
access server within domain not working

When I am within my domain I want to access my server.

However its hostname server.mydomain.com does not work.


In Terminal hostname gives server.mydomain.com


nslookup server.mydomain.com

gives the right IP


nslookup 10.0.xxx.xx ..the IP number reverses to server.mydomain.com.


But if I put in afp://server.mydomain.com

it does not work.


I have to put in the ip number..


This worries me because it is not expected behavior.


WHY?

Pierre

Mac mini Server (Mid 2010), OS X Server

Posted on Feb 3, 2016 4:18 PM


Feb 3, 2016 6:17 PM in response to Pierre Froelicher1

When you say "put in afp://server.mydomain.com" are you referring to using the Go - Connect to Server menu item in Finder - or are you trying to enter the afp://server.mydomain.com in some other location where it is expecting a hostname and not a URL? Basically - if nslookup is giving you the correct results - both forward and backward - then your DNS is probably working. I can give a better answer if I know exactly where you are trying to enter the server host name.


Also - on the client Mac - make sure that your 10.0.x.x server IP is listed as the first DNS server in Network settings on the client side as well (if your router isn't already automatically handing out 10.0.x.x as the first DNS server).


The default self-signed server certificates should work for all functionality - and I don't believe an AFP file share uses a certificate.


~Scott

Feb 4, 2016 2:59 AM in response to SBeattie2

Scott, thank you for the reply,


Yes, I try to access in the Finder with the Go command. But also in other places, like defining the directory server for network access, the hostname would not work.

For my domain I have given the server's IP as nameserver, I think in the router I give some outside servers, for VPN I give the router's address as DNS server.


Do you think I should put the internal server IP as first choice in the router?

I already give there mydomain.com as search domain.

Yours, Pierre

Feb 4, 2016 5:35 AM in response to Pierre Froelicher1

Scott,

I just looked it up.


My router is at 10.0.xx.1 (he is the gateway to internet, has two DNS entries: 8.8.8.8 and some local Brazilian one)

My host is at 10.0.xx.10 (he is the NS for my domain.com, he has as forwarding servers two outside servers)

If I put 10.0.xx.10 as the DNS server in client machines it works.

Clients all have 10.0.xx.1 (the router) as DNS server.




The clients all pull the Router as dns server.


I do not want to go to each client and put 10.0.xx.10 in the DNS field.

Can I make it centrally in the router (which is an AEBS)?

Yours

Pierre

Feb 4, 2016 8:26 AM in response to Pierre Froelicher1

Yes - you want to put the local OS X Server IP as the first server in the router's DHCP settings - so that every client will receive the correct list of DNS servers. In this case you would set the router's DHCP DNS settings to 10.0.x.x, 8.8.8.8 (don't worry about the Brazilian DNS server here). This will result in every client computer/device receiving the correct two DNS server IP addresses.


On the client computer(s) - you don't need to change anything - other than maybe they need to renew their DHCP leases or have them reboot.


On the network settings of the OS X Server Mac - make sure that you specify 127.0.0.1, 8.8.8.8 as the DNS. The OS X Server itself will use its own loopback address. Theoretically you should just use 127.0.0.1 (and only have the local loopback here). You can try both ways.


In the DNS Setup screen of Server.app - for forwarding servers you can specify 8.8.8.8 and your Brazilian DNS. Keep in mind that forwarding servers are not required. See below how resolution works when one or more forwarders are specified:


With no forwarders: The OS X Server DNS server will look in its cache - if the cache does not return a result - OS X server will determine if it is authoritative for the requested domain - if so - it will get the answer locally. For any other domain - OS X Server will resolve the query by actually going to the root servers and will provide a response - which it will then cache. Depending on your typical DNS queries - it could be more efficient than using a forwarder.


With forwarders specified: The OS X Server DNS server will look in its cache - if the cache does not return a result - OS X server will determine if it is authoritative for the requested domain - if so - it will get the answer locally. For any other domain - OS X Server will consult the first forwarder to resolve the query. If the forwarder is responding - it will return a success or fail result. If first forwarder not responding - the second server will be consulted. Resolution stops when one of the servers provides a success or fail response.


The important thing to realize with the forwarders is that if forwarders are specified - only the forwarders are used to resolve external names - the local OS X Server DNS Server will not consult the root servers. If the forwarders aren't accessible or if they don't have the answer - the query terminates.


My description of the resolution process may not be 100% correct - but the concept of what happens with forwarders was the point I was trying to make.


Basically - you should experiment by using forwarders and not using forwarders - to determine which is more efficient - it may not be immediately obvious.


One last thing: You should make sure that port 53 (the DNS port) is closed on your router. You don't want your private DNS server accessible to the public - as this can cause problems. (if you believe you have a need to open port 53 on your router - please explain the reasoning for doing so).


~Scott

Feb 10, 2016 10:00 AM in response to SBeattie2

Scott..

..it solved nearly all of my problems.

If in the router (AEBS) I put the NS as a DNS server... the "guest network" cannot connect to the internet anymore.


An AEBS gives you the option to offer a "guest network" with another IP pool so people can access the internet but do not see all your devices on your internal net.


However, they use the same router (the AEBS). If in that router I name a DNS server with an internal IP of my network... their DNS does not work.

Even if I put first 8.8.8.8 and then 10.0.xxx.xx (my internal NS) it would not work.

Any suggestions?

Feb 10, 2016 2:48 PM in response to Pierre Froelicher1

I'd leave off all references to all DNS servers located off your NAT'd network — reference just your local DNS server(s) — in static IP configurations, as well as in DHCP configurations. The order of DNS servers used by DHCP clients is not deterministic, not particularly standardized, and the behavior and processing of a list of DNS servers acquired with a DHCP-provided IP address has changed across (among other platforms) OS X.

Feb 11, 2016 4:12 AM in response to MrHoffman

Mr. Hoffman,

Do you mean that in the router I give only the local NS and there I give some outside servers... or nothing?


You did understand that everything worked EXCEPT the guest network, when I put the local NS IP and 8.8.8.8 in the DNS setting of the router.



Router 10.0.117.1, dns 10.0.117.10

NS 10.0.117.10, forwarding server..? some outsider? or nothing?


guest network 172.0.1./24

Thanks for your reply!

Pierre

Feb 11, 2016 11:54 AM in response to Pierre Froelicher1

The only widget on your network that should be contacting other DNS servers is your own DNS server(s). If other boxes are picking from the list of DNS servers, some may be picking from the list of servers and getting a DNS server that won't resolve local DNS names.


Guest networks are somewhat more complex, I usually prefer to isolate those via physical switch or VLAN or DMZ, and in these configurations, vending only the addresses of public DNS servers or of a DNS resolver that might be available in your gateway box can be entirely appropriate. This unless you have local devices in the guest network, or want some way to refer to the gateway or other devices that guest might want or need to access; guest printers, for instance.


FWIW (and I don't know what you're using for the guest network), the Apple AirPort and Apple Time Capsule do not work very well with a guest network when local servers are involved. Those devices — at least in all of the firmware versions I've checked — don't have any way to differentiate DNS services between guest and non-guest networks. I much prefer a slightly higher-end box as the gateway, in any case. (I haven't looked to see whether the OS X Server DHCP server can vend different DNS addresses, but I suspect it can. But you probably don't want to allow access to your server from the DNS server — as that tends to open up rather more access than just DHCP — and which then means using some other DHCP server that is accessible within the guest network.)


I'd probably park the guest network in another subnet of the 10.0.0.0/8 block, but that's personal preference. FWIW, 172.0.1.0/24 is a public IP block and (based on a quick look) assigned to sbcglobal.net, and is not a private IP address block. You were undoubtedly aiming for 172.16.0.0/16 here, which is a private address block.


My preference here is the ZyXEL ZYWALL USG series, which are comparatively inexpensive and quite capable and consistent, though the USG series are not "introductory" networking devices, and do expect the gateway administrator to have some familiarity with IP and subnets and routing, with VPNs, and with DMZs. (I have no financial links with ZyXEL here, beyond having purchased various products.)


khaled80024059, I do not understand your question or your concern, nor whether your question is related to OS X Server and its associated DNS server configurations. If you were seeking to ask a question or to raise a concern with DNS or with iPhone devices, I'd suggest starting your own topic here in the Apple discussion forums, and please consider providing some more background information and a longer description of the problem(s) or issue(s) you are encountering. Thanks!

Feb 13, 2016 12:43 AM in response to Pierre Froelicher1

-Pierre - Please be sure to read all of Mr. Hoffman's valuable advice. I am going to assume that you have a pretty small environment - with just a few users that actually require access to your OS X Server - and some number of "guest" users that require only access to the internet and nothing else. I'm also assuming that you have very few records in your OS X Server DNS (the required entries for the server itself and possibly for a few local devices). If this is not true - then my suggestions that follow may not be a suitable solution for your issue - but still you may want to consider them - at least as an interim solution.


First: The reason that you are having trouble with the guest network on your Airport router is due to the fact that Airport routers implement the guest network by using a different subnet (typically defaulting to 172.16.42.x/24) for the guest network. The Airport router does not provide any routing between the two subnets - thus it is not possible for guests to access 10.0.x.x/24 or vice-versa. The Airport router hands out the same two DNS server addresses to both the local 10.0.x.x/24 clients as well as guests. Thus - when you specify 10.0.x.x and 8.8.8.8 (regardless of the order) - all clients (including the guest network) receive these two addresses. The DNS resolver (in each client device) - expects that the two DNS server addresses that it receives from DHCP are going to be "logically" reachable (meaning that there is a route to each). The resolver on clients in the 10.0.x.x/24 subnet can reach both 10.0.x.x and 8.8.8.8 - but - the resolver on clients in the guest subnet (172.16.42.x/24) cannot "logically" reach the 10.0.x.x DNS server because it fails with a "no route to host" error - and does not attempt to try the 8.8.8.8 (which is reachable). Resolution "terminates" because one of the two DNS servers cannot logically be reached - even though the server is actually available - and thus there is no access to the internet from the guest network. For clients on the 10.0.x.x/24 subnet - external resolution would still succeed (even if the OS X DNS Server was shut down) - because both servers are logically reachable - and since 10.0.x.x is down (it is considered as not responding or not available) and the resolver then attempts to query 8.8.8.8 - and clients on the 10.0.x.x/24 subnet would still get internet access to external websites/hosts. The guest network functionality in Airport devices really does NOT work well (or at all) when a local DNS server is involved - and the local DNS server IP is one of the two DNS Server IPs handed out to clients.
The Airport router really needs to allow "guest" DNS servers to be specified - but currently that is not an option.


Quick Resolution - without having to change any of your hardware (at least not at this time):


1. On your Airport Router - set your DNS Servers to one of the following:

a. 8.8.8.8 / 8.8.4.4 (Google DNS)

b. 208.67.222.222 / 208.67.220.220

c. Leave the DNS Servers blank (the DNS servers from your ISP will be used - and should show up in a light grey font)


Note: you can enter your search domain here (for example: example.com) The search domain will be handed out to the guest network as well - but it will not really perform any function there - and should not cause any problems either.


The above settings will handout "reachable" DNS servers to every DHCP device on the local as well as the guest network but not provide any access to your local DNS server (this is addressed in the next step).


2. Override DNS server setting only on local client devices that require access to your OS X Server (Desktops, portables, handhelds, etc). This is feasible only in a small environment - but may be worth the effort to get your environment up and running while you determine how to implement a better solution. You do not need to do a manual override on devices such as NAS drives, printers, and other network devices that don't directly access your server.


For Macs: Open system preferences / network - for both Ethernet and Wifi (in the advanced settings) click the DNS tab. In the DNS servers list - remove any servers that are currently listed (the ones that are DHCP provided are grey and will disappear after you enter a manual ip address). Click the + (plus) sign to enter a new server - enter your 10.0.x.x DNS server - and only that server - no other DNS servers should be listed.

For iOS Devices: In the wifi settings connect to each wifi access point that will be used on the network and tap the arrow to the right of the network name. This will bring up the network settings. Tap on the DNS servers (it will be a comma-separated list of IP addresses - from DHCP) - enter your 10.0.x.x DNS server - and only that server - no other DNS servers should be listed.


For Windows PCs and other non-Apple devices - use the appropriate procedure for those devices to override the DNS settings and enter your 10.0.x.x DNS server.


Once all the devices needing server access have been overridden you will have accomplished the following:


1. All devices not requiring access to OS X Server - will have internet access - by default from DHCP - Guest network included. If OS X Server is down for maintenance - these devices will still have uninterrupted access to the Internet.


2. Any devices that do require access to OS X Server - will get their IP address and search domain via DHCP - but will use the overridden 10.0.x.x DNS server and will have access to the Internet and to OS X Server services. When OS X Server is down for maintenance - these devices will not have Internet access.


Next Step (for a better solution):


1. Set up profile manager on OS X Server.

2. Enroll the devices (Macs and iOS devices) that require a DNS override.

3. Set up a network profile that you can push to devices that will automatically or manually be pushed to these devices to override the DNS server settings to use OS X Server.


Other Alternatives (requires hardware changes).


Use a different router (ASUS RT-AC68U) - or one that has VLAN style Guest Network functionality (some routers provide multiple guest networks) and do not have the local DNS server conflict.


Attempt to use DHCP service on OS X Server. I don't recommend this if your environment is small. You want to use a built-in router DHCP server whenever possible.


Get an inexpensive Netgear managed switch. This will allow you to set up port-based VLANS. You would need to put a separate Wifi Access point on a VLAN by itself - to provide guest network functionality - but it also may require some redesign of your network. There is planning required for this solution.


The important thing is that you implement a solution that is going to suit your needs and provide security as well as not taking up all of your time. If you are finding that you are spending all your time troubleshooting something or trying to trick something into working correctly - you would be far better off to buy something better to replace it.


Mr. Hoffman - Do you agree?


~Scott
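
An added example, not part of the replies above and not code from any poster or from Apple: a small Python audit of a DHCP/DNS hand-out plan that flags the two problems the replies identify, a guest range outside RFC 1918 space and a segment handed a resolver it has no route to, plus the mixed local/outside resolver list advised against earlier in the thread. The plan layout, segment names, the /24 on the LAN, and the function names are assumptions; the addresses are the ones quoted in the thread, and the second plan assumes a gateway that can hand out different DNS servers per segment.

```python
import ipaddress

# RFC 1918 private IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr):
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)

def audit_dhcp_plan(segments, routes=frozenset()):
    """Return (segment, finding) tuples for a hypothetical plan layout.

    segments: {name: {"subnet": CIDR, "dns": [ip, ...]}}
    routes:   (src, dst) segment pairs the gateway forwards between.
    A resolver outside every local segment is assumed reachable via the
    internet gateway (simplification).
    """
    nets = {n: ipaddress.ip_network(c["subnet"]) for n, c in segments.items()}
    findings = []
    for name, cfg in segments.items():
        if not is_rfc1918(cfg["subnet"]):
            findings.append((name, f"subnet {nets[name]} is not RFC 1918 space"))
        local, outside = [], []
        for server in cfg["dns"]:
            addr = ipaddress.ip_address(server)
            owner = next((s for s, net in nets.items() if addr in net), None)
            if owner is None:
                outside.append(server)
                continue
            local.append(server)
            if owner != name and (name, owner) not in routes:
                findings.append(
                    (name, f"no route to DNS server {server} on '{owner}'"))
        if local and outside:
            findings.append(
                (name, f"mixes local {local} and outside {outside} resolvers"))
    return findings

# Constructed plans using addresses quoted in the thread.
SHARED_DNS = ["10.0.117.10", "8.8.8.8"]   # one list handed to both segments
AIRPORT_PLAN = {
    "lan":   {"subnet": "10.0.117.0/24", "dns": SHARED_DNS},
    "guest": {"subnet": "172.0.1.0/24",  "dns": SHARED_DNS},
}
PER_SEGMENT_PLAN = {
    "lan":   {"subnet": "10.0.117.0/24",  "dns": ["10.0.117.10"]},
    "guest": {"subnet": "172.16.42.0/24", "dns": ["8.8.8.8", "8.8.4.4"]},
}

if __name__ == "__main__":
    for label, plan in (("airport", AIRPORT_PLAN), ("per-segment", PER_SEGMENT_PLAN)):
        for segment, finding in audit_dhcp_plan(plan) or [("-", "no findings")]:
            print(f"{label:12} {segment:6} {finding}")
```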
