Musings of an Apple Systems Administrator
A blog about the day to day tasks of a systems administrator. A how to guide and user tell all about OSX Server systems issues and challenges.

Spotlight

Blogroll
Recent Comments
  • Brian: Another trick to avoid needing root.. if you are having trouble editing “locked” files, instead of...
  • Brian: I believe that one of your steps is backwards. At least it worked when i did the opposite of what you said....
  • max: I tried this walkthrough but must have gone wrong somewhere, how do I return to the defaults so I can try again,...
  • daniel: thank you!
  • Lewis: Thanks for the reviews. I’ve been holding off on upgrading to Lion Server because we have to deal with...
Archives
Categories
Sponsors
10.6.2 Split Horizon DNS
0

The DNS interface in Server Admin.app is not suitable for doing a split-horizon DNS configuration. It simply doesn’t expose all of the flexibility of bind that you need to pull off such a configuration.

If you poke around the bind config files on your OS X Server, you’ll be able to see how apple has set them up so that you can edit them directly without confusing the GUI. /var/named contains zone files that you may edit, and they include corresponding files in /var/named/zones which you should not edit. They’ve done something similar for /etc/named.conf and the files in /etc/dns/.

Having said that, I recommend not doing both internal and external resolving for split-horizon DNS on your server, mainly because:

  1. It’s kind of complicated, and you lose any convenience you had when you were able to use the GUI exclusively
  2. You have NAT, which makes it even more complicated
  3. There are solutions available from third parties that are better-performing, cheap/free, and more robust

In my organization, we use DNS in Mac OS X Server extensively for the internal part of a split-horizon setup. We use the “Advanced DNS” part of a network solutions account for the external part. It comes free with the domains we’ve purchased, and has redundancy and speed far greater than what I could justify for hosting a handful or externally-resolving names myself.

You need to reconfigure BIND to use “views” with two different versions of your zone file, such that access from inside your network gives the 192.168.1/24 (internal) addresses, but requests forwarded from outside (via your 2-Wire router) give out your static public IP.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

acl internal {
    127.0.0.0/8;
    192.168.1.0/24;
};
 
view "internal" {
    match-clients { internal; };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/internal/db.mydomain.com";
     };
};
 
view "external" {
    match-clients { any; };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/external/db.mydomain.com";
    };
};

For more information check this out it is a How To with more detailed instructions for Split Horizon DNS configuration.

| More

Do you need system administration assistance? If you like what you are reading please consider subscribing to the RSS feed for comments on this post. If you have feedback you can leave a response, or trackback from your own site.
leave a comment
leave a comment
Leave a comment

1 + 7
You may add code snippets to your comments by using this format
<pre lang="php" line="1"></pre> replace "php" with your codebase .

* A Required Field