
charlieatlantic

macrumors newbie
Original poster
Oct 4, 2009
4
0
Hello there,

I wonder if someone can help me out. I'm slightly tearing my hair out.

I seem not to be able to get DNS to work correctly on OSX Server 10.6 (and I had the exact same problem on 10.5 within the same network). I am running Server 10.6 on an XServe. Both DNS and DHCP are enabled. The XServe has a static IP address of 192.168.0.2. The network's Netgear router, with internet connection, has a static IP of 192.168.0.1. The rest of the IP addresses are dished out by DHCP on the XServe. This works correctly; any client machine in the network picks up its IP address from the DHCP server, and all the network information is correctly populated. Client machines thus have their IP address, default gateway, router and DNS information correctly provided by the DHCP server on the XServe.

From each client machine it looks like this:

IP: 192.168.0.x
Default Gateway: 255.255.255.0
DNS: 192.168.0.2
Router: 192.168.0.1

The XServe is the DNS server at 192.168.0.2. As I say, each client machine is aware of this. There are no other DNS servers on the network. The information configured in the DNS settings on the XServe is as follows [obviously I've replaced the real names for security reasons]:

I have a Primary Zone - charlieatlantic.lan

The XServe is called 'server'. I have thus set a DNS record for 'server' within that Primary Zone so that it points to 192.168.0.2

This automatically set up the reverse DNS, so that:

server.charlieatlantic.lan points to 192.168.0.2

If I open terminal, and type 'ping server.charlieatlantic.com', it resolves correctly to 192.168.0.2 and the pings return as they should.

Then I have set up the DNS forwarders with the two DNS server addresses which were provided by the ISP. (btw I know these work correctly, as if I enter either of them (rather than the server at 192.168.0.2) as the DNS server address on any client machine they will resolve, for example, http://www.google.com, and I have internet access.)

From what I can gather, and from all the setup guides I've looked at, I'm not doing anything wrong. However, I have two problems:

1) Unreliability: if I ping server.charlieatlantic.lan either on the server, or on any client machine connected to the same network (and thus taking its information from the DHCP), I only intermittently have it resolve to 192.168.0.2. Sometimes it works, sometimes it does not.

2) No internet domain name will resolve from either the XServe or any client machine. Both have their DNS servers set to the XServe 192.168.0.2

It seems that the DNS forwarder addresses are not working correctly in DNS. I really want the XServe to be the sole DNS provider, and for the external DNS servers I have listed in the forwarder box to deal with anything for which the XServe is not authoritative. In other words, I want each client machine to have only 192.168.0.2 as its DNS server and to send, say, google.com to that machine which then sends that request out to the external DNS servers provided by my ISP.

I know that I can tell DHCP to dish out more than one DNS server, and perhaps have all three listed. This, though, in my experience is unreliable and messy.

Finally, not sure if this is relevant, but the hardware configuration is that each device is connected to a switch. So the router, XServe, and each client machine are connected in directly to a switch.

Any ideas where I should start troubleshooting?

Thanks!

charlie
 

DHagan4755

macrumors 68020
Jul 18, 2002
2,266
6,148
Massachusetts
Have you typed

nslookup charlieatlantic.lan

or

nslookup 192.168.0.2

You can also try:

dig -x 192.168.0.2

or dig charlieatlantic.lan

You should see NOERROR on both of those commands. If you see NXDOMAIN then the DNS is misconfigured. By the way, ping will only let your computer know that there's a device on the network responding to that IP address, not that its forward and reverse lookup is working correctly.
 

charlieatlantic

macrumors newbie
Original poster
Oct 4, 2009
4
0
Hi there,

Thank you for the response. Here is what I found when I followed your instructions. I'd appreciate some help deciphering it! (Incidentally, I can access the server from a client machine using the server.charlieatlantic.lan address in the 'Server Admin' tool. Not entirely sure if that is relevant, but thought I'd add it in.)

Results of what you kindly suggested.

nslookup charlieatlantic.lan

server:~ root# server:~ root# nslookup charlieatlantic.lan
-sh: server:~: command not found
server:~ root# ;; Got recursion not available from 192.168.0.2, trying next server
-sh: syntax error near unexpected token `;;'
server:~ root# ;; Got recursion not available from 192.168.0.2, trying next server
-sh: syntax error near unexpected token `;;'
server:~ root# Server:
.Trash/ .sh_history Documents/ Library/
.forward Desktop/ Downloads/
server:~ root# Server:192.168.0.1
-sh: Server:192.168.0.1: command not found
server:~ root# Address:192.168.0.1#53
-sh: Address:192.168.0.1#53: command not found
server:~ root#
server:~ root# ** server can't find charlieatlantic.lan: NXDOMAIN

nslookup 192.168.0.2

server:~ root# nslookup 192.168.0.2
;; Got recursion not available from 192.168.0.2, trying next server
;; Got recursion not available from 192.168.0.2, trying next server
Server: 192.168.0.1
Address: 192.168.0.1#53

** server can't find 2.0.168.192.in-addr.arpa.: NXDOMAIN

dig -x 192.168.0.2

server:~ root# dig -x 192.168.0.2

; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 192.168.0.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49785
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;2.0.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
2.0.168.192.in-addr.arpa. 10800 IN PTR server.charlieatlantic.lan.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 10800 IN NS server.local.

;; Query time: 0 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sun Oct 4 17:33:51 2009
;; MSG SIZE rcvd: 105

dig charlieatlantic.lan

server:~ root# dig charlieatlantic.lan

; <<>> DiG 9.6.0-APPLE-P2 <<>> charlieatlantic.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22520
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;charlieatlantic.lan. IN A

;; AUTHORITY SECTION:
charlieatlantic.lan. 3600 IN SOA server.charlieatlantic.lan. admin.charlieatlantic.lan. 2009100312 86400 3600 604800 3600

;; Query time: 0 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sun Oct 4 17:34:42 2009
;; MSG SIZE rcvd: 83

My existing DNS entries

Here is what I have in DNS, verbatim. In ZONES:

Name Type Value
0.168.192.in-addr.arpa. Reverse Zone -
192.168.0.2 Reverse Mapping server.charlieatlantic.com
charlieatlantic.lan Primary Zone -
server Machine 192.168.0.2

and in SETTINGS:

Accept recursive queries from the following networks:
none

Forwarder IP Addresses:
158.152.1.58
158.152.1.43
192.168.0.1

-

Pings

Finally, just to show you what I get if I ping..

server:~ root# ping server.charlieatlantic.lan
PING server.charlieatlantic.lan (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=0.033 ms

server:~ root# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=0.038 ms

-

Thanks for your help!

charlie
 

DHagan4755

macrumors 68020
Jul 18, 2002
2,266
6,148
Massachusetts
Pings are absolutely irrelevant for this problem.

Remove the forwarder IPs. Save. Make sure the only DNS entry that your clients are getting from the server's DHCP scope is that of your DNS server (192.168.0.2). Make sure your DNS server only has its own address as DNS.
 

charlieatlantic

macrumors newbie
Original poster
Oct 4, 2009
4
0
Thanks for your continued help.

Until tomorrow I only have remote access. Having done this, what would my next move be? The internet connection will obviously disappear when I do this; it is only there currently because the DHCP server has the external DNS servers listed as well as 192.168.0.2, and I have configured the XServe to point to the external DNS servers in addition to itself. With the XServe as sole DNS provider for both itself and the clients, how should I grant the server and clients internet access?

Sorry to jump ahead, but I fear if I do this I'll lose the remote (internet contingent) access and thus not be able to effect the next step!

charlie
 

belvdr

macrumors 603
Aug 15, 2005
5,945
1,372
OpenDNS

Free, and has walk through guides to help you set it up.

Which does nothing to assist in getting users to resolve using the internal DNS server(s). He might as well point at his ISP's DNS servers.

OP, your configuration is messed up:

;; QUESTION SECTION:
;2.0.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
2.0.168.192.in-addr.arpa. 10800 IN PTR server.charlieatlantic.lan.

==============================================================================
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 10800 IN NS server.local.
==============================================================================

;; QUESTION SECTION:
;charlieatlantic.lan. IN A

;; AUTHORITY SECTION:
charlieatlantic.lan. 3600 IN SOA server.charlieatlantic.lan. admin.charlieatlantic.lan. 2009100312 86400 3600 604800 3600

==============================================================================
Name Type Value
0.168.192.in-addr.arpa. Reverse Zone -
192.168.0.2 Reverse Mapping server.charlieatlantic.com
charlieatlantic.lan Primary Zone -
server Machine 192.168.0.2
==============================================================================

You have server.charlieatlantic.com as the PTR record and server.local as the nameserver. Get the records straight, so that:

For both zones (charlieatlantic.net and 0.168.192.in-addr.arpa):

SOA = server.charlieatlantic.net
NS = server.charlieatlantic.net

In zone charlieatlantic.net:
A record for server.charlieatlantic.net = 192.168.0.2

In 0.168.192.in-addr.arpa:
PTR record for 192.168.0.2 = server.charlieatlantic.net

Note, any changes require you to restart the DNS service.

You can leave the forwarders in there, and remove the ISP DNS servers from your IP configuration.
 

jim.arrows

macrumors regular
Dec 11, 2006
193
233
Turn RECURSION on

The answer is in your test results, it's telling you that recursion is requested but not available. Where the config says "Allow recursion from the following networks" instead of "None" you need to add your LAN subnet to the config; so 192.168.0.0/24 needs to be allowed.

You can also remove the 192.168.0.1 from your list of forwarders since you said 192.168.0.2 is the only DNS server on the network. You only forward to another DNS server, not to a router -- but that's not causing your problems, it's the recursion that's the issue.
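
The two findings raised in the replies above (the missing recursion flag and the nameserver record that points outside the zone) can be read mechanically from dig's text output. The following is an added example, not part of any post in this thread; the function names are hypothetical and the sample is trimmed from the dig output quoted earlier.

```python
import re

# Constructed sample: trimmed from the dig output quoted in the thread above.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49785
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
2.0.168.192.in-addr.arpa. 10800 IN PTR server.charlieatlantic.lan.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 10800 IN NS server.local.
"""

def parse_dig(text):
    """Extract status, header flags and resource records from dig text output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]+);", text)
    records = []
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # comments, section headers, blank lines
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            records.append((parts[0], parts[3], " ".join(parts[4:])))
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "records": records,
    }

def diagnose(text, zone):
    """Return a list of findings for a reply from a server expected to serve `zone`."""
    reply = parse_dig(text)
    findings = []
    if "rd" in reply["flags"] and "ra" not in reply["flags"]:
        findings.append("recursion requested but not available (no 'ra' flag)")
    if reply["status"] == "NXDOMAIN":
        findings.append("NXDOMAIN: name not found")
    suffix = "." + zone.rstrip(".") + "."
    for owner, rtype, value in reply["records"]:
        if rtype in ("NS", "PTR") and not value.endswith(suffix):
            findings.append(f"{rtype} for {owner} names {value}, outside {zone}")
    return findings
```

Calling `diagnose(SAMPLE_DIG, "charlieatlantic.lan")` reports both the refused recursion and the `server.local.` NS record; a reply carrying the `ra` flag with consistent names returns an empty list.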
 