Open DNS vs TWC DNS (Dallas)

Should I use an open DNS or stay with TWC DNS (Dallas, TX)?
Are there really benefits to speak of as a second year Computer Engineering student?
Thanks all.

This is a comment on OpenDNS and other public domain-name system (DNS) services, such as Google DNS. You should use such a service if it solves a problem for you, and not if it creates problems you don't already have. To summarize:
1. Using public DNS will probably not make your network faster, and may make it slower.
2. It will probably not stop your browser from being redirected when you try to connect to a valid web address.
3. It will not make you safer from malware attacks.
4. It could cause confidential information to be compromised.
5. It has other privacy implications that you should take into account.
A DNS server resolves the human-readable "domain name" of an Internet host, such as www.apple.com, to the numerical address by which that host can be reached. The process is analogous to looking up a phone number by name. There is no chance that changing the DNS server you use will have any effect on a network problem not related to name resolution.
There are two valid reasons why you might want to use a public DNS service:
The DNS servers provided by your ISP are misconfigured (perhaps deliberately) or don't perform well.
You have a use for the filtering controls provided by OpenDNS and others.
Although some DNS services are touted as responding faster than others, there will be no noticeable difference if your ISP is delivering what you pay for. Most likely, the difference in response time among the DNS servers available to you is on the order of a hundredth of a second or less. But under some conditions, public DNS will significantly slow down network performance. Here is a case in point.
A content-distribution network (CDN), such as the one used by Apple to deliver software updates and iTunes content, relies on the location of the DNS server to optimize performance. If your query goes to a distant server, you may get slow downloads of Apple content, among other things. From the report of a test carried out by a networking consultant:
We listed 9 CDNs that would benefit from supporting/using edns-client-subnet, and only two actually support edns-client-subnet: CDN77 and ChinaCache. Others, including Akamai, Internap and CDNetworks, do not currently. This really is too bad, because from the performance data we collected, it is clear these CDNs deliver (much) worse performance currently in many countries to Google DNS and OpenDNS users.   
Another reason often given for using public DNS is to avoid "redirection," that is, false results from a query for a valid domain name. Ethical ISPs do not intentionally redirect valid DNS queries, though it might happen unintentionally because of a misconfiguration; for example, because the address of a network host has recently changed, or because of a "poisoning" attack on the DNS server. Recently, some low-quality commercial ISPs such as CenturyLink have taken to redirecting DNS queries for search engines such as Google. Do not tolerate this practice. If your ISP is doing it, then you should demand that the redirection be stopped, or else switch to another ISP. Note that many ISPs may, and OpenDNS certainly will, redirect invalid queries to ad sites, in violation of published standards for DNS.
Some ISPs have been said to re-route all DNS queries to their own name servers, regardless of where the queries were directed. This is another intolerable practice. I don't know of any commercial ISP that is currently doing this, but if yours is, you won't be able to use a public DNS service, even if you change the network settings on your computer or router.
If your Internet access is provided by an employer or institution, rather than a commercial ISP, then you have to take what is dished out.
The claims on the OpenDNS website that it blocks malware attacks such as "Flashback" are false advertising. A DNS service does not and cannot block anything. All it can do is to selectively refuse to answer queries. It's trivial for a malware attacker to evade such controls. It's just as easy to evade the parental controls offered by OpenDNS. Nevertheless, you may find those control features useful, despite their limitations. Here is an example of an ASC user who had undesirable results from OpenDNS content filtering.
There is one exception to the rule that OpenDNS and Google DNS don't improve performance. The "prefetching" performed by modern web browsers, including Safari, may confuse some DNS servers, with the effects described in this Apple Support article. The article suggests testing OpenDNS, Google DNS, or another third-party DNS service as a possible way to overcome the problem.
If you need to switch DNS providers because of a misconfiguration of your ISP's servers, the change will most likely only need to be temporary. The problem may be resolved automatically within a matter of hours.
If you intend to use public DNS, such as OpenDNS, on a long-term basis, you should be aware of the privacy implications. As a user of the free service, you are not an OpenDNS customer, and the service provider — a for-profit corporation — doesn't have a contract with you. The marketers to whom OpenDNS sells access and information are its customers.
OpenDNS will know, and store, the address of every Internet server you use from now on. This is from its privacy policy:
When you use our Services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our Service, to provide you with Services and for internal business and analysis purposes.
Concerning personal information, the policy states:
...[I]t is disclosed to entities that perform marketing services on our behalf or to other entities with whom we have joint marketing agreements...
You can't opt out of those disclosures. Read the privacy policy carefully and draw your own conclusions. The privacy policy of Google DNS seems to be somewhat more benign, but again, you should judge for yourself.
That's not the worst of it, though. The practice of hijacking nonexistent domains followed by most public DNS services could result in leaking confidential information to a hacker:
For example, consider the "same origin trust model" used for Web cookies. If you're holding a cookie for GOOGLE.COM and you can be fooled into following a link to KJHSDFKJHSKJHMJHER.GOOGLE.COM, and the resulting NXDOMAIN response is remapped into a positive answer to some advertising server, then you're going to send your cookie to that advertising server when you send your HTTP GET request there. Not such a bad thing for a GOOGLE.COM cookie, but a real problem for a BANKOFAMERICA.COM cookie.  
To emphasize, NXDOMAIN remapping is not something that only happens when you randomly mistype a domain name. It can be exploited deliberately by malicious links placed on any web page. In the case of OpenDNS, the result would be that a cookie intended for another server would be sent to the OpenDNS web server instead. A rogue OpenDNS employee, or anyone who managed to break into the web server, might then be able to impersonate you on another website. If this scenario seems far-fetched, it's the stuff that network exploits are made of.
See also a brief, somewhat outdated, critique of OpenDNS on a Harvard Law School blog, with a response from the company's founder.
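The NXDOMAIN remapping described in the answer above can be checked directly, and the same DNS message parsing serves the "open resolver" notices quoted further down this page (those tools simply send a recursive query to your public address and look at the reply). The following is an added example, not code from the post or from OpenDNS: it builds a minimal DNS query with the standard library, parses the reply header and answer section, and classifies the reply. The query name, the fixture IP addresses and the `make_reply` fixture builder are constructed for the example; the only real-world assumption is that a random label under the reserved domain example.com does not exist.

```python
"""Added example: detect NXDOMAIN remapping and recursion-available (RA) in DNS replies.

Only the standard library is used. Run with a resolver IP as the first argument to
query it live; with no argument it runs against constructed sample replies.
"""
import secrets
import socket
import struct
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, recursion_desired: bool = True,
                txid: Optional[int] = None) -> bytes:
    """Build a one-question DNS query (RFC 1035 section 4.1); type A, class IN by default."""
    txid = secrets.randbelow(65536) if txid is None else txid
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past the (possibly compressed) name at `offset`."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


@dataclass
class DnsReply:
    txid: int
    rcode: int
    recursion_available: bool
    answers: List[str] = field(default_factory=list)  # rdata of A/AAAA answers as text


def parse_response(msg: bytes) -> DnsReply:
    """Parse header flags and the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    reply = DnsReply(txid=txid, rcode=flags & 0x000F, recursion_available=bool(flags & 0x0080))
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            reply.answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            reply.answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
        else:
            reply.answers.append(f"type{rtype}:{rdata.hex()}")
    return reply


def classify_nonexistent_name_reply(reply: DnsReply) -> str:
    """Judge the reply to a query for a name that cannot exist."""
    if reply.rcode == 3:
        return "honest"     # NXDOMAIN, as the standard requires
    if reply.rcode == 0 and reply.answers:
        return "remapped"   # positive answer for a bogus name: NXDOMAIN hijacking
    return RCODE_NAMES.get(reply.rcode, f"rcode{reply.rcode}")


def classify_open_resolver(reply: DnsReply) -> str:
    """Judge a reply to a recursive query sent to your own public address."""
    if reply.rcode == 5:
        return "closed"     # REFUSED: recursion not offered to this client
    if reply.recursion_available and reply.rcode in (0, 3):
        return "open"       # the server recursed on behalf of an outside client
    return "inconclusive"


def make_reply(query: bytes, rcode: int, a_records: Tuple[str, ...] = (), ra: bool = True) -> bytes:
    """Construct a response to `query` (test fixture standing in for a real resolver)."""
    txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)  # QR, RD, RA, RCODE
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(a_records), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # name = pointer to question
                       + socket.inet_pton(socket.AF_INET, ip) for ip in a_records)
    return header + query[12:] + answers


def probe(server: str, name: str, timeout: float = 3.0) -> DnsReply:
    """Send one UDP query to `server` and return the parsed reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply.txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return reply


if __name__ == "__main__":
    name = f"{secrets.token_hex(8)}.example.com"  # random label: should not exist
    if len(sys.argv) > 1:
        r = probe(sys.argv[1], name)
        print(name, "->", classify_nonexistent_name_reply(r), r.answers,
              "RA" if r.recursion_available else "no RA")
    else:
        q = build_query(name, txid=0x1234)
        for label, raw in (("honest", make_reply(q, 3)),
                           ("remapped", make_reply(q, 0, ("198.51.100.7",)))):  # constructed fixture
            print(label, "->", classify_nonexistent_name_reply(parse_response(raw)))
```

Running `python3 nxcheck.py 208.67.222.222` compares the resolver's behaviour against the standard; a "remapped" verdict with an advertising server's address in the answers is the condition the answer warns about, because the browser treats that address as a host under the domain it was told to look up. For the open-resolver case, the probe has to originate outside your own network to mean anything, since a resolver that is correctly limited by ACL will still answer clients on the inside.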

Similar Messages

  • Obtaining DNS servers automatically on Cisco ADSL routers;" not static dns with command dns-server x.x.x.x" ?

    Obtaining DNS servers automatically on Cisco ADSL routers;" not static dns with command dns-server x.x.x.x" ?

    Ok Thank you Karsten

  • DNS lookups without DNS server

    Hi Community,
    some users in a German forum are reporting a functional DNS resolution without a configured DNS name server. Is there a hidden feature in the actual Snow Leopard release which makes this possible?
    Thx & Bye Tom

    Kiwi Graham wrote:
    Sounds like an oxymoron to me - doing a DNS lookup without DNS?
    Yes, I agree.
    It is certainly possible to store a set of local mappings, but it'd be a subset of the domain universe and it'd also be static. So further resolution would have to go out to a DNS server.
    I thought that maybe it could be possible that there is an internal fallback server configured. But it seems that it isn't, because should this be a fact, more users should know this.
    More information?
    No, sorry. I asked both users to make a tcpdump on port 53 to determine the answering DNS server but I got no response. But thanks for your attention.
    Bye Tom

  • WRVS4400N DNS Options for Open VNS Using Static DNS

    How can I get an IP address automatically from my ISP, but set a static DNS IP address for using the Open DNS service? This can be done on many other routers including the Linksys home routers. Why doesn't it exist on the WRVS4400N?

    I was doing some research on this router. I noticed the RV series routers are the ones that have this feature; however, in the WRVS series this option does not exist. You can get an RV series router and use the WRVS as an access point in order to get your wireless signal.

  • Why doesn't VPN DNS override adapter DNS?

    There are DNS servers that help me get around my work network.  But when I'm away from the office I only want to use these DNS servers if I'm connected to VPN, else I want to pick up the default DNS.
    There's an option to configure DNS addresses for VPN connections.  However, these never get used as far as I can tell.  As long as the DNS server I want to use is missing from my adapter's (e.g. wifi or ethernet) DNS settings, I will not ever see the machines whose addresses are resolved by my work network's DNS.
    I've seen this reported other places but no solution.  Is it possible that this could be fixed in a future update?  As for now, I have to switch "locations" (i.e. Apple menu --> Location) instead of having one setting that works everywhere.  That, or use IP addresses instead of computer names.
    Alternatively, I'd like the DNS servers that I add manually to be *in addition* to the servers that are picked up automatically.  Right now, if I add my work DNS, then I also have to add a public DNS just to get to the internet when outside of work.  I'd like to add my work DNS to my ISP or home network's DNS.

    The problem is when switching between networks the last DNS servers are cached.
    For example, say my work's DNS is 10.10.10.1 and 10.10.10.2. If you go home and connect to my wifi they should no longer be there and visible in the Network preference pane, but they are.
    The only way is to have different locations set or to do it from the command line
    networksetup -setdnsservers "Built-in Ethernet" "Empty"
    https://discussions.apple.com/thread/377247?start=0&tstart=0

  • Open dns resolver issues on windows server 2008 R2

    my client is running a windows 2008 r2 server with dns and dhcp roles. it's not a domain controller, just a workgroup server.
    got a notification from my client's isp:
    "These attacks have been facilitated through DNS
    amplification attacks. AT&T has detected these attacks and has confirmed
    that the IP address x.x.x.x allocated to your Internet access account is
    accessible from the Internet as an open DNS resolver. "
    tried disabling recursion, but then there is no access to the internet.
    tried disabling the firewall rule for dns udp, and no access to the internet.
    does anyone have any idea how to correct this? do i need to add a public dns server to my dhcp scope for internet access? if i do, then what good is a dns server if it doesn't resolve internet addresses?
    Gary

    Just to add, I was wondering why you had port 53 opened to your DNS servers. And just to point out, that rule you created is a port translation rule that allows access to your DNS server from the internet, just as if you had created a rule to allow access to an internal web server for public use, or for allowing webmail (OWA) access from the internet to your internal mail server.
    What you did, as Keith said, will stop that, but to further point out, the rules are not really needed again; I would just remove the rules completely. For internet access, such as allowing your users to access websites, or your DNS to resolve external names (whether using Root hints or a Forwarder), just about any firewall will allow that out-of-the-box. In some firewalls, you have to create a rule on the outside untrusted interface to "allow established", meaning when an internal request goes to an outside resource, such as a website, to allow the response back in.
    The only time you want to create rules is when you want to allow inbound traffic with a port translation rule (such as what you originally unknowingly did for TCP & UDP 53) to a web server, OWA, SMTP traffic to a mail server, etc.; otherwise, leave it out of the box.
    As for what the ISP is concerned about regarding DNS amplification attacks, they are a fairly recent method for attackers to create a DOS (denial of service). You can read up at a couple of recent discussions about what all that means in the following threads, with ways to stop or mitigate them.
    Best way to reduce or disable DNS amplification for external DNS?,
    Sunday, June 16, 2013 6:08 PM
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d087a768-2075-49e4-afec-4fd23b50af0a/best-way-to-reduce-or-disable-dns-amplification-for-external-dns
    Protecting Windows DNS Server from being abused for DNS amplification attacks,
    Wednesday, April 10, 2013 8:05 AM
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/fac86dc7-779d-48eb-a113-9c06c2222af9/protecting-windows-dns-server-from-being-abused-for-dns-amplification-attacks
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.

  • Cisco Linksys E3000 - Open DNS Error

    I just purchased a Cisco Linksys E3000 and got it set up pretty much the way I want it. My only remaining problem is I wish to use Open DNS as my DNS server. On Line chat support says, "Please access router set up. Under the set up tab you will see the option for DNS1 and DNS2 please change it to 208.87.222 & 208.67.220 and save settings". I replied, "I am on the basic set up page and currently I see Static DNS 1 thru 3 which are currently all zeros is that where you want me to put the new DNS numbers?"
    I made the changes as directed, saved and also flushed the DNS cache in Windows and in Firefox, rebooted and everything worked great.
    The problem is if the computer goes to sleep or is shut down when it restarts it cannot find the DNS server! What am I missing?
    Thanks

    Thanks for your help. This one really has me baffled
    As you can see below the static DNS is set to 3 addresses for Open DNS and everything works fine until either the computer goes to sleep or is shut down. Then the router can no longer locate a DNS server. The only way I can find to get everything working again is to zero out the address for Open DNS and reboot the router, which somehow reestablishes the DNS servers as:
    DNS Servers . . . . . . . . . 156.154.119.11
                                           156.154.129.11
                                           192.168.1.1
    You can also see this below and I hope you have some idea of what is happening. I never had this problem before with any other routers on this system.
    Thanks,
    Chick
    C:\Windows\system32>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : Dominator
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    Ethernet adapter Local Area Connection 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : TAP-Win32 Adapter V9
       Physical Address. . . . . . . . . : 00-FF-8F-A2-D9-9F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet #2
       Physical Address. . . . . . . . . : 00-04-4B-14-AE-3F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::6d9a:9c78:1a19:fbfa%19(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.133(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, September 24, 2011 2:57:14 PM
       Lease Expires . . . . . . . . . . : Sunday, September 25, 2011 3:07:26 PM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 469763147
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-75-07-8A-00-04-4B-14-AE-3F
       DNS Servers . . . . . . . : 208.67.222.222
                                           208.67.220.220
                                           208.67.220.222
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{13320496-B6EC-4CA2-9952-BDB3B51EED80}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 12:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{8FA2D99F-77B6-4DB6-9F88-C9952D1BE3EF}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Windows\system32>
    After Zeroing out Static DNS from Open DNS Address I get:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\Windows\system32>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : Dominator
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet #2
       Physical Address. . . . . . . . . : 00-04-4B-14-AE-3F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::6d9a:9c78:1a19:fbfa%19(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.133(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, September 24, 2011 3:38:12 PM
       Lease Expires . . . . . . . . . . : Sunday, September 25, 2011 3:38:12 PM
       Default Gateway . . . . . . . . . : fe80::c2c1:c0ff:fe7b:a655%19
                                           192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 469763147
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-75-07-8A-00-04-4B-14-AE-3F
       DNS Servers . . . . . . . . . . . : 156.154.119.11
                                           156.154.129.11
                                           192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter Local Area Connection* 12:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3451:dea:3f57:fe7a(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3451:dea:3f57:fe7a%10(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter isatap.{13320496-B6EC-4CA2-9952-BDB3B51EED80}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Windows\system32>

  • ISP Reporting Open DNS Resolvers

    I have a WRV210 installed at a remote client; it is set to do a point-to-point VPN tunnel to the company office (Windows server) with another 210 at the other end.
    Behind this specific unit are 2 Windows workstations(XP). The client just received the following email from AT&T:
    AT&T has determined that a device using your Internet connection is configured to run an open Domain Name System (DNS) resolver. A DNS resolver was observed answering public queries at Jan 7, 2014 at 7:06 PM EST at the IP address X.X.X.X. Our records indicate that this IP address was assigned to you at this time.
    Open DNS resolvers can be used for network attacks, presenting additional load on your Internet access and resulting in unreliable service.
    An open DNS resolver allows users on the Internet to perform DNS requests on your server. This is considered an insecure configuration and in the majority of cases, Internet subscribers should not operate an open DNS resolver. The open DNS resolver may be present due to a default operating system installation or system configuration issue. In some cases, network devices such as home wireless routers have flaws that expose DNS service to the Internet.
    To address this problem we ask that you take the following actions. If your computer(s) are managed by an Information Technology (IT) group at your place of work, please pass this information on to them.
    If you use a wireless network, ensure that your wireless router is password-protected and using WPA or WPA2 encryption (use WEP only if WPA is not available). In addition, ensure that the router is not configured to provide open DNS services (consult the manual for your specific hardware). Check the connections to the router and ensure that you recognize all connected devices.
    If your environment requires you to run an open DNS resolver, please limit access via an ACL, rate limiting, or another method to minimize abuse of your server. Visit http://www.team-cymru.org/Services/Resolvers/instructions.html for additional technical information on preventing abuse.
    Thank you for your prompt attention to this matter. We welcome your feedback and questions on this matter. Please contact us at [email protected] with any questions you may have.
    I have no port forwarding set up, nor do I have any port triggering. The workstation is not set up in the DMZ; the inside network is set up as 192.168.1.x.
    Can anyone point me in the right direction to resolve this?
    Thank you.

    My brother uses the Cisco WRV210 for his home wireless network and he has the same issue. He received the below warning from his ISP. The ISP provided this link http://www.thinkbroadband.com/tools/dnscheck.html to run a DNS check for this issue. I have reset the router to factory settings and upgraded the firmware but it did not resolve the issue. I have checked that all of his devices are clean of viruses and malware to the best of my ability. Even my own laptop, which is fine with my own home network, reports this DNS resolver issue when I run the dnscheck when connected to the WRV210. This issue is beyond my knowledge and expertise. His ISP has terminated his service twice already as a warning, each time having to demand to have it restored. As a result I reinstalled my brother's 10 year old D-Link router and although it is noticeably slower, it does not exhibit this problem.
    Any assistance is greatly appreciated!
    Please be advised that we have received a report that your provisioned IP address is operating as an Open DNS server permitting unrestricted Recursive DNS Queries from anywhere on the Internet.
    Open recursive DNS resolvers have been used to generate an increasing number of extremely large reflective DDoS attacks, without needing a large number of infected hosts to launch the attacks.
    Additional risks of open recursive resolvers include resource consumption by outside users without your consent, and, perhaps possible cache poisoning from outside entities.
    More information on the problems associated with Open DNS Recursion, and assistance in remediating this threat, can be obtained from the site below.
    http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
    If you are not running a DNS server and are using a home gateway or router, it may be possible the router is running a DNS server. Usually, the DNS server should only be accessible to the computers inside your home; however, if configured incorrectly, it may make the DNS server accessible to the entire Internet. If you suspect your router may be the cause of this activity, we suggest contacting your router manufacturer's support desk for assistance in reconfiguring your router.
    Please note that each end user is responsible for the security of their computer system while connected to the network and thus is ultimately responsible for network abuse that is conducted through such configurations. Failure to take the appropriate measures to prevent network abuse through your internet account may result in a service interruption / account termination.

  • DNS, Open Directory, and wow my head hurts

    OK, I’m slowly pulling my ear hairs out over this.  My comprehension of the DNS world is modest at best (I know enough to get into trouble). I did not set up most of this (not the DNS parts anyway), and I’m trying to unravel what exactly is going on.  Maybe it’s exactly as it should be; but it seems awfully convoluted to me, so if you’re bored and want to show off your expertise and ability to explain it to a kindergartener, please read on…
    Let’s say my Domain is mydomain.com. (You can probably figure out what it really is, but I’d rather not sprinkle a post with it.)
    Our firewall is a Sophos UT320. It obviously supports forwarding of DNS info from our ISP. While its own documentation says it does not have a full-fledged dns server, it does have something called “Static Entries” which seems to be a bare-bones dns server of sorts. I can set any static domain name (myserver.mydomain.com for example), point it to a server on our lan, and everyone internally can get to that server by using myserver.mydomain.com instead of 192.168.blah.blah. It also supports reverse DNS, so if I issue a host 192.168.blah.blah command from my computer, I get “blah.blah.168.192.in-addr.arpa domain name pointer myserver.mydomain.com.” My guess is that it’s only serving up A records. No one from outside our LAN can access these servers or records (unless they’re on a VPN of course).
    Now, in our lan, we have a bunch of Mac Servers.  Our Open Directory server has DNS service enabled on it, and the primary zone is set to od.mydomain.com.  It has some A records pointing to myserver.mydomain.com, myotherserver.mydomain.com, etc.
    Another server, located at myserver.mydomain.com, has a DNS service whose primary zone is mydomain.com (yes, it matches our external domain name). It contains A records for itself, the OD Server, and others.
    Reverse lookup works fine throughout the lan.
    All DNS Servers’ Forwarders are our router.
    I did a test where I turned off all these internal DNS servers (yes, there’s more) and pointed all the servers to the router. It seemed fine at first, I could issue HOST commands to and from every server to every other one and resolve both names and addresses.  The router seemed to be doing fine.
    After a day or so (I assume after the TTL elapsed), people started getting permissions errors on the servers, so I turned it all back on.
    This is with 10.6.8 Servers (one is running 10.9 but it doesn't seem to have DNS running).
    So here are my questions:
    Why would my OD Server’s DNS Service’s primary zone be “od.mydomain.com” and not just “mydomain.com”?
    Does it make sense (or even matter) to have these DNS entries ending in mydomain.com when that’s our website’s address? (We host our own site and email server, btw.)
    Why would OD not work after all these DNS Servers were turned off, when the HOST command shows it can get to every other machine and they can get to it? What else, besides the A record and reverse lookup, could be included in the full-blown DNS servers that wouldn’t be in the Sophos bare-bones one, but still allow reverse lookups to function? What else does OD want from DNS?
    Wouldn’t it be better, even if this all was necessary, to set up a single internal DNS Server (ok, maybe plus a backup)?  Why would this service be running, with a variety of A records, on almost every server we have?
    Is there a site that can explain DNS, and actually define every acronym, abbreviation, etc it uses?  Every time I try to learn something I go down a wiki rabbit hole.
    Thanks!
    Jeff

    OK, the answer to this seemed to be to not rely on Sophos' "Static Entries" DNS functionality.  Even though it allows "HOST" commands to work for both reverse and forward lookups, OD and/or Kerberos needs more.  Once I made a zone on our OD Server that listed itself, our replica server, AND our email server (which uses Kerberos), and made what I think is now a proper secondary DNS server on our replica server, and pointed the OD server's DNS to itself, the replica to itself, and kept the email server using the Sophos for DNS, it worked.

  • DNS conflict when running Open Directory Master inside of Windows network

    We installed Snow Leopard Server as an Open Directory Master in a building that already has a Windows Primary Domain Controller. The intent was to create a Mac network inside of the building with their own services. The Mac server does not pull LDAP/Kerberos/etc. from the Windows server and the Mac clients do not use the Windows server for any other services.
    Everything (Final Cut Server, Open Directory, DNS, File Sharing) worked fine for a day. The next day, all of the windows machines were getting DNS conflict messages on their screens every 15 minutes. After shutting down the Snow Leopard Server, the Windows machines are back to normal.
    Ideas?
    Thanks!

    Hi
    Is it possible the Windows administrators have added your server as a DNS Server in their DHCP Service for some reason unknown to you? Or possibly you've chosen an IP address that is listed as a DNS Server in their DHCP Service?
    If you launch terminal from a client mac and issue the host command for the server's IP address what's the result?
    +"we understood the Mac server has to be hosting DNS in order for Open Directory to function"+
    DNS does not have to be running on the Server itself for any of the Services in OSX Server to function. Just as long as it can resolve itself on both pointers is all that matters. If it was the only server on the network then yes configure the Service. If there already is an existing and mature DNS Service then it makes sense to use it.
    Tony

  • How to setup multiple DNS zones in a single domain

    We have a small charter school running a Mac Open Directory network on a single subnet with a single registered FQDN for its internal domain. We are about to open a second school within a wing of the same building which will also be on a Mac Open Directory domain, but since it is legally a separate school (just administered by the same staff) it needs to be on its own subnet and have its own LDAP directory.
    Is there a way to program DNS between the two schools so that DNS traffic can be routed between them without breaking the DNS and Open Directory/Kerberos realms of either? Both schools will share the same internal domain name. Is it as simple as creating two primary DNS zones on each other's nameservers, both using the same domain name but each having its own designated nameserver for that particular subnet?
    For instance, the existing school is running DNS on server1.example.com within the 10.39.54.0/23 subnet. The second school will be running DNS on server2.example.com within the 10.39.56.0/23 subnet. Would I then simply create two primary zones within each subnet, one referring to its own with itself as the nameserver and one within the neighbor subnet referencing that subnet's server as the designated nameserver?
    Or would I do this with each school's DNS servers searching through its own subnet as its primary zone with the neighbor zone being added as a secondary zone?
    Thanks!

    You have two options.
    The first option: use a DNS server with a single internal domain example.com and have (as you said) server1.example.com.
    If the two subnets are on separate networks, either via a router or VLAN, then you could run a separate DHCP server on each and advertise the appropriate DNS server for that subnet.
    Otherwise you could have a single DNS server and either a single DHCP server advertising that single DNS server, with both server1 and server2 in the single DNS zone, or a DHCP server in each subnet but still pointing to the same single DNS server.
    Each of these two servers would be an Open Directory Master.
    Note: in DNS terminology a DNS 'zone' is the same thing as a domain name.
    The second option, if you want to keep the two 'schools' completely separate, is to do the following:
    Use a DNS server per subnet.
    Use a DHCP server per subnet.
    Use a different domain name per school, e.g. school1.com and school2.com.
    Create a server record on each as appropriate, e.g. server1.school1.com and server2.school2.com.
    You cannot have a single DNS server with two identical zones, e.g. example.com and example.com, as they are of course the same thing.
    If the two schools will merge officially at some point it might be better to use the same domain name; if they are going to fully split then it is definitely going to be better to use two different domain names.

  • LDAP + DNS + noob=Massive Pain (LONG)

    I am running 10.4.11 as a home server/gateway. There are two NICs. The first is connected directly to the modem via ethernet, the second goes to a switch for the LAN. When I set up this server I started small with AFP, DHCP, DNS, Firewall, and Web. I pointed my domain to my IP. Set up the DNS; for this example let's call the domain I am hosting homepages.com. I called the server ns1.homepages.com. I used AFP to mount the directory for the apache root and started to drop my html/php in there. Then I started up MySQL and installed phpMyAdmin. Things worked. Upgraded to php5. This was frustrating but in the end, all went well. Then I added a second domain in the DNS. I selected the IP of the second NIC for this second domain because I wanted to name the computers here in my home office, as I have a couple of part time employees and thought that names would be easier than IP addresses. I called the server server.home.art, with home.art being the domain. Other computers obviously had names like scanner.home.art or filemaker.home.art or entertainment.home.art, you get the idea. Now it has become rather cumbersome to manage the part time folks all on separate machines, all with local users and all with permission issues to deal with. So I started to ask around and I was told that the Open Directory service could help out. So I promoted the server to Master and immediately ran into problems. You can see a thread over at afp548 here:
    http://www.afp548.com/forum/viewtopic.php?showtopic=19082
    I guess my biggest problem here is my internal vs. external domain. When I originally promoted this to Master the Kerberos Realm and Search base were crazy; they were being pulled from the IN.ARPA from my ISP. That didn't work because the client machines couldn't resolve that; they were looking for the internal domain, home.art. It took me quite a while to figure that out. So after many, many, many promotions/demotions of the Open Directory and many uses of changeip I am still getting errors, either when I try and promote the server to Master or from clients. The clients range from network users being shaken off with no errors to the error that started the above thread, "home directory is on an AFP volume and cannot be mounted."
    I was finally able to get my hostnames to agree with the external name, the ns1.homepages.com, but then I have massive problems with the clients on the LAN connecting to the server. I REALLY want to use the Kerberos Realm HOME.ART but it really doesn't like that. When I promote it that way it hangs and gives me errors both in the GUI and in the logs. If I use NS1.HOMEPAGES.COM, everything starts smoothly but then the clients have problems.
    Is there any way to get the DNS for the internal to the Kerberos Realm instead of the external? I have tried to demote the server to stand alone, save and restart. Then use "sudo changeip - myip myip ns1.homepages.com server.home.art". And then restart the machine. Promote it to Master but the Kerberos Realm still shows as NS1.HOMEPAGES.COM. The search base changes to dc=server, dc=home, dc=art, but when I input a Password and "Create" the master I get a "service encountered an error" and "settings is not available, this is a one time alert" and then multiple errors in the logs, namely slapconfig:
    Creating Kerberos directory
    Creating KDC Config File
    Creating Admin ACL File
    Creating Kerberos Master Key
    Creating Kerberos Database
    Creating Kerberos Admin user
    WARNING: no policy specified for [email protected]; defaulting to no policy
    Adding kerberos auth authority to admin user
    Finally, when I demote the server, changeip the name back to the ns1 name and promote the server back AND still can't log into accounts, I get errors like this in kadmin:
    Jan 13 20:36:48 ns1.homepages.com kadmin.local[1575](info): No dictionary file specified, continuing without one.
    This error hits the log in three every 4 minutes.
    Or in LDAP Log I see errors like this:
    Jan 13 20:32:23 ns1 slapd[580]: Entry (uid=hollbo,cn=users,dc=ns1,dc=homepages,dc=com): object class 'posixAccount' requires attribute 'homeDirectory'
    Jan 13 20:32:23 ns1 slapd[580]: entry failed schema check: object class 'posixAccount' requires attribute 'homeDirectory'
    Jan 13 20:36:50 ns1 slapd[580]: SASL [conn=112] Failure: no user in database
    Jan 13 20:37:01 ns1 slapd[580]: SASL [conn=126] Failure: no user in database
    Jan 13 20:39:24 ns1 slapd[580]: SASL [conn=139] Failure: no user in database
    Jan 13 20:41:14 ns1 slapd[580]: SASL [conn=160] Failure: no user in database
    Jan 13 20:42:46 ns1 slapd[580]: SASL [conn=172] Failure: no user in database
    Jan 13 21:11:38 ns1 slapd[580]: slapd shutdown: waiting for 0 threads to terminate
    Jan 13 21:11:38 ns1 slapd[580]: bdb(dc=ns1,dc=homepages,dc=com): Locker still has locks
    Jan 13 21:11:38 ns1 slapd[580]: bdblocker_idfree: 16 err Invalid argument(22)
    Jan 13 21:11:38 ns1 slapd[580]: bdb(dc=ns1,dc=homepages,dc=com): apple-category.bdb: unable to flush: No such file or directory
    I'm really confused and have received so many errors that I am beginning to wonder if I have fiddled so much that I have created serious problems with Kerberos. I don't know whether that is possible or not but I could really use some advice on this.
    thanks

    Ok Let me try this again. (My butterfingers have caused more problems with my server configuration than I can tell you).
    *The nightmare that can be Open Directory:*
    It is often best to just start over with a clean install of the server software when your OD keeps failing as you describe. This is no fun, and is time consuming, but it is more likely to give you success. (Hopefully you are paid by the hour and your boss is supportive). If you choose this route, make sure you take the following steps. During the "setup assistant" process, make the server a stand-alone server at first and *do not turn on any other services*.
    Once your server is up and running, set up your DNS configuration. DNS *absolutely must be configured correctly and queries for your OD by domain name should resolve to the machine.* If DNS isn't working, OD won't work. And you *cannot use the bonjour zeroconf/mDNS* with OD.
    The DNS zones must *allow recursion* and *should not allow zone transfers*.
    Your DNS servers field in the network configuration system preference pane should point to the internal LAN DNS server IP address (If you are using DNS on the same machine as your OD, then point it to that machine's private IP address).
    Start DNS
    Restart the computer.
    With OS X 10.4 and higher, setting up your zones is much easier and less prone to error than earlier versions, but verification is important.
    Once you are rebooted, there are a number of tools you can use to test the DNS configuration.
    Check your zone files by opening terminal and typing (in your case) *sudo named-checkzone art /var/named/art.zone* or *sudo named-checkzone home.art /var/named/home.art.zone* . As you can see, the zone file is named whatever you called your zone name with the ".zone" on the end. You next need to verify that the configuration file is correct for dns. Do this by typing *sudo named-checkconf /etc/named.conf*
    Use Network Utility to perform a lookup on your server's domain name and a reverse lookup by typing in your server's IP address. If both come back without errors and look similar to a lookup of a public nameserver that you know is functional.
    Do a search here or on the web in general regarding the errors you may receive if any from these commands. Mac OS X server 10.4 uses BIND9, so the number of sites with tutorials and information about errors and configuration issues are vast.
    It is valuable to know that the location of the zone files and configuration files varies somewhat depending on the version of Linux/Unix. For instance, Debian installs put the entire batch of files in /etc/bind, separate the named.conf file from the local configuration (named.conf.local) and options (named.conf.options), and split up the zone files for the localhost into groupings based on IP address octets, while Mac OS X puts the configuration files in /etc/named.conf and /etc/rndc.key, and puts the zone files in /var/named/. Regardless, the content of these files is completely compatible.
    Then you can convert the server to an open directory master. If the dialog shows the correct info for your server (DC=HOME,DC=ART) you should be good to go.
    To reiterate: if DNS is configured correctly, OD should also work properly, especially if you start with a virgin server.
    *Throwing Caution to the Wind*
    Reinstalling everything from scratch is going to result in the most durable solution. With that in mind, why not take some time to learn a bit about how the system is laid out by really mucking it up. If you are methodical enough, you may actually solve your problem in the process.
    OD stores files in certain locations in the /private/var/db/openldap and /private/etc/openldap folders. In /private/etc/openldap there are loose files in the root and a folder called schemas. The latter folder should remain unchanged from first install. It just contains the descriptors for various configurations. The files "ldap.conf and ldap.conf.default" should be relatively untouched. The slapd.conf and slapd-related files are what contain the info you need. Specifically the slapd_macosxserver.conf file. This is the only file that should contain information specific to your Open Directory configuration.
    The OD database is stored in /var/db/openldap
    Your kerberos information is stored in a number of files including /etc/krb5.keytab and /var/krb5kdc. Also information is stored in the kerberos.mit files in your /Library/Preferences folder.
    I won't tell you what to do with these files. But if you demote your server to standalone, reboot in single user mode (hold command-s at startup, and follow the instructions to run /sbin/fsck -fy and /sbin/mount -rw / at the command prompt) and move (mv) any of the files to backup folders or rename folders so the software does not find them (except /etc/openldap/ldap.conf, ldap.conf.default, and schemas). You use the mv command to do this. mv allows you to move and rename files. It does not create new folders, so you need to do that ahead of time using mkdir if that is your plan of attack. The format of the command is fairly straightforward: if you wanted to rename the folder /var/db/openldap to a backup name you would type *mv /var/db/openldap /var/db/openldap.backup* . To move all the files within a given folder without moving the enclosing folder itself (say /tmp/501) to a new one (say /Users/administrator/Desktop/tmpBackup), you would type *mkdir /Users/administrator/Desktop/tmpBackup; mv /tmp/501/* /Users/administrator/Desktop/tmpBackup* The semicolon tells the shell that you are starting a new command.
    Beyond this, you will have to just experiment. If anything, the half-hour you spend mucking up your system will be an invaluable learning experience even if you end up having to reinstall the OS and Server software from scratch.
    I hope this is helpful for you.

  • Intermittent DNS resolution, timeserver, group policy update errors in client logs in Win 2012 R2 single server environment

    We recently switched hardware and server software Win SBS 2008 to 2012R2 for a small network roughly 40 clients (Win7 Pro / Win 8.1 Pro) about 16 running concurrently at a given time and one network printer with the printer queue residing on the DC as well.
    I read that a single server environment might not be ideal in particular no fail-over but that is an accepted risk in this particular network here.
    Errors:
    Error 1043: Timeout during name resolution request
    Error 1129: Group policy updates could not be processed due to DC not available
    Error 5719: Could not establish secure connection to DC, DC not available
    Occasionally but disappears after a while
    Error 134: As a result of a DNS resolution timeout could not reach time server
    Symptoms
    On Win 7 Clients
    Network shares added through Group Policy will not show sometimes
    Network shares disconnect (red X) and when accessed return access authorization error after one or two clicks on the share finally grant access again
    When the issue with accessing network shares occurs, it usually also affects Internet access meaning a 'server not responding' error appears in the browser windows when trying to open just any web page
    nslookup during the incident returns cannot resolve error
    ipconfig on client shows correct default router (VDSL Router) and DHCP / DNS Domain Controller
    Also, the Win system log shows the above errors during these incidents; however, the number of incidents varies from 20-30
    On Win 8.1 Clients
    Same as above with the slight variation for network shares, apparently due to Server 2012 and Win 8.1 clients managing drive shares differently. However, network share refresh does not work with these clients. In most cases only a gpupdate /force returns drive shares but usually only for the active session. After logoff / logon the shares are gone again.
    The issue does appear to be load related since it occurs even if there are only one or two workstations active.
    Server Configuration
    Dell R320 PowerEdge 16GB / 4TB 7200RPM RAID10 / GBitEthernet
    Zyxel 1910-48 Port Switch
    VDSL 50Mbps Down / 20Mbps Up
    Since the DC is the only local DNS and there are no plans to add another one or move DNS to another server, the DNS server is configured with its own address as preferred DNS with three DNS forwarders 1) VDSL Router 2) ISP DNS1 3) ISP DNS2
    Currently only one Network card is active for problem determination reasons.
    There appears to be no consensus concerning IPV6 enabled or disabled, I tried both with no apparent effect
    I have set all network cards server and client to Full Duplex and the same speed, also disabled Offload functions within the adapter settings. Some but no consistent improvements.
    Best Practice Analyzer Results
    DNS server scavenging not enabled
    Root hint server XYZ must respond to NS queries for the root zone
    More than one forwarding server should be configured (although 3 are configured)
    NIC1 should be configured to use both a preferred and alternate DNS (there is only one DNS in this network)
    I have found some instructions to apply changes to the clients through a hosts file but I would rather like to understand whether this DNS response time issue can be resolved on the server, for example with timing settings perhaps. Currently the DNS forwarders are set to 3 seconds.
    Since a few people have reported issues with DNS but most are working with multi-DNS, DC environments, I could not really apply any suggestions made there. Perhaps there is anyone like me who is running a single server who has overcome or experienced the same issues. Any help would be appreciated

    Hello Milos thx for your reply.. my comments below
    1. What does "switched" mean? You may mean migration or new installation. We do not know...
    >> Switched is probably the incorrect term; replaced would be the appropriate wording. Before, there was an HP ProLiant server with SBS 2008 with a distinct domain and now there is a Dell server with MS 2012 R2 with a distinct domain. Clients were removed from one (SBS) domain and added to the new Server 2012 domain. Other components did not change, for example the same network switch or VDSL router, workstations and printer.
    2. Two DCs are better alternative. Or backup very frequently. There are two groups of administrators. Those who have lost DC and those who will experience this disaster in near future.
    >> Correct, and I am aware of that
    3. NIC settings in W 7 and W 8.1, namely DNS points to DC (...and NOTHING else. No public IP or that of router DNS.))
    >> Correct, this is how it's currently implemented. Clients point to the DC for DHCP and DNS and default router, no public IP or DNS. The only references to the ISP DNS exist on the VDSL router itself, as provided through the ISP when establishing the VDSL link, and the list of forwarders in the DNS Server configuration. However, I have just recently added the ISP's DNS as forwarders for test purposes and will probably learn tomorrow morning whether this had any effect for better or worse.
    4. Do nslookup to RR on clients. RR branch is saying client basic info on LDAP parameters of AD.
    >> Will post as soon as available
    5. I do not use forwarders and the system works
    >> Ok, does this mean it works for you in a similar or the same infrastructure setup, or are you saying it is not required at all and I can remove any forwarder in a scenario like mine? If not required, can you explain a bit more why it is not required, apart from that it does work for you that way?
    6. DHCP should sit on DC (DHCP on router is disabled)
    >> Correct, no other device is configured to provide DHCP service other than DC and DHCP is currently running on DC
    7. NIC settings in DC points to itself (loopback address 127.0.0.1)
    >> Are you sure this is still correct and does apply to Server 2012? I am reading articles stating that it should be the servers own IP but local loop or should this be added as alternate DNS in addition to the servers own IP?
    8. Use IPCONFIG /FLUSHDNS whenever you change DNS settings.
    >> OK, that was not done every time I changed some settings but I can do that next week. Reboot alone would not suffice, correct?
    9. Test your system with dcdiag.
    >> See result below
    10. Share your findings.
    Regards
    Milos
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
      Home Server = GSERVER2
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
    Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Connectivity
             ......................... GSERVER2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Advertising
             ......................... GSERVER2 passed test Advertising
          Starting test: FrsEvent
             ......................... GSERVER2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... GSERVER2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... GSERVER2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... GSERVER2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... GSERVER2 passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... GSERVER2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... GSERVER2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... GSERVER2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... GSERVER2 passed test
             ObjectsReplicated
          Starting test: Replications
             ......................... GSERVER2 passed test Replications
          Starting test: RidManager
             ......................... GSERVER2 passed test RidManager
          Starting test: Services
             ......................... GSERVER2 passed test Services
          Starting test: SystemLog
             ......................... GSERVER2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... GSERVER2 passed test VerifyReferences  
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : GS2
          Starting test: CheckSDRefDom
             ......................... GS2 passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... GS2 passed test CrossRefValidation  
       Running enterprise tests on : GS2.intra
          Starting test: LocatorCheck
             ......................... GS2.intra passed test LocatorCheck
          Starting test: Intersite
             ......................... GS2.intra passed test Intersite
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    *** gserver2.g2.intra can't find g2: Non-existent domain
    > gserver2
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    g2.intra
            primary name server = gserver2.g2.intra
            responsible mail addr = hostmaster.g2.intra
            serial  = 443
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    > wikipedia.org
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    Non-authoritative answer:
    wikipedia.org   MX preference = 10, mail exchanger = polonium.wikimedia.org
    wikipedia.org   MX preference = 50, mail exchanger = lead.wikimedia.org
    polonium.wikimedia.org  internet address = 208.80.154.90
    polonium.wikimedia.org  AAAA IPv6 address = 2620:0:861:3:208:80:154:90
    lead.wikimedia.org      internet address = 208.80.154.89
    lead.wikimedia.org      AAAA IPv6 address = 2620:0:861:3:208:80:154:89
    Final benchmark results, sorted by nameserver performance:
     (average cached name retrieval speed, fastest to slowest)
      192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,003 | 0,001 | 100,0 |
      + Uncached Name | 0,027 | 0,076 | 0,298 | 0,069 | 100,0 |
      + DotCom Lookup | 0,041 | 0,048 | 0,079 | 0,009 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,025 | 0,000 | 100,0 |
      - Uncached Name | 0,025 | 0,071 | 0,274 | 0,065 | 100,0 |
      - DotCom Lookup | 0,039 | 0,040 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,026 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,072 | 0,299 | 0,066 | 100,0 |
      - DotCom Lookup | 0,039 | 0,042 | 0,049 | 0,003 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,040 | 0,079 | 0,011 | 100,0 |
      - Uncached Name | 0,042 | 0,113 | 0,482 | 0,097 | 100,0 |
      - DotCom Lookup | 0,049 | 0,079 | 0,192 | 0,039 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:33:12 to 14:33:29, for 00:17,648
    15:40
      192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,004 | 0,000 | 100,0 |
      + Uncached Name | 0,025 | 0,074 | 0,266 | 0,063 | 100,0 |
      + DotCom Lookup | 0,042 | 0,048 | 0,075 | 0,007 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,024 | 0,073 | 0,289 | 0,067 | 100,0 |
      - DotCom Lookup | 0,039 | 0,041 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,073 | 0,286 | 0,065 | 100,0 |
      - DotCom Lookup | 0,041 | 0,066 | 0,180 | 0,037 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,038 | 0,077 | 0,009 | 100,0 |
      - Uncached Name | 0,042 | 0,105 | 0,398 | 0,091 | 100,0 |
      - DotCom Lookup | 0,049 | 0,066 | 0,141 | 0,025 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:39:59 to 14:40:12, for 00:13,363
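    As an added example (not code from this thread or from any of the tools named in it), a standard-library-only Python probe that times answers from a resolver with the same 3-second timeout the forwarders above are set to, and parses each reply instead of trusting any UDP packet that arrives: the transaction ID must match the query, which is also the check a resolver uses to drop stale or unsolicited answers. The sample reply is constructed from the polonium.wikimedia.org A record in the nslookup output above (its TTL of 300 s is made up); the resolver addresses in the demo are the four from the benchmark.

```python
import random, socket, struct, time

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, qid=None):
    """Build a recursive (RD=1) query for name; qtype 1 = A. Returns (id, bytes)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)      # id, flags, qd=1
    labels = [part.encode() for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return qid, header + qname + struct.pack("!HH", qtype, 1)     # class IN

def _read_name(msg, off):
    """Decode a possibly compressed name at off; returns (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # two-byte compression pointer
            if not jumped:
                end = off + 2                      # resume after the first pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def parse_response(msg, expect_id):
    """Parse the header and answer section; rejects a mismatched transaction id."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expect_id:
        raise ValueError("transaction id mismatch: not the reply to our query")
    off = 12
    for _ in range(qdcount):                       # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                             # A
            value = socket.inet_ntoa(rdata)
        elif rtype == 28:                          # AAAA
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 5, 12):                  # NS, CNAME, PTR carry a name
            value, _ = _read_name(msg, off)
        else:
            value = rdata.hex()
        answers.append((name, rtype, value, ttl))
        off += rdlen
    return {"status": RCODE_NAMES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
            "truncated": bool(flags & 0x0200), "answers": answers}

def summarize(resolver, times, failures):
    """Min/avg/max seconds and a reliability percentage, like the benchmark table."""
    total = len(times) + failures
    return {"resolver": resolver,
            "min": min(times) if times else None,
            "avg": sum(times) / len(times) if times else None,
            "max": max(times) if times else None,
            "reliability": 100.0 * len(times) / total if total else 0.0}

def probe(resolver, name, count=5, timeout=3.0):
    """Query resolver count times over UDP; 3 s matches the forwarder timeout above."""
    times, failures = [], 0
    for _ in range(count):
        qid, query = build_query(name)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            started = time.monotonic()
            try:
                sock.sendto(query, (resolver, 53))
                reply = parse_response(sock.recv(4096), qid)
                if reply["status"] == "SERVFAIL":  # an answer, but not a usable one
                    failures += 1
                else:
                    times.append(time.monotonic() - started)
            except (OSError, ValueError):          # timeout, unreachable, wrong id
                failures += 1
    return summarize(resolver, times, failures)

# Constructed sample reply: the A record for polonium.wikimedia.org from the
# nslookup output above, with a made-up TTL of 300 s, as a resolver encodes it.
SAMPLE_ID, SAMPLE_QUERY = build_query("polonium.wikimedia.org", qid=0x1234)
SAMPLE_REPLY = (struct.pack("!HHHHHH", SAMPLE_ID, 0x8180, 1, 1, 0, 0)
                + SAMPLE_QUERY[12:]                # echoed question section
                + b"\xc0\x0c"                      # owner: pointer to offset 12
                + struct.pack("!HHIH", 1, 1, 300, 4)
                + socket.inet_aton("208.80.154.90"))

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY, SAMPLE_ID))
    for server in ("192.168.240.6", "195.186.4.162", "195.186.1.162", "8.8.8.8"):
        print(probe(server, "wikipedia.org"))      # the resolvers from the benchmark
```

    Running it against the DC and each forwarder separately shows whether a slow answer comes from the forwarder or from the DC's own handling of the query, which is the split the benchmark output above leaves open.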

  • Problems with local DNS after 10.6.8

    Have a Snow Leopard server that's been running quite well. After (I think) the 10.6.8 update, I've encountered a really weird error regarding DNS: the internal DNS doesn't recognize the top level DNS domain (companyname.net), so internally we can't see the site. Externally though, it's fine. Additionally, after about an hour or so, the local DNS entries seem to just stop working and it *seems* to crash, even though Open Directory still works fine, as do the external mail IPs and website.
    My DNS/web aliases have been working great for years now and are set up as the following.
    10.6.8 Server: macpro.companyname.net
    DNS zone: companyname.net
    companyname.net alias to macpro.companyname.net.
    www alias to macpro.companyname.net.
    Web Admin is set up as the following:
    Hostname: companyname.net
    Web server aliases: companyname.net, www.companyname.net
    Everything had been working fine until the 10.6.8 update. The website would redirect both companyname.net and www.companyname.net to companyname.net. Users on the local LAN see the local IP, externally see the external public IP.
    But now, it's as if the DNS record for companyname.net LOCALLY doesn't exist. I can't ping it at all from local machines. I'm not sure what the deal is, and I also can't figure out where to look in the logs for assistance. I see entries that suggest there's some sort of rebooting going on, but again, I'm not sure why. Any help would be greatly appreciated! I've restarted, done tons of cache reloads, deleted and re-added entries, but as of now, still nothing.
    27-Jul-2011 13:56:44.265 received control channel command 'freeze'
    27-Jul-2011 13:56:44.282 freezing all zones: success
    27-Jul-2011 13:56:44.360 received control channel command 'reload'
    27-Jul-2011 13:56:44.360 loading configuration from '/private/etc/named.conf'
    27-Jul-2011 13:56:44.360 using default UDP/IPv4 port range: [49152, 65535]
    27-Jul-2011 13:56:44.360 using default UDP/IPv6 port range: [49152, 65535]
    27-Jul-2011 13:56:44.390 reloading configuration succeeded
    27-Jul-2011 13:56:44.390 reloading zones succeeded
    27-Jul-2011 13:56:44.390 zone 1.0.10.in-addr.arpa/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2011072701
    27-Jul-2011 13:56:44.390 zone companyname.net/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2011072710
    27-Jul-2011 13:56:44.394 received control channel command 'thaw'
    27-Jul-2011 13:56:44.395 thawing all zones: success
    27-Jul-2011 13:56:44.395 zone 1.0.10.in-addr.arpa/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2011072701
    27-Jul-2011 13:56:44.395 zone companyname.net/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2011072710
    27-Jul-2011 14:10:30.754 received SIGHUP signal to reload zones
    27-Jul-2011 14:10:30.754 loading configuration from '/private/etc/named.conf'
    27-Jul-2011 14:10:30.755 using default UDP/IPv4 port range: [49152, 65535]
    27-Jul-2011 14:10:30.755 using default UDP/IPv6 port range: [49152, 65535]
    27-Jul-2011 14:10:30.756 no longer listening on 192.168.233.1#53
    27-Jul-2011 14:10:30.885 reloading configuration succeeded
    27-Jul-2011 14:10:30.885 reloading zones succeeded

    Here's the zone file.
    $TTL 10800
    example.net. IN SOA macpro.example.net. canderson.example.net (
               2011072714          ;Serial
               20864               ;Refresh
               3600                ;Retry
               14976               ;Expire
               345600 )            ;Negative caching TTL
    example.net. IN  NS macpro.example.net.
    macpro IN  A 10.0.1.2
    ichat IN  CNAME macpro.example.net.
    www IN  CNAME macpro.example.net.
    wiki IN  CNAME macpro.example.net.
    mail IN  CNAME macpro.example.net.
    ftp IN  CNAME macpro.example.net.
    example.net IN  CNAME macpro.example.net.
    I have been using mostly dig, nslookup, and ping to diagnose the problem. nslookup returns identically on the server and all clients, saying:
    nslookup example.net
    Server:                    10.0.1.2
    Address:          10.0.1.2#53
    *** Can't find example.net: No answer
    "dig" also returns the same on the server and all clients, but this time actually finds something.
    dig example.net
    ; <<>> DiG 9.6.0-APPLE-P2 <<>> example.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39203
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;example.net. IN A
    ;; AUTHORITY SECTION:
    example.net. 10800 IN SOA macpro.example.net. canderson.example.net.example.net. 2011072714 20864 3600 14976 345600
    ;; Query time: 0 msec
    ;; SERVER: 10.0.1.2#53(10.0.1.2)
    ;; WHEN: Wed Jul 27 16:24:55 2011
    ;; MSG SIZE  rcvd: 104
    Lastly, I've been pinging the heck out of example.net. I've found that the server itself and Snow Leopard clients ping the correct internal address, but Lion clients (and iOS devices, oddly enough) return that it can't find the host.
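Two details in the posted output are worth checking mechanically. The dig reply is NOERROR with ANSWER: 0 and an SOA in the AUTHORITY section, which is the NODATA signature: the name exists (it has SOA and NS records) but has no A record. And the SOA in that reply names the contact as canderson.example.net.example.net., because in a BIND master file a name without a trailing dot is relative to the current origin (RFC 1035 section 5.1); the last line of the posted zone, `example.net IN CNAME ...`, is written the same way. The script below is an added example, not code from the original post or from Apple's Server Admin; it expands a zone file the way a master-file parser does and reports apex records that would produce exactly this "No answer" result. The zone text is a constructed copy of the posted records with the SOA's closing parenthesis restored, and the function names are my own.

```python
"""Expand a BIND-style master file into fully qualified records and flag the
apex mistakes that make a zone name resolve to NOERROR/ANSWER:0 (NODATA).
Added example; not part of the original post."""
import re
from collections import defaultdict

# Constructed sample: the records from the posted zone file (origin example.net.),
# with the SOA's closing parenthesis restored so the file parses.
ZONE_TEXT = """\
$TTL 10800
example.net. IN SOA macpro.example.net. canderson.example.net (
           2011072714          ;Serial
           20864               ;Refresh
           3600                ;Retry
           14976               ;Expire
           345600 )            ;Negative caching TTL
example.net. IN  NS macpro.example.net.
macpro IN  A 10.0.1.2
ichat IN  CNAME macpro.example.net.
www IN  CNAME macpro.example.net.
wiki IN  CNAME macpro.example.net.
mail IN  CNAME macpro.example.net.
ftp IN  CNAME macpro.example.net.
example.net IN  CNAME macpro.example.net.
"""


def qualify(name, origin):
    """Master-file rule (RFC 1035 s5.1): a name with no trailing dot is
    relative to the current origin, and '@' stands for the origin itself."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return [(owner, type, rdata_tokens)] with every domain name qualified.
    Handles $ORIGIN/$TTL, ';' comments and parenthesised multi-line rdata."""
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).rstrip()          # drop comments
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:                                   # logical line complete
            logical.append(" ".join(buf))
            buf = []
    if depth:
        raise ValueError("unbalanced parentheses in zone file")

    records, last_owner = [], origin
    for line in logical:
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        # A line that starts with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        last_owner = owner
        # Skip the optional TTL and class fields that precede the type.
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        # Domain names inside rdata are relative to the origin as well.
        if rtype in ("NS", "CNAME", "PTR", "MX"):
            tokens = [t if t.isdigit() else qualify(t, origin) for t in tokens]
        elif rtype == "SOA":
            tokens[:2] = [qualify(t, origin) for t in tokens[:2]]   # MNAME, RNAME
        records.append((owner, rtype, tokens))
    return records


def audit(records, origin):
    """Flag: no address record at the apex (NODATA for the zone name), CNAME
    coexisting with other data, and names that picked up the origin twice."""
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    doubled = origin[:-1] + "." + origin                 # e.g. example.net.example.net.
    types_by_owner, findings = defaultdict(set), []
    for owner, rtype, rdata in records:
        types_by_owner[owner].add(rtype)
        for name in [owner] + [t for t in rdata if t.endswith(".")]:
            if name == doubled or name.endswith("." + doubled):
                findings.append(f"{rtype} record: '{name}' has the origin appended twice "
                                "(missing trailing dot in the zone file)")
    if not types_by_owner[origin] & {"A", "AAAA"}:
        findings.append(f"apex {origin} has no A/AAAA record: lookups return NODATA")
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            findings.append(f"{owner} mixes CNAME with {sorted(types - {'CNAME'})}")
    return findings


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT, "example.net.")
    for owner, rtype, rdata in recs:
        print(f"{owner:34} {rtype:6} {' '.join(rdata)}")
    for finding in audit(recs, "example.net."):
        print("!!", finding)
```

Against the live server the same two facts can be confirmed with `dig @10.0.1.2 example.net. A` (expect ANSWER: 0) and `dig @10.0.1.2 example.net.example.net. CNAME` (expect the CNAME that was meant for the apex). A CNAME cannot be used at the apex anyway, since the name already carries SOA and NS records, so the apex needs its own A record (for example `example.net. IN A 10.0.1.2` or `@ IN A 10.0.1.2`) and the SOA contact needs its trailing dot.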

  • DNS Configured-Best Practice on Snow Leopard Server?

    How many of you configure and run DNS on your Snow Leopard server as a best practice, even if that server is not the primary DNS server on the network, and you are not using Open Directory? Is configuring DNS a best practice if your server has a FQDN name? Does it run better?
    I had an Apple engineer once tell me (this is back in the Tiger Server days) that the servers just run better when DNS is configured correctly, even if all you are doing is file sharing. Is there some truth to that?
    I'd like to hear from you either way, whether you're an advocate for configuring DNS in such an environment, or if you're not.
    Thanks.

    OK, local DNS services (unicast DNS) are typically straightforward to set up, very useful to have, and can be necessary for various modern network services, so I'm unsure why this is even particularly an open question. Which leads me to wonder what other factors might be under consideration here, or what I'm missing.
    The Bonjour mDNS stuff is certainly very nice, too.  But not everything around supports Bonjour, unfortunately.
    As for being authoritative, the self-hosted out-of-the-box DNS server is authoritative for its own zone.  That's how DNS works for this stuff.
    And as for querying other DNS servers from that local DNS server (or, if you decide to reconfigure it and deploy and start using DNS services on your LAN), then that's how DNS servers work.
    And yes, the caching of DNS responses both within the DNS clients and within the local DNS server is typical. This also means that there is no need for references to the ISP's or other DNS servers on your LAN for frequent translations; no other caching servers and no other forwarding servers are required.
