Musings of an Apple Systems Administrator
A blog about the day-to-day tasks of a systems administrator. A how-to guide and user tell-all about OS X Server systems issues and challenges.


10.6.2 Split Horizon DNS

The DNS interface in Server Admin.app is not suitable for building a split-horizon DNS configuration. It simply doesn’t expose all of the flexibility of BIND that you need to pull off such a configuration.

If you poke around the BIND config files on your OS X Server, you’ll see how Apple has set them up so that you can edit them directly without confusing the GUI. /var/named contains zone files that you may edit, and they include corresponding files in /var/named/zones which you should not edit. They’ve done something similar for /etc/named.conf and the files in /etc/dns/.

Having said that, I recommend not hosting both the internal and the external half of a split-horizon DNS setup on your server, mainly because:

  1. It’s kind of complicated, and you lose any convenience you had when you were able to use the GUI exclusively
  2. You have NAT, which makes it even more complicated
  3. There are solutions available from third parties that are better-performing, cheap/free, and more robust

In my organization, we use DNS in Mac OS X Server extensively for the internal part of a split-horizon setup. We use the “Advanced DNS” part of a Network Solutions account for the external part. It comes free with the domains we’ve purchased, and has redundancy and speed far greater than what I could justify for hosting a handful of externally-resolving names myself.

If you do want both halves on one server, you need to reconfigure BIND to use “views” with two different versions of your zone file, such that queries from inside your network get the 192.168.1/24 (internal) addresses, while requests forwarded from outside (via your 2-Wire router) get your static public IP.


// Clients that should see the internal copy of the zone: the server itself
// and the private LAN.
acl internal {
    127.0.0.0/8;
    192.168.1.0/24;
};
 
// Views are tried in the order they appear, so the internal view must come
// before the catch-all external view.
view "internal" {
    match-clients { internal; };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/internal/db.mydomain.com";
    };
};
 
// Everyone else (including queries forwarded in from the router) gets the
// copy of the zone that only carries the public address.
view "external" {
    match-clients { any; };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/external/db.mydomain.com";
    };
};
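The two zone files behind those views are easy to get out of sync, and the failure mode that matters is a private address ending up in the external copy. The following check is an added example (not from the original post or OS X Server) that parses the A records of both copies and flags non-routable addresses the external view would serve, plus names published externally but missing internally; the zone contents, names and addresses are constructed samples.

```python
"""Consistency check for the two zone files behind a split-horizon BIND setup: flags
non-routable addresses the external view would serve and names missing from the internal copy."""
import ipaddress
import re

# Constructed sample zones, one per view (names and addresses are made up).
INTERNAL_ZONE = """\
$ORIGIN mydomain.com.
ns1   IN A   192.168.1.2
mail  IN A   192.168.1.10
www   IN A   192.168.1.10
wiki  IN A   192.168.1.20   ; internal-only host, deliberately not published
"""
EXTERNAL_ZONE = """\
$ORIGIN mydomain.com.
ns1   IN A   203.0.113.5
mail  IN A   203.0.113.5
www   IN A   192.168.1.10   ; copy/paste mistake: private address in the external copy
vpn   IN A   203.0.113.6    ; published externally, forgotten in the internal copy
"""
# Owner, optional TTL, optional class, A, dotted quad; blank-owner continuation lines are not handled.
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})$", re.I)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_a_records(zone_text):
    """Return {fqdn: set(addresses)} for the A records of a simple zone file."""
    origin, records = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        m = A_RECORD.match(line)
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]                   # keeps its trailing dot
        elif m:
            name = m.group(1)
            fqdn = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
            records.setdefault(fqdn, set()).add(m.group(2))
    return records

def check_split_horizon(internal_text, external_text):
    """Return sorted findings; an empty list means the two copies look consistent."""
    internal, external = parse_a_records(internal_text), parse_a_records(external_text)
    findings = []
    for name, addrs in external.items():
        if name not in internal:
            findings.append(f"MISSING {name} is published externally but absent from the internal copy")
        for addr in addrs:
            if any(ipaddress.ip_address(addr) in n for n in NON_ROUTABLE):
                findings.append(f"LEAK {name} -> {addr} is non-routable but served by the external view")
    return sorted(findings)
```

Run it against the real files before reloading named; a MISSING finding means internal clients would get NXDOMAIN for a name that outsiders can resolve, and a LEAK means the external view is advertising your LAN layout.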

For more information, see this How To, which gives more detailed instructions for a split-horizon DNS configuration.
