DNS - is it necessary on a LAN?

Hoping someone more advanced than I can help me out - I'm the de facto network admin for a small design shop and we currently have an Xserve G3 running Mac OS X Server 10.3 - I'm going through the Mac OS Server Essentials course (the book version, not the real taught-by-a-pro version -- we don't have that much cash on-hand!) but am by no means a newbie to the basics of networking.
Our G3 currently handles simple file sharing only. Our DHCP services, DNS services and firewall are all handled by a Cisco PIX unit that's managed by an outside firm that's completely overcharging us to manage. Add to that, they haven't been able to get the VPN services in the PIX to actually work. So, long story short, I want to pull these services in-house to save costs and get rid of these yo-yos controlling my PIX, and resell the PIX. It's overkill for what we need.
My question is this - After upgrading, I want to use my G3 Xserve to handle file sharing, DHCP addressing, and utilize the VPN services to access our network apps from outside (I Really really really want to work from home again!)... Do I need to establish DNS services on my LAN for this to work, or can I simply rely on an outside DNS and not enable the DNS services on my Xserve?
We host only 1 website that's reachable exclusively by IP address via a link on an externally hosted site. Currently through the PIX, this site is not reachable from our LAN (and that's OK - we have a back door to it that works just fine). Any response would be most appreciated. If more info as to IP addresses or specific configurations are needed, please email me directly at [email protected] I'd prefer to keep that info off the boards.
Thanks in advance!

I agree with Jim Pattison's overall suggestion that you don't need an internal DNS server in most cases for a small office configuration (or small home office, for that matter). Your ISP will provide DNS resolvers for getting at hosts on the Internet, and if your ISP hosts your domain, they'll provide DNS hosting services for any Internet-visible servers you wish the world to know about.
Where local DNS services come in handy (and it's important to make the distinction between DNS serving and DNS resolving), is if you:
1) Want the ability to refer to your local printers, workstations, or servers by name, such as "office-printer" or "berts-mac", or "mail-server", etc., without knowing numeric addresses or using the ".local" convention that works sometimes, but not always, on the Mac.
2) If you want to enable Kerberos authentication under Open Directory, then it's vital that the OD Master and all of its replicas have working forward and reverse DNS definitions. By 'working' I mean that the forward DNS of each server name matches its IP address, and the reverse DNS of that address matches the server name. Kerberos won't work without matching forward and reverse DNS.
3) Portable home directories, and other advanced network services won't work unless forward and reverse DNS is defined for the OS X servers. I'm not sure why that is the case, but I do know it is required.
If your OS X servers are on Internet-visible IP addresses, then their forward DNS can be made part of the DNS definitions your ISP provides. Whether or not your ISP will define matching reverse DNS is another matter -- the better ISPs will provide reverse DNS for your servers. If you run an Internet-visible mail server, for example, then it's important for the rest of the world to see matching forward and reverse DNS definitions or many mail servers will reject your mail thinking you're a spammer.
If your OS X servers are on internal IP addresses -- like 192.168.*.*, 10.*.*.*, 172.*.*.* -- then you need to have one or more OSX Servers (or other servers) providing forward and reverse DNS if you want to take advantage of any of the advanced server features mentioned earlier.
A DNS CASE STUDY
At my company, we have a public domain hosted by our ISP (call it mydomain.com). In addition to DNS hosting for that domain, they also provide a couple of DNS resolvers we can point our workstations at. We have two OS X Servers on internal IP addresses 192.168.1.100 and 192.168.1.102 running DNS services -- one is the master and one is a slave. We opted to do DNS programming directly in BIND, which means manually editing the /etc/named.conf file, rather than relying on the graphic front end in Tiger Server Admin. This is simply because we wanted to do more advanced things than you could define via the Server Admin front end.
Our DNS definitions basically provide for:
1) Forward DNS for a local.mydomain.com domain to provide names for systems on our LAN. This is where the OS X servers reside -- server1.local.mydomain.com resolves to 192.168.1.100 and server2.local.mydomain.com resolves to 192.168.1.102.
2) Reverse DNS for the 192.168.0.*, 192.168.1.* and 192.168.2.* address ranges. 192.168.1.100 resolves to server1.local.mydomain.com and 192.168.1.102 resolves to server2.local.mydomain.com.
3) DNS forwarding, so that if you ask about anything not defined by our forward and reverse DNS zones (like discussions.apple.com, for example), our DNS resolvers pass the request to our ISP rather than try to resolve and cache the answer ourselves. This significantly improves performance, as the ISP can answer our queries much faster than we can perform the lookups starting with the root servers ourselves. This is purely a performance issue.
4) DNS security -- Only folks on our 192.168.*.* local area network can ask about the local.mydomain.com domain. It's not visible outside our local network, thus improving security.
5) Since our servers have matching forward and reverse DNS addresses on the local.mydomain.com domain, we can make use of Kerberos authentication, portable home directories, and so on. These don't work unless your OS X servers have matching forward and reverse DNS -- regardless of who provides the DNS services.
DNS / BIND RESOURCES
I based our /etc/named.conf on an excellent article I found online at <http://www.zytrax.com/books/dns/ch6/>. I also recommend O'Reilly & Associates "DNS & Bind" book -- <http://www.oreilly.com/catalog/dns4/index.html>. This is a good way to learn how to build DNS servers.
If folks are curious, I can post our /etc/named.conf file.
Xserve G4   Mac OS X (10.4.6)   1GB RAM
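The answer above makes matching forward and reverse DNS the precondition for Kerberos and portable home directories, and says who must serve those records depends on whether the server sits on a private address. The following is an added example, not code from the thread, that automates that check: for each server name it resolves the A record, resolves the PTR for that address, reports whether the two agree, and says whether the records must come from an internal DNS server (RFC 1918 address) or can be carried by the ISP. The resolver functions are injectable; the SAMPLE_A and SAMPLE_PTR tables are constructed for this example, and 203.0.113.10 is a documentation placeholder, not a real host.

```python
import socket
from ipaddress import ip_address, ip_network

# RFC 1918 ranges. A server on one of these needs an internal DNS server for its
# forward and reverse records; the ISP's DNS can only carry public addresses.
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(ip):
    """True if the dotted-quad string falls in a private (RFC 1918) range."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def forward_live(name):
    """A-record lookup through the system resolver; None if it fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def reverse_live(ip):
    """PTR lookup through the system resolver; None if it fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _canon(name):
    return name.rstrip(".").lower()


def check_host(name, forward=forward_live, reverse=reverse_live):
    """Does name's A record point at an address whose PTR names it back?

    forward/reverse are injectable so the check can run on constructed data;
    the defaults ask the system resolver, i.e. whatever DNS this host is using.
    """
    result = {"name": name, "ip": None, "ptr": None,
              "serve_from": None, "ok": False, "reason": ""}
    ip = forward(name)
    if ip is None:
        result["reason"] = "no A record"
        return result
    result["ip"] = ip
    result["serve_from"] = "internal DNS" if is_rfc1918(ip) else "ISP/public DNS"
    ptr = reverse(ip)
    result["ptr"] = ptr
    if ptr is None:
        result["reason"] = "A record exists but no PTR record for %s" % ip
    elif _canon(ptr) != _canon(name):
        result["reason"] = "PTR for %s names %s, not %s" % (ip, ptr, name)
    else:
        result["ok"] = True
    return result


def check_hosts(names, forward=forward_live, reverse=reverse_live):
    """Run check_host over several names (e.g. the OD master and its replicas)."""
    return [check_host(n, forward, reverse) for n in names]


# Constructed sample answers (an assumption for this example, not data from the
# thread): two servers set up as in the case study, one whose PTR names another
# host, one with no PTR at all, and one public host on a placeholder address.
SAMPLE_A = {
    "server1.local.mydomain.com": "192.168.1.100",
    "server2.local.mydomain.com": "192.168.1.102",
    "badptr.local.mydomain.com": "192.168.1.50",
    "noptr.local.mydomain.com": "192.168.1.51",
    "www.mydomain.com": "203.0.113.10",   # RFC 5737 documentation address
}
SAMPLE_PTR = {
    "192.168.1.100": "server1.local.mydomain.com",
    "192.168.1.102": "server2.local.mydomain.com",
    "192.168.1.50": "someone-else.local.mydomain.com",
    "203.0.113.10": "www.mydomain.com",
}


def sample_forward(name):
    return SAMPLE_A.get(name)


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    for r in check_hosts(SAMPLE_A, sample_forward, sample_reverse):
        print("%-30s %-15s %s" % (r["name"], r["ip"], "OK" if r["ok"] else r["reason"]))
```

Run it with the defaults on the server itself (after pointing the server at its own DNS) to confirm what the OD master and each replica actually resolve to; a PTR that names a different host, or no PTR at all, is the condition that breaks Kerberos.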

Similar Messages

  • Are firewalls necessary within a LAN?

    I have an intel mac pro desktop and a mac book pro on a lan behind a router. The router has a firewall. If either of the macs has a firewall up they cannot communicate. As I understand it I cannot exempt them from the firewalls as _devices_ but I can exempt _applications_. Any advice or pointers to technical discussions on this issue would be most appreciated. These are probably really dumb questions but I am a newbie at this LAN stuff. Thanks.

    Since you are behind a router's firewall there is no need to activate the OS X firewall.

  • E4200v2 on .37 firmware bricked by setting new port address with DNS off

    I hooked up my E4200v2 with the intention of replacing another router, with DNS off. While everything else was disconnected, I used a wired interface to change its address to 192.168.0.1 on the first setup page.  As soon as I pressed "Save Settings", the darned thing turned off all of its ethernet ports and lay dead.  I performed a 30on-30off-30on reset, but the darned thing wouldn't wake up.  I let it sit for a half hour and tried again, with no luck.   I tried again an hour later, and suddenly the Cisco light began to blink. I quickly hooked up my PC to the wired local port, and set my PC's wired interface statically to the new subnet. No luck. Then I tried the original subnet. No luck.  Then suddenly the ports went dead again, never to return to life, despite patient waiting followed by another attempt to 30on-30off-30on reset.  What gives?  Is there some fatal firmware flaw?  Has no one out there done this before?  This router is only about 4 months old.  Is there another reset mode?  It's like the settings poisoned it.  The Cisco light is on solid, but no recovery.

    You can hard reset the router. Try isolating it using a loopback test or use another Ethernet cable if necessary. If LAN status says "media disconnected", then I think you can call tech support for a replacement.

  • Can't get DNS forwarders to work

    Overview: NAT environment. Need DNS to resolve local hosts to LAN addresses and forward all other requests to OpenDNS servers.
    I've searched the forum high and low but can't get my new 10.5 server to resolve external hosts. I used to do this manually in the past by adding the forwarders directive in the named.conf file and never once had a problem. I used the GUI on this new 10.5 box, and when that didn't work I attempted to add it directly to the conf file as well, which didn't work either.
    Forward and reverse lookups are working fine, but here's what I get when I attempt to resolve a public host:
    nslookup www.apple.com 10.0.0.2
    Server: 10.0.0.2
    Address: 10.0.0.2#53
    ** server can't find www.apple.com: NXDOMAIN
    I did find a post which mentioned that it could possibly be a firewall issue. I've since turned off the firewall on the server, added a mapping for port 53 and even added the server to the DMZ. Nothing seems to work here. Help!

    OK ... I feel stupid.
    I added 10.0.0.0 to the list of networks to accept recursive queries from. When I changed it to 10.0.0.2/24 everything worked as intended. Doh!

  • Basic Mail and DNS help

    I'm sorry to ask something that I'm sure has been dealt with many times. I've searched all around and found many threads that seem very close, but I guess there's some little difference that always ends up confusing me. I also get confused by what seems to me to be ambiguous terminology. Anyway, I'm pulling my hair out, so I've finally decided to ask for help.
    I'm sorry that this post is so long -- I just don't know what bit of info might be important. I'm trying to give a detailed description of my setup so experienced people can give me better advice.
    Here's my situation.
    EXTERNAL DNS
    (1) I've purchased a domain name through my ISP. Let's call it mydomain.tld
    (2) This comes with a very rudimentary control panel that allows me to define 10 A records, 10 CNAME records and 10 MX records.
    (3) I have defined an A record pointing to my static WAN IP.
    (4) I have defined an MX record pointing to the same static WAN IP.
    (5) This seems to be OK, because if I "dig mydomain.com" or "dig MX mydomain.com" I get my static WAN IP.
    MY LITTLE NETWORK
    (6) The Internet comes into a 4-port router/modem. (192.168.0.x) This is my "Outer LAN"
    (7) One port goes to a Mini with SLS -- Say it's on 192.168.0.99
    (8) Another port goes to another router (192.168.1.x) This is my "Inner LAN"
    (9) I have forwarded port 80 through the outer router to the SLS. That seems to work fine.
    (10) I have also forwarded port 25 through the outer router to the SLS. That does not work yet.
    The SLS
    (11) When I did the initial install, I gave the SLS the name mydomain.private (In some places, Server Admin gives the name mydomain.local ... I don't know why.)
    (12) I set up the INTERNAL DNS on the SLS to handle all initial DNS queries from my LANs, with my ISP's DNS as a forwarder.
    (13) I set up the DHCP on my routers to assign the internal DNS server on the SLS as the primary DNS, and my ISP's DNS server as the secondary -- so clients on my LANS are looking at the right DNS servers.
    (14) DNS seems to work fine on both my LANs.
    BEFORE GOING ANY FURTHER:
    If anyone sees any problems with what I have done so far -- Please say so.
    ... and now THE MAIL
    (15) I created a few network user accounts on SLS.
    (16) Using squirrelmail, they were able to send and receive messages to each other -- using a browser on the SLS machine or a browser on any other computer on the LANs. But this is all resolved through the internal DNS, using mydomain.private
    (17) Mail clients (Mail.app) on the LAN can also retrieve these messages. But I can't send mail using a regular mail client ... and squirrelmail only works internally with mydomain.private
    Now, I want to get my mail server working normally for sending and receiving mail both within my LAN and over the Internet. And here is where I get confused. There's the EXTERNAL DNS server that clients on the Internet will use to find my server -- and there's the INTERNAL DNS server that clients on my LAN (?and possibly some services on the server itself?) will use. Then there are terms like HOSTNAME and DOMAIN NAME ... and I'm not really very clear as to the distinction (despite, or because of, reading so many articles). I don't know where I should be using mydomain.com and where I should be using mydomain.private)
    in the Mail Service Configuration Assistant:
    (18) I use mydomain.com for both the Domain Name (Enter the local Internet domain name) and for the Host name (enter the Internet host name of this mail system). These match the A and MX records of my EXTERNAL DNS (ie. what I see on my ISP's control panel).
    (19) To try to make things easier to start with, I enabled all options for both secure and non-secure authentication.
    (20) I added a host alias mydomain.private
    (21) Setup appeared to go fine.
    (22) Back on the LAN, "dig MX mydomain.com" gives my static WAN IP
    (23) In the outer router, port 25 is forwarded to the SLS
    (24) In SLS, in Server Assistant, In DNS, Mail Exchanger is set to mydomain.private -- this works for sending mail within the LAN only.
    (25) I tried changing this to mydomain.com, and then nothing worked.
    (26) The Nameserver for my primary zone is set to:
    Zone: mydomain.private.
    Hostname: mydomain.private
    When I try to send a message FROM an account on the Internet TO an account on the SLS, I get an error: "Couldn't find a Mail Exchanger or IP address."
    When I try to send a message FROM an account on the SLS TO an account on the Internet, the Mail Delivery System returns it to the sender.
    Well, that's where I stand now.
    I hope people reading will give me some ideas of some other paths to run down, and tests or experiments to try. I'm not afraid of the command line -- but I'm not very experienced with it either -- so maybe there are some useful diagnostic commands that I should know about.
    My ISP is not blocking port 80.
    Is there some way that I can tell if my ISP is blocking port 25? (Their customer support doesn't know anything.)
    Thanks a lot for your attention and patience.
    (Intentionally Blank)

    Oops. Sorry for the delay getting back to you.
    Thanks David_x. That was really helpful information. It opened up more questions, but it gave me some good ideas of things to try.
    I reinstalled SLS. This time I used my FQDN and accepted the installer's suggestion for hostname.
    David_x wrote:
    Firstly, remove the secondary from DHCP. Otherwise clients will 'randomly' use info from either inside or outside DNS. You want them to use the internal DNS so use that alone.
    I see. So "secondary" doesn't mean "in case the primary fails" -- it means something more like "another one in the pool of possible DNS servers". Doesn't that present a problem in the event that my server is down? Why is this preferred as opposed to a clearly defined prioritized list? (Then there is another issue of some services using mDNSResponder in some cases and resolv.conf -- at least that's fairly well documented.)
    DNS & Hostname, etc...
    If you want to be able to access services from inside and outside your LAN, using the server's hostname (same one inside and out), then set up your internal DNS using your .com domain, same as is used externally.
    Okay. Got it. I did that with the reinstall.
    DNS is only an "IP lookup" system so you want the hostname inside to resolve to your LAN IP and the hostname outside to resolve to your WAN IP. Forget about the .private stuff - it just confuses things.
    Okay. Thanks.
    Public MX Record…
    (3) I have defined an A record pointing to my static WAN IP.
    (4) I have defined an MX record pointing to the same static WAN IP.
    The above may not be what you meant to say but just to check… Your public MX record should resolve to your A record hostname. Then the hostname resolves to an IP address. Your MX record should not be pointing directly to an IP address.
    Yes. You are right. That's very good of you to point that out. I did have it pointing to an IP address. (My ISP's simplistic DNS control panel is in Spanish, and I was confused about whether "nombre" referred to a name or number.) I had discovered this through brute force trial and error. This sort of thing was very difficult to test, since I don't have control over many of the DNS parameters (like TTL). That was probably my main problem. Now I can send and receive mail from my server to outside accounts, and from outside accounts to my server.
    At the moment, I can't retrieve mail on my server from a computer outside of my network. I suppose that's an authentication problem, or a hostname alias or something. I'll continue trying different things.
    Testing Port 25...
    To see if port 25 is blocked, get an outside computer and "telnet your-wan-ip 25". If you can switch on logging at the firewall for your port-forwarding rule, all the better as this will be only sure way to see that it is reaching the WAN firewall.
    By "logging at the firewall", I suppose you mean at the router? Alright. I still have to try this. From my point of view, this kind of suggestion is great advice.
    Instead of using an outside computer, would it be possible to do this sort of checking using an anonymizing proxy? I suppose they usually don't allow telnet.
    ...any chance this could be tested from my "inner" LAN? (My guess is that it needs to be from a computer that is "upstream" relative to the "outer" router. I'm under the impression that routers handle upstream connections differently than downstream connections, so this wouldn't work.)
    After that, test at server... open Terminal and enter: "tcpdump -v tcp port 25"
    Tcpdump will listen on port 25. When the telnet session gets port-forwarded, you will see a listing of information about the packet received. If you get nothing then the port-forwarding is not working.
    So, to make sure I've got this straight:
    Turn on logging on port 25 in my outer router.
    Go to Terminal on my server.
    Start tcpdump listening on port 25.
    Take my netbook out to some WiFi hotspot (for example).
    Telnet into my server.
    Come home and check my logs.
    (Maybe I should check out this VPN stuff.)
    I'm looking to see that the router forwarded the port correctly.
    That's great troubleshooting advice.
    Now you'll see how slow I am. I'm reading along, running through all of this in my head, imagining all of my steps ... And only now do I realize that if (as of my latest experiments) my server has been able to receive mail from outer accounts -- then the router must be forwarding things and the mail server is, to some extent, working fine. Okay. I'm still going to go through these steps anyway to see what it should look like.
    Server Admin: Domain Name & Hostname...
    The Domain Name is just your domain name... e.g., mydomain.com
    The Hostname is ideally the same as your external MX hostname... e.g., mail.mydomain.com
    The main thing about the Hostname is that this is what your server will report as its HELO name to other connecting mail servers. Some will check this against the public MX record and use any discrepancy to increase likelihood of spam filtering.
    Is there really any reason that a small setup like mine should use "mail.mydomain.com" instead of just "mydomain.com"? Since I don't have a separate machine dedicated to mail, maybe it's just an unnecessary complication. I was just copying what I've seen around (configuration for mail and articles I've read).
    Under Advanced-> Hosting, tick the "Include server's domain as local host alias".
    Okay. What exactly does this do? I understand the words, but not the sense of the phrase. (I find this happening a lot.)
    Checking Server Settings…
    Use a terminal session to debug any basic configuration issues on the server. The error responses are much more informative than just using a mail client. Open Terminal in a local computer… "telnet server-lan-ip 25" and carry out following…
    I could connect with telnet to port 25 on the server:
    (1) From a remote computer.
    (2) From a local client.
    (3) From the server
    As we step through the experiment, you will see that we have a few problems.
    Server Response:
    Trying...
    Connected to fqdn.or.ip.
    Escape character is '^]'.
    220 fqdn.or.ip ESMTP Postfix
    #1. Declare where you are sending the email from:
    HELO something.name
    You can use a real hostname but the mail server has no choice but to accept whatever you type.
    Response: 250 servers.hostname
    So far, so good.
    On remote computers, I couldn't get any further than this.
    I'll try again tonight.
    #2. Give senders address:
    MAIL FROM:<mail@senderdomain>
    Response: 250 Ok
    I could get this to work for either a local email account or a remote email account, from telnet sessions initiated either on the server itself or on a local client.
    #3. Give recipients address:
    RCPT TO:<mail@otherdomain>
    Response: 250 Ok
    Here, I did not get consistent results.
    From a local account to a remote account, I could get "Relay access denied".
    From a local account to a local account, I could get "Recipient address rejected. Service is unavailable." But this was not consistent. I used three different local accounts, and all could send or receive at one time or another.
    #4. Start composing the message:
    DATA
    Response: 354 End data with <CR><LF>.<CR><LF>
    #5. Type a message. Finish with a single "." on a line on its own.
    Response: 250 Ok: queued as dah,de,da
    #6. Close the connection by typing: QUIT
    Response: 221 Bye... Connection closed by foreign host.
    Were you going to add something else here?
    Well, any comments or insights that you might add will be very much appreciated. I'm going to continue sending and receiving and making little tweaks. It's really pretty confusing for a newbie. I thank you a lot for all the time you spent reading and helping me.
    (Intentionally Blank)
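David_x's "telnet your-wan-ip 25" test, run from outside, is the way to tell whether port 25 is blocked upstream, forwarded to the wrong place, or reaching Postfix. The following is an added example, not part of the thread, that scripts that test: it opens the connection, reads the greeting line, and separates three outcomes that look alike in a mail client (an SMTP banner, a refused connection, and a silent timeout). The loopback listener at the end is a constructed stand-in for Postfix so the code runs offline; against the real server you would call smtp_banner() with the WAN address from a computer outside the LAN.

```python
import socket
import threading


def smtp_banner(host, port=25, timeout=5.0):
    """Open a TCP connection and read the first line the server sends.

    Returns (status, banner):
      ("open", "220 ...")  a listener answered; the banner says which daemon
      ("refused", None)    the packets reached a host, but nothing listens on
                           that port there (a port-forward aimed at the wrong
                           host or port looks like this)
      ("timeout", None)    no answer at all, which is what an upstream block or
                           a missing port-forward looks like from outside
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            data = conn.recv(512)
    except ConnectionRefusedError:
        return ("refused", None)
    except (socket.timeout, TimeoutError):
        return ("timeout", None)
    except OSError as exc:
        return ("error:" + exc.__class__.__name__, None)
    text = data.decode("ascii", errors="replace")
    return ("open", text.splitlines()[0] if text else "")


def interpret(status, banner):
    """Turn a smtp_banner() result into the troubleshooting conclusion."""
    if status == "open" and banner.startswith("220"):
        return "SMTP server reachable: " + banner
    if status == "open":
        return "port open but the listener is not speaking SMTP: %r" % banner
    if status == "refused":
        return "reached a host, but nothing listens there: check the port-forward target"
    if status == "timeout":
        return "no response: port filtered upstream or port-forward missing"
    return "connection failed: " + status


# --- constructed stand-in for a Postfix listener, so the example runs offline ---
def start_fake_smtp_server(banner=b"220 mail.example ESMTP Postfix\r\n"):
    """Listen on an ephemeral loopback port and greet one client with banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        client, _ = srv.accept()
        client.sendall(banner)
        client.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port():
    """Return a loopback port with no listener, to show the 'refused' case."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    print(interpret(*smtp_banner("127.0.0.1", start_fake_smtp_server())))
    print(interpret(*smtp_banner("127.0.0.1", closed_loopback_port())))
```

Pair it with "tcpdump -v tcp port 25" on the server as David_x suggests: a "timeout" here with no packets in tcpdump means the connection never reached the server, while a "refused" with packets visible means the forward works but Postfix is not listening on that address.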

  • XSAN-DNS problem

    I can't be the only person in the world to hit this issue so I figure there must be a clever person out there who can help me fix it. I have posted this question into the General Mac troubleshooting area as well, but since it specifically pertains to XSAN, I am posting here too...
    I have a Mac with two ethernet cards. The Mac is bound to a W2K3 AD and presents LAN services via one card (LAN IP in the 172.16.5.0 range). The other card is connected to a non-routed separate network used for Metadata (Private IP in the 172.16.80.0 range).
    The Mac registers its forward lookup A record in the AD DNS twice, once with the wanted LAN IP address and once with the unwanted Metadata Private IP.
    The Private IP address is not reachable by clients so I don't want it to register.
    This is a major problem because the LAN network is not a single IP range, it is itself routed to other subnets (172.16.4.0 for example). Microsoft DNS always hands out IP addresses closest to the destination when it can. So clients in the same IP range as the LAN (172.16.5.x) get the correct IP address when they query, but clients in the 172.16.4.0 range, because of the round robin nature of AD DNS, are served the wrong IP address 50% of the time (i.e. half the clients are given the 172.16.5.x address and half the 172.16.80.x address); those given the .80 address obviously fail to connect.
    On Windows, it is possible in the GUI to specifically set a network card's properties not to register with the DNS. On the Mac this setting is absent in the GUI.
    I assume there is a setting I can throw from terminal to block dynamic DNS registration for a specific ethernet card, whilst retaining it for the one I want. But I can't find it.
    Can anybody point me in the correct direction please?

    Thanks for your thoughts. Yeah, I tried that, I put in a search domain for that NIC which did not exist in DNS as a zone, thinking that even if it then tried to register, it would fail because the zone name didn't exist. Nada. Didn't work. It still stuck the second IP address into the DNS.
    I have asked Apple for help under AppleCare Premium Support, but of course Apple caveat their support to avoid them having to look after 3rd party systems. Which is fair enough; but on the other hand is also not fair enough since I don't want support on Windows, Microsoft and the world at large provide a perfectly competent mechanism for that. I want support on Mac OSX, but since it pertains to a Mac "feature" that is connected with Windows, they have already told me they won't help.

  • Configuring airport DNS servers

    I use an airport extreme base station which connects to the internet via an ethernet DSL connection. The airport TCP/IP settings are DHCP. The DNS servers, however, show 192.168.1.1 and not the DNS settings of the DSL. As a result the internet connection on my MacBook Pro is patchy at best with some pages that open and images not showing up. The only way I resolve this is by manually setting the DNS servers in my settings on the laptop. I have tried manually setting the DNS configuration on my Airport but for some reason this does not broadcast to all the computers in my house. The DNS settings that do appear on computers are the standard 192.168.1.1 and not the actual DNS. I cannot seem to figure out why the airport is doing this. Any suggestions would be appreciated.

    I am also wondering if it is possible to turn DNS relay off on an Airport Extreme or Airport Express. I am using the latest firmware on both devices, 7.6.1 and they are the latest model.
    Regarding your question about DNS servers; the IP address that shows in your device as a DNS server is the Airport Extreme LAN IP address. DNS queries will be sent to that device, and the DNS settings which it uses will be used to look domain names up.
    So, for now, put the DNS server addresses you'd like to use on your Airport Extreme. This is done through the Airport Utility, under Internet > Internet Options.
    Also, as a final note, try the ' namebench ' program to find the best DNS servers available. It helped me choose ipv4 dns servers and I'm noticing a difference in loading times.

  • Split-horizon DNS server

    Hi,
    is it possible to use novell-named on OES 2 Linux to create split-horizon DNS server? Something like this: Two-in-one DNS server with BIND9 | HowtoForge - Linux Howtos and Tutorials. What I want to achieve is "to resolve to internal IPs when you are inside and external IPs when you are outside".
    We have some services (web applications, Groupwise messenger etc.) which can be accessed from the LAN using private addresses and which are also visible from the public network (Internet).
    Currently we have Netware 6.5 with DNS Proxy bound to the internal address and some hostnames bound to internal IP addresses inside the hosts file (and therefore resolved by DNS Proxy with private addresses for LAN clients) and named bound to the public IP and serving DNS requests from the public network. But we'd like to migrate everything from Netware to OES 2 Linux.
    Any help is much appreciated!
    Bruno

    Originally Posted by joharmon
    Just found this:
    Is Views for DNS Supported or Possible on NetWare or OES?
    Bad news but thanks for your answer!
    Bruno

  • 10.4.4 update and now my DNS zones aren't visible!

    After the 10.4.4 update, I can't see my DNS zones, and the log says there are now errors, for example: servermgr_dns: Bad zone file for zone macs4ever.com MX/CNAME line: "@" before A line. Ignoring.
    This wasn't an issue before. Has something changed in the zone formatting?
    What file can I edit to correct the syntax if needed.
    I appreciate your time and assistance,
    matt caswell

    Note that I write my own zone files and prefix them with "db." just so that I do not overwrite the default ones. The name of the zone file is in itself not critical, as long as the correct file is referenced in named.conf.
    My zone definitions in /etc/named.conf...
    // a caching only nameserver config
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "db.localhost";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "db.127.0.0";
        allow-update { none; };
    };
    zone "foo.com" in {
        file "db.foo.com";
        type master;
    };
    zone "0.0.10.in-addr.arpa" IN {
        file "db.10.0.0";
        type master;
    };
    ============================
    The Zone Files in /var/named...
    ============================
    Zone File "db.localhost"
    $TTL 86400
    localhost. IN SOA server.foo.com. postmaster.foo.com. (
    42 ; serial (d. adams)
    3H ; refresh
    15M ; retry
    1W ; expiry
    1D ) ; minimum
    IN NS server.foo.com.
    IN A 127.0.0.1
    ====================
    Zone file "db.127.0.0" (reverse zone for localhost)
    $TTL 86400
    0.0.127.in-addr.arpa. IN SOA server.foo.com. postmaster.foo.com. (
    2006011511 ; Serial
    3h ; Refresh
    1h ; Retry
    1w ; Expire
    1h ) ; Minimum
    0.0.127.in-addr.arpa. IN NS server.foo.com.
    1.0.0.127.in-addr.arpa. IN PTR localhost.foo.com.
    ==========================
    Zone file "db.foo.com"
    $TTL 86400
    foo.com. IN SOA server.foo.com. postmaster.foo.com. (
    2005101301 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
    ; NAME SERVERS
    foo.com. IN NS server.foo.com.
    ; ADDRESSES FOR CANONICAL NAMES
    localhost IN A 127.0.0.1
    server IN A 10.0.0.1
    ; ALIASES
    ical.foo.com. IN CNAME server
    mail.foo.com. IN CNAME server
    ftp.foo.com. IN CNAME server
    ; MAIL RECORDS
    foo.com. IN MX 0 server
    ======================
    Zone File db.10.0.0 (reverse zone for foo.com)
    $TTL 86400
    0.0.10.in-addr.arpa. IN SOA server.foo.com. postmaster.foo.com. (
    2006011500 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
    0.0.10.in-addr.arpa. IN NS server.foo.com.
    ; REVERSE LOOKUPS
    1 IN PTR server.foo.com.
    ========================
    Note that you may have different records but hopefully you get the drift of it.
    "Bad zone file for zone domain.com MX/CNAME..."
    The particular cause, for me, of the above error was that, in db.foo.com, I used to have the following for the MX record...
    foo.com. IN MX 0 mail
    This created the error message as there was not a direct A record for 'mail'. The amended zone file now works... but...
    I still have an issue with this... In my case my DNS is purely for the private LAN, but if it was a public DNS then I would have needed to set up the server with a hostname "mail.foo.com" instead of "server..." and then alias 'server' to 'mail'. Something you really should know before setting up the server.
    (Actually, I don't even know why I have the MX record in the internal DNS as the mail server can function quite happily without it.)
    Anyway, I find this on-line reference really handy although you can get a bit 'lost' in all the links within it...
    http://www.zytrax.com/books/dns/
    Have fun.
    -david
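    An added example, not code from David's post or from BIND: a small lint that reproduces the "Bad zone file ... MX/CNAME" check he ran into, parsing the zone syntax used in db.foo.com above and reporting any MX or NS target that is a CNAME (RFC 2181 section 10.3) or has no A/AAAA record in the zone. The zone text is constructed from the file above, first with the MX record as David originally wrote it and then as amended.

```python
import re

# Added example (not code from the original post): lint for the "Bad zone file ... MX/CNAME"
# error above. RFC 2181 s10.3: MX/NS targets must be A/AAAA names, never CNAMEs. Data constructed.
ORIGIN = "foo.com."
# Modelled on db.foo.com with the MX record as David first wrote it: 'mail' is only a CNAME.
BROKEN_ZONE = """\
$TTL 86400
foo.com.  IN SOA server.foo.com. postmaster.foo.com. (
          2005101301 3h 1h 1w   ; serial refresh retry expiry
          1h )                  ; minimum
foo.com.      IN NS    server.foo.com.
localhost     IN A     127.0.0.1
server        IN A     10.0.0.1
mail.foo.com. IN CNAME server
foo.com.      IN MX 0  mail
"""
# The amended record from the post: MX points straight at the A record.
FIXED_ZONE = BROKEN_ZONE.replace("IN MX 0  mail", "IN MX 0  server")

def canonical(name, origin):
    """'@' -> origin; absolute names kept; relative names get the origin appended."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text, origin):
    """Return (owner, rtype, rdata) tuples; handles $TTL, comments and SOA ( )."""
    origin = origin.rstrip(".").lower() + "."
    records, owner, pending, depth = [], origin, None, 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]                  # drop comments
        if pending is None:
            pending = [code[:1].isspace(), []]        # [owner field blank?, tokens]
        pending[1] += code.replace("(", " ( ").replace(")", " ) ").split()
        depth += code.count("(") - code.count(")")
        if depth > 0:                                # still inside ( ... )
            continue
        indented, toks = pending[0], [t for t in pending[1] if t not in ("(", ")")]
        pending = None
        if not toks or toks[0].startswith("$"):      # blank line or $TTL/$ORIGIN
            continue
        if not indented:                             # blank owner = previous owner
            owner = canonical(toks.pop(0), origin)
        while toks and (toks[0].upper() == "IN" or re.fullmatch(r"\d+[smhdw]?", toks[0], re.I)):
            toks.pop(0)                              # optional class / TTL fields
        records.append((owner, toks[0].upper(), toks[1:]))
    return records

def lint_mx_ns_targets(records, origin):
    """Report MX/NS targets that are CNAMEs or lack an in-zone A/AAAA record."""
    origin = origin.rstrip(".").lower() + "."
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("MX", "NS"):
            target = canonical(rdata[-1], origin)
            have = types.get(target, set())
            if "CNAME" in have:
                problems.append(f"{owner} {rtype} -> {target} is a CNAME")
            elif target.endswith(origin) and not have & {"A", "AAAA"}:
                problems.append(f"{owner} {rtype} -> {target} has no A/AAAA record")
    return problems
```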

  • Please please help! I have messed up the DNS Settings on 10.8 server

    Just started a new job and am in charge of managing the Mac Server. I have lots of Mac experience, but very little Mac OS X Server experience.
    I used my MBP to access the server (which is a headless Mac Mini) and after I did so the settings were pretty messed up. In particular the Computer Name, Host Name, and DNS name were wrong or missing. I was able pretty easily to get the first two fixed, but not DNS.
    I can reach the server via the IP, but NOT the domain name. (We were able to do this before I messed things up).
    When I run
    cat /etc/resolv.conf | grep nameserver
    I get 4.2.2.2
    which is the forwarding server
    I have tried turning DHCP on and off, never works.
    When I run
    cat /etc/resolv.conf | grep nameserver
    I get
      nameserver[0] : 4.2.2.2
      nameserver[0] : 150.2.0.30
      nameserver[0] : 4.2.2.2
    The 150.2.0.30 is what I have for the DNS entry in the Network Control Panel
    When I run changeip -checkhostname under sudo I get
    macserver:~ bryanschmiedeler$ sudo 
    Password:
    Primary address     = 192.168.x.x
    Current HostName    = server.example.com
    The DNS hostname is not available, please repair DNS and re-run this tool.
    dirserv:success = "success"
    Any help would be GREATLY Appreciated!
    Bryan

    Here are instructions for setting up DNS on OS X Server; select the show-all-records option on Server.app in 10.7 and 10.8, and those instructions should get you to a working configuration.
    Your DNS server on OS X Server should refer to itself, via 127.0.0.1 address; the "localhost" address; IP networking's version of "self" or "me".  This 127.0.0.1 reference is a special case, and only applicable to the DNS server's references to itself.  All other hosts on your network should refer to your OS X Server DNS server by its assigned private static IP address on your LAN; whatever 192.168.0.0/16 address you're using for your DNS server.  If you should have more than one DNS server on the LAN (commonly used for better reliability), each DNS server will refer to 127.0.0.1 and to the private static IP address of the other DNS server.
    Do not refer to off-LAN DNS servers.  Do not refer to ISP DNS servers, or the old Verizon DNS servers (in use here), nor to the Google DNS servers.  To get local translations of private-block IP addresses such as your use of a subnet within 192.168.0.0/16, the server and the local clients must refer to the local DNS server.  (Not to off-LAN DNS servers.)  That means manually-configured DNS server settings for static-addressed servers, and configuring the DHCP server to pass out only — only — the address of the local DNS server(s) to DHCP clients, and not to pass out any off-LAN server address(es).
    Half the planet is probably using a subnet in the 192.168.0.0/16 private block, so obfuscating that range just means you might be running in one of the two more problematic subnets, 192.168.0.0/24 or 192.168.1.0/24, but we can't tell.  Those will cause issues with potential future use of VPNs with this network.  Best to avoid those two subnet blocks.
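    An added example, not code from the reply above or from OS X Server: an offline audit of a host's resolver list against the rules just given (the DNS server refers to itself via 127.0.0.1, every other LAN host refers only to the LAN DNS server's private address, nobody lists an off-LAN resolver), plus the subnet warning. The sample input is constructed to match the `scutil`-style output Bryan posted; the role names and the 192.168.10.0/24 LAN are assumptions.

```python
import ipaddress
import re

# Added example, not from MrHoffman's post: an offline check of a host's resolver
# list against the rules he gives. The sample input is constructed and mimics the
# two formats seen in this thread: /etc/resolv.conf ("nameserver 10.0.0.1") and
# `scutil --dns` ("nameserver[0] : 10.0.0.1").
NS_LINE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)")
CROWDED = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("192.168.1.0/24")]

# Matches the symptom reported above: the server's own resolver list holds an
# off-LAN forwarder (4.2.2.2) and a public address instead of 127.0.0.1.
SERVER_SCUTIL = """\
  nameserver[0] : 4.2.2.2
  nameserver[0] : 150.2.0.30
  nameserver[0] : 4.2.2.2
"""

def parse_nameservers(text):
    """Resolver addresses in order, duplicates dropped (scutil repeats them per scope)."""
    found = [m.group(1) for line in text.splitlines() if (m := NS_LINE.match(line))]
    return list(dict.fromkeys(found))

def audit_resolvers(addresses, role, lan=None):
    """role: 'server' (the box running the DNS service) or 'client' (any other LAN host).

    Rules from the post: the server lists 127.0.0.1 (plus a second LAN DNS server,
    if any); clients list only the LAN DNS server's private address; nobody lists
    an off-LAN (ISP, Google, ...) resolver, because those cannot answer for names
    in your private block. lan, if given, is the LAN subnet in CIDR notation.
    """
    if not addresses:
        return ["no nameserver configured"]
    net = ipaddress.ip_network(lan, strict=False) if lan else None
    findings, seen_loopback = [], False
    for a in addresses:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            findings.append(f"{a}: not an IP address")
            continue
        if ip.is_loopback:
            seen_loopback = True
            if role != "server":
                findings.append(f"{a}: loopback only belongs on the DNS server itself")
        elif not ip.is_private:
            findings.append(f"{a}: off-LAN resolver; it cannot resolve your private names")
        elif net is not None and ip not in net:
            findings.append(f"{a}: private address outside the LAN {net}")
    if role == "server" and not seen_loopback:
        findings.append("DNS server does not refer to itself via 127.0.0.1")
    return findings

def check_lan_subnet(cidr):
    """Flag the two most-used private /24s, which collide with VPN users' home LANs."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [f"{net} overlaps {c}; choose a less common block" for c in CROWDED if net.overlaps(c)]
```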

  • Trying to go to a WAN address that points back to my LAN

    Hello I am trying to go to dev.xxxxxxx.com that points to my main interface IP. It works when I am outside the network. But when I am in the lan I have to go to the LAN address. What do I need to do?

    Hi,
     As I understand it, you have hosted this web server within your network, so when you access it from outside it uses the public DNS entry and the public IP address; however, when you are in your LAN network it routes directly to its private/LAN IP address. Check where the local DNS in your LAN points. If you don't have DNS locally and you are using the LAN IP to access this server, you can create a DNS entry.
    Thanks & Regards
    Sandeep

  • How to setup DNS correctly

    Dear all,
    I'm trying to set up my first Mac mini server correctly so that I can access files and iCal changes of my coworkers when I'm on the road. After reading many postings I now know it is important to set up the DNS correctly, as many things depend on this.
    Still I get this message in the "Next Step" PDF after the installation:
    http://dl.dropbox.com/u/427417/dns%20configruation.jpg
    This is my DNS setup:
    - I have one static IP: 80.xxx.xxx.222
    - I made an A-type entry at my domain registrar: miniserver.example.com => 80.xxx.xxx.222
    - My ISP made a PTR entry in their DNS servers: 80.xxx.xxx.222 => miniserver.example.com
    Both are working when I test them with: http://www.mxtoolbox.com/
    And this is my hardware setup:
    Modem => Linksys 160N router with public IP 80.xxx.xxx.222 => switch => 4 Macs and my Mac mini server with a fixed internal IP (192.168.1.133, made with a DHCP reservation on the Linksys router). FTP port forwarding to 192.168.1.133
    What confuses me is the fact that I can turn on FTP on the mini server and access it from outside with an FTP client using "miniserver.example.com" as the server name. To me this working FTP connection looks like I have set up the public IP/DNS things right? But why do I still get this message in "Next Step"?
    I'm glad about any reply which helps me to understand this.
    Dietmar

    Dear MrHoffman
    Thank you for your answer. It looks like your answer has everything I need to know. But as I'm not a professional I only understand your recommendations partially. Here are my thoughts about it:
    MrHoffman wrote:
    You'll usually want an external static IP and an external DNS domain that gets you to your firewall device, and then you implement a VPN at the firewall to connect to your LAN. The external DNS (or static IP) is how you get connected to your firewall.
    I do have an external static IP: 80.xxx.xxx.222 and a DNS domain: miniserver.example.com, which both get me to my firewall (within the Linksys router). So I think I've got this part right?
    Within your LAN, here's [getting DNS going|http://labs.hoffmanlabs.com/node/1436]; but that's LAN-local stuff and useful for getting around once you have the VPN connected. You probably don't want to be serving public DNS; leave that to your ISP.
    And yes, Mac OS X Server does really want to have DNS for itself either running locally on the box or within other DNS server(s) in your environment, and that usually then gets extended to running DNS for the rest of your LAN.
    Setting up DNS on the Mac mini server for my local LAN will be my next task, but as this would be too long a post I would like to ask you about this in a separate post. As I understand from your answer, I do serve public DNS at the moment, although I did not intend this!!!
    I generally encourage using an [external firewall-based VPN|http://labs.hoffmanlabs.com/node/275], as that approach simplifies the requirements here and particularly when you're using NAT as is typical. You VPN to the firewall, then the connection works like you're on the LAN.
    My Linksys router supports VPN passthrough and Server Admin has the VPN service. Will these two do what you are recommending? I know I have to read up on VPN first, before asking others questions.
    [ftp is nasty|http://labs.hoffmanlabs.com/node/530] in several dimensions (your credentials are exposed in cleartext, and it requires a fancy firewall or the ephemeral port range to be opened on one of the intervening firewalls), and usually best avoided during debugging. ftp is older than the internet, and largely incompatible with firewalls. VPNs or sftp are usually a better approach (and because you can use certificates or such, you can reduce your exposure to brute-force password attacks or password sniffing), save for anonymous ftp access or file drops, and only get around to setting up ftp once you get the rest of your network working here.
    FTP was only for testing, as I thought it was a simple way to test access to my server.
    As for your confusion, in your zone-level settings, you have the name server referring to the name server itself as its forwarding entries; this definitely won't work. Look at my notes and specifically look for the details on setting up the forwarding entry for the zone. This is the zone-level display (your http://dl.dropbox.com/u/427417/dns1.png) and the nameserver: field. That needs to be your upstream DNS provider.
    As written before, local DNS is the next thing for me to do/learn. But I have to leave for now to support a friend with his Mac. Thank you for your answers.
    Dietmar
    Here are my screenshots from setting up the Mac OS X Server:
    http://dl.dropbox.com/u/427417/networkname.jpg
    http://dl.dropbox.com/u/427417/Hostname.jpg
    Did I do something wrong here?
    Is the field "Primary DNS Name" for local or public DNS?? I thought it is for public: miniserver.example.com

  • DNS resolving to external IP when ping.

    Hi expert folks... have a question.... When pinging some of the clients within the LAN, it resolves to the external public IP instead of the private IP... I had checked and confirmed that those clients are configured with the DNS server IP within the LAN. No external DNS has been configured... This does not occur all the time with all clients... it happens sometimes with some clients... after a few minutes, when we re-ping or refresh, it is back to the normal private IP..... Could you please advise what the possible cause of this could be..?

    Hi... Thanks for your guidance... I had verified the configuration you mentioned in your post... The DNS search suffix order was fine so I haven't made any changes to that... also the TTL remains at default... I found that some clients have external DNS in their DNS configuration list... I have removed those........ Still I wonder: even if external DNS is configured, it should only come into action when the primary and secondary internal DNS cannot resolve. Also another interesting thing I noticed: when the address resolved to the external DNS the TTL is 65, and when it resolves internally the TTL is 128, for all clients. I guess it is jumping to the external DNS, bypassing the internal DNS servers. So far I haven't experienced the same issue again; that's why I cannot provide the outcome of nslookup... appreciate your help and guidance.
    The root cause was the external DNS servers on your clients. The DNS client-side resolver service algorithm looks at the first entry, and ONLY if it does not answer, which results in a NULL or NACK response, will it go to the second entry. If it does answer, even if the answer is an "I don't know," the client will take that as an answer and look no further. This algorithm, in case you're wondering, which many do, is not just the way Microsoft operating systems work. It's based on the IETF RFC industry standards that all manufacturers must adhere to.
    The proper way to configure all machines, especially in an AD environment, is to only use your internal DNS servers on every machine, nothing else, including the router as a DNS address (you would be surprised how many do use that because the ISP told them it's ok), and in your DNS server properties you can optionally configure a forwarder to your ISP's. That's the only place any external DNS servers can exist internally: in a Forwarder or Stub.
    More on the resolver service:
    This blog discusses:
    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
    Client side resolution process chart.
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
    Client side resolution process chart
    Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
    DNS Clients and Timeouts (Part 1 & Part 2), karammasri [MSFT] Dec 2011 6:18 AM
    http://blogs.technet.com/b/stdqry/archive/2011/12/02/dns-clients-and-timeouts-part-1.aspx
    http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
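    An added example, not code from Ace Fekay's post or from any resolver implementation: a model of the ordering rule he describes (the first server that answers at all, NXDOMAIN included, ends the lookup; only a timeout moves the client to the next entry), run against a constructed split-horizon setup like the one in this thread and the "WAN address that points back to my LAN" thread. Host names and addresses are made up (203.0.113.0/24 is a documentation range); retry timers and per-adapter server lists are not modelled.

```python
# Added example, not from Ace Fekay's post: a model of the client-side resolver
# rule he describes, run over a constructed split-horizon setup like the one in
# this thread. Only the ordering rule is modelled (no retry timers, no
# per-adapter lists); names and addresses are made up (203.0.113.0/24 is a
# documentation range).
TIMEOUT = object()   # sentinel: the server never answered

class FakeDnsServer:
    """A resolver that answers from a fixed table (None = NXDOMAIN / 'I don't know')."""
    def __init__(self, name, table, down=False):
        self.name, self.table, self.down = name, table, down
        self.queries = 0          # how many times a client actually asked us
    def query(self, qname):
        self.queries += 1
        return TIMEOUT if self.down else self.table.get(qname)

def resolve(servers, qname):
    """Ask the configured servers in order. The first one that answers at all,
    including with NXDOMAIN, ends the lookup; only a non-answer (timeout) moves
    the client on to the next entry. Returns (answering server, answer)."""
    for srv in servers:
        reply = srv.query(qname)
        if reply is not TIMEOUT:
            return srv.name, reply
    return None, TIMEOUT

def internal_dns(down=False):
    # Authoritative for the LAN: a workstation and the LAN-side address of the web host.
    return FakeDnsServer("internal", {
        "pc1.corp.example": "192.168.10.21",
        "www.corp.example": "192.168.10.5",
    }, down)

def external_dns():
    # ISP resolver: knows only the public view of the web host, nothing of the LAN.
    return FakeDnsServer("isp", {"www.corp.example": "203.0.113.10"})

def scenarios():
    """Reproduce the thread's symptoms; returns {label: (answering server, answer)}."""
    out = {}
    i, e = internal_dns(), external_dns()
    out["internal first, LAN host"] = resolve([i, e], "pc1.corp.example")   # private IP
    i, e = internal_dns(), external_dns()
    out["external first, LAN host"] = resolve([e, i], "pc1.corp.example")   # NXDOMAIN wins
    out["internal asked?"] = i.queries                                       # 0: never consulted
    i, e = internal_dns(), external_dns()
    out["external first, web host"] = resolve([e, i], "www.corp.example")   # public IP from inside the LAN
    i, e = internal_dns(down=True), external_dns()
    out["internal down, web host"] = resolve([i, e], "www.corp.example")    # only a timeout falls through
    return out
```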

  • KT4-ULTRA FISR NO LAN DETECT

    I have this problem:
    in the bios at
    Integrated Peripherals > OnBoard PCI Controller
    1. Serial ATA Controller
    2. 1394 Controller
    3. Audio Controller
    The LAN controller???
    I don't see it...??
    I have changed the BIOS from version 1.2 to version 1.3 and from 1.3 to 1.2 but the LAN controller is not seen...!
    Why the problem?? The Broadcom chip is on board... but doesn't work!!
    My configuration is:
    - MSI KT4-Ultra FISR with Bluetooth module, BIOS 1.3
    - AMD Athlon XP 2400+
    - 512 MB DDR333 Geil ULTRa Cs 2
    - SK Video ASUS V8200 Dlx Ti500
    - 1 hdd 40 GB Ata 133 P.M.
    - 1 hdd 80 GB Ata 133 P.S.
    - 1 hdd 60 GB Ata 133 Ata Raid
    - 1 DVD rom S.M.
    - 1 Yamaha F1 S.S.
    Bye...!
    Excuse me for my English, I'm Italian and speak the language so-so...

    Okay, I assume the new 1.4 BIOS they are working on will address this problem? Or perhaps not? This problem, as I see, was discovered last year, yet how many BIOS updates have been released since? None of them remedying this situation.
    The KT4 Ultra FISR is a really nice mainboard, but the lack of support and/or broken LAN controller really makes it look bad.
    Flashing the BIOS and clearing the CMOS simply won't work. This shouldn't be necessary when the LAN just disappears on its own without any cause. If it isn't a BIOS bug, then it's clearly a board flaw.
    Is that why this problem has been covered up quite well? If there hasn't been a BIOS fix, then I would guess that it is a flaw that has still not been made public by MSI themselves.
    If there's a known fault with a product, I expect to know about it. This problem has shown up enough to be a known flaw.
    No, checking the winblows "device manager/tackler" won't show it, clearing the CMOS won't show it, flashing the BIOS 10000 times won't make it show either. The device doesn't even exist in the mainboard's PCI table, it's gone, not there, poof, kaput, vanished.
    PCI devices found:
      Bus  0, device   0, function  0:
        Host bridge: VIA Technologies, Inc. VT8377 [KT400 AGP] Host Bridge (rev 0).
          Master Capable.  Latency=8.  
          Prefetchable 32 bit memory at 0xe0000000 [0xefffffff].
      Bus  0, device   1, function  0:
        PCI bridge: VIA Technologies, Inc. VT8235 PCI Bridge (rev 0).
          Master Capable.  No bursts.  Min Gnt=12.
      Bus  0, device   7, function  0:
        Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 16).
          IRQ 10.
          Master Capable.  Latency=32.  Min Gnt=32.Max Lat=64.
          I/O at 0xec00 [0xecff].
          Non-prefetchable 32 bit memory at 0xdfffff00 [0xdfffffff].
      Bus  0, device  12, function  0:
        Multimedia audio controller: C-Media Electronics Inc CM8738 (rev 16).
          IRQ 11.
          Master Capable.  Latency=32.  Min Gnt=2.Max Lat=24.
          I/O at 0xe800 [0xe8ff].
      Bus  0, device  16, function  0:
        USB Controller: VIA Technologies, Inc. USB (rev 128).
          IRQ 11.
          Master Capable.  Latency=32.  
          I/O at 0xdc00 [0xdc1f].
      Bus  0, device  16, function  1:
        USB Controller: VIA Technologies, Inc. USB (#2) (rev 128).
          IRQ 5.
          Master Capable.  Latency=32.  
          I/O at 0xe000 [0xe01f].
      Bus  0, device  16, function  2:
        USB Controller: VIA Technologies, Inc. USB (#3) (rev 128).
          IRQ 12.
          Master Capable.  Latency=32.  
          I/O at 0xe400 [0xe41f].
      Bus  0, device  16, function  3:
        USB Controller: VIA Technologies, Inc. USB 2.0 (rev 130).
          IRQ 10.
          Master Capable.  Latency=32.  
          Non-prefetchable 32 bit memory at 0xdffffe00 [0xdffffeff].
      Bus  0, device  17, function  0:
        ISA bridge: VIA Technologies, Inc. VT8233A ISA Bridge (rev 0).
      Bus  0, device  17, function  1:
        IDE interface: VIA Technologies, Inc. VT82C586B PIPC Bus Master IDE (rev 6).
          IRQ 14.
          Master Capable.  Latency=32.  
          I/O at 0xfc00 [0xfc0f].
      Bus  1, device   0, function  0:
        VGA compatible controller: PCI device 1002:514d (ATI Technologies Inc) (rev 0).
          IRQ 11.
          Master Capable.  Latency=32.  Min Gnt=8.
          Prefetchable 32 bit memory at 0xc0000000 [0xcfffffff].
          I/O at 0xc800 [0xc8ff].
          Non-prefetchable 32 bit memory at 0xdfef0000 [0xdfefffff].
    Hello?? Anybody home? Think Mcfly think!
    edit:
    Yes, the IEEE1394 and RAID controllers aren't there; that's because they are disabled in the BIOS, and can be re-enabled just as easily, unlike the Broadcom LAN controller, which isn't even there to enable anyway.

  • How to prevent Mac DNS registration with W2K3 DNS

    I have a Mac with two ethernet cards. The Mac is bound to a W2K3 AD and presents LAN services via one card (LAN IP). The other card is connected to a non-routed separate network used for other purposes (Private IP).
    The Mac registers its forward lookup A record in the AD DNS twice, once with the wanted LAN IP address and once with the unwanted Private IP.
    The Private IP address is not reachable by clients so I don't want it to register. Because of the round robin nature of AD DNS, it serves out the wrong IP address to 50% of LAN clients, who then fail to connect.
    On Windows, it is possible in the GUI to specifically set a network card's properties not to register with the DNS. On the Mac this setting is absent in the GUI.
    I assume there is a setting I can throw from Terminal to block dynamic DNS registration for a specific ethernet card, whilst retaining it for the one I want. But I can't find it.
    Can anybody point me in the correct direction please?

    I think you will have a better chance of seeing your problem solved if you post on the XServe or Server forums.
