/"alias" for the internal interface IP and using that) in the DNS (should work) might be a good idea.
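As an added example, not from either of the replies above, here is an /etc/named.conf that does what they describe: forward to the ISP resolvers (the earlier reply's speed-up), keep IPv6 off, and use BIND views so the LAN sees the private zone and the private addresses inside the public domain name while the Internet sees only the public zone and gets no recursion. All addresses, zone names and file paths other than ishcabittle.private and 10.1.1.1 are placeholders: 203.0.113.10 stands for the public IP, 198.51.100.x for the ISP resolvers, example.com for the public domain. Server Admin's DNS pane rewrites this file, so hand edits only survive if the DNS service is not managed from there.

```conf
// Added example, not from the thread: split-view named.conf for a
// dual-homed Tiger Server (BIND 9). Addresses and zone names are placeholders.

acl "lan" { 127.0.0.1; 10.1.1.0/24; };

options {
    directory "/var/named";
    // Answer on loopback, the LAN IP and the public IP; nothing on IPv6.
    listen-on { 127.0.0.1; 10.1.1.1; 203.0.113.10; };
    listen-on-v6 { none; };
    // Send everything this server is not authoritative for to the ISP
    // resolvers. "forward first" would instead fall back to full recursion.
    forwarders { 198.51.100.53; 198.51.100.54; };
    forward only;
};

// Queries from the LAN, including the server itself when its own resolver
// is set to 10.1.1.1, see the private names and may recurse.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    zone "ishcabittle.private" {
        type master;
        file "internal/ishcabittle.private.zone";
    };
    zone "1.1.10.in-addr.arpa" {
        type master;
        file "internal/1.1.10.in-addr.arpa.zone";
    };
    // Same public domain name, internal data: private IPs for hosts on the
    // LAN, public IPs copied from the public zone for everything else.
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// Everyone else (the Internet) gets only the public zone, no recursion,
// and never sees a 10.x address.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Check the syntax with named-checkconf /etc/named.conf before reloading, then confirm the split from both sides: host server.ishcabittle.private 10.1.1.1 from a LAN client must return 10.1.1.1, and a lookup of a name in the public zone from outside must return only public addresses and must not be able to recurse for unrelated names. If the server is not hosting a public zone at all, the "external" view can be dropped and queries to port 53 on the public IP blocked in the firewall instead, as the reply above suggests.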
