DNS is an integral service to most modern networks. The Domain Name System, or DNS is comprised of hierarchical and decentralized Domain Name Servers, or DNS Servers. This is how we connect to computers and the websites that reside on computers by their names, rather than having to memorize the IP addresses of every single computer out there. So you get to type krypted.com and come to my website instead of typing the IP address. Or more likely, Facebook.com, but just because my website is older, I’m not mad about that. No really…

So you have a macOS Server and you need to take your DNS records out of it and move them to another solution. Luckily, DNS on any operating system is one of the easiest to manage. So let’s start by dumping all of our DNS records:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list

ACLs:
    com.apple.ServerAdmin.DNS.public
Options:
    directory: /Library/Server/named
    allow-recursion: com.apple.ServerAdmin.DNS.public 
    allow-transfer: none 
    forwarders: 8.8.8.8 4.4.4.4 
Views:
    com.apple.ServerAdmin.DNS.public
        Zones:
            test.com
                Options:
                    allow-transfer: none 
                    allow-update: none 
                Resource Recs:
                        testalias.test.com (CNAME)
                        test.com (SOA)
                        test.com (NS)
                        test.com (MX)
                        test.test.com (A)
                Resource Recs:
                    no resource recs
            0.0.127.in-addr.arpa
                Options:
                    allow-update: none 
                Resource Recs:
                        0.0.127.in-addr.arpa (SOA)
                        0.0.127.in-addr.arpa (NS)
                        1.0.0.127.in-addr.arpa (PTR)
            0.0.10.in-addr.arpa
                Options:
                    allow-transfer: none 
                    allow-update: none 
                Resource Recs:
                        1.0.0.10.in-addr.arpa (PTR)
                        0.0.10.in-addr.arpa (SOA)
                        0.0.10.in-addr.arpa (NS)

Now that we have our records, let’s think of how to use them in the new server. In the above example, we list test.com as a zone. And in that zone we have an A record for test.test.com and a CNAME for testalias.test.com that points to test.test.com – but we don’t know where test.test.com resolves to. Each of those domains has a corresponding file that starts with db. followed by the name of the domain in the /Library/Server/named directory. So we can cat the test.com file as follows:

cat /Library/Server/named/db.test.com

test.com.       10800 IN SOA test.com. admin.test.com. (
2018033001
3600
900
1209600
86400)
     10800 IN NS test.test.com.
     10800 IN MX 0 test.test.com.
test.test.com.       10800 IN A 10.0.0.1
testalias.test.com.       10800 IN CNAME test.test.com.

Now we know the IP address that each record points to and can start building them out in other systems. If you only have 5-20 records, this is pretty quick and easy. If you have hundreds, then you’re in luck, as those db files per domain are portable between hosts. Some of the settings to look out for from macOS Server include:
  • Primary Zone: The DNS “Domain”. For example, www.krypted.com would likely have a primary zone of krypted.com.
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.
The settings for the domains are as follows:
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g. 10.1.1.1
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Now, let’s get to setting up the new server. We’ll open the Synology and then click on Package Center. Then we’ll click All in the sidebar and search for DNS, as you can see below.

Click Install and the service will be installed on your NAS. Once installed, use the menu item in the upper left corner of the screen to bring up DNS Manager. Here, you can create your first zone. We’ll recreate test.com. To get started, click on Create and then Master Zone.

At the Master Zone screen, select Forward Zone if you’re creating a zone with a name or Reverse Zone if you’re creating a zone for IP addresses to resolve back to names (or PTR records). Since test.com is a name, we’ll select Forward Zone and then enter test.com in the “Domain name” field. Enter the IP address of the NAS in the “Master DNS server” field and leave the serial format as-is unless you have a good reason not to.

There are some options to secure connectivity to the service as well: 
  • Limit zone transfer: Restrict this option only to slave servers for each zone.
  • Limit source IP service: Restrict this option only to hosts that should be able to lookup records for the zone (which is usually everyone so this isn’t often used).
  • Enable slave zone notification: Identify all the slave servers so they get a notification about changes to zone files and can update their files based on those on the server.
  • Limit zone update: Only specify other servers that are allowed to update the zone files on your server.
Click OK when you’ve configured the zone as you’d like.

Double-click the zone to load a list of records and create new ones. 

Click Create to see a list of record types:

Record types include the following:
  • A Type: Resolve a name to an IPv4 address
  • AAAA Type: Resolve a name to an IPv6 address
  • CNAME: Resolve a name to a name
  • MX: Define the mail server for a domain
  • NS: Define DNS servers for a domain
  • SPF: Define what mail servers are allowed to send mail from a domain
  • SRV: Service records (e.g. the Active Directory or Exchange server for a domain)
  • TXT: Text records
  • CAA: Define the Certificate Authorities (CAs) for a domain
Click A Type to create that test.test.com record.

At the record screen, provide the hostname, along with the IP address that the name should resolve to. Notice that the TTL is a number of seconds. This is how many seconds before another DNS server expires their record. So when they cache them, they aren’t looking the records up against your server every time a client needs to resolve the address. I like the number provided, but when I’m about to move a service I’ll usually come back and reduce that a few days before the move. The nice thing about a high number of seconds before the next refresh though, is it can save on your bandwidth and on the bandwidth of the servers looking to yours to refresh their records. Once you’ve configured the record, click OK.

Click on Create and then CNAME. Enter the name that you’re pointing to another record (in this case CNAMEtest) in the Name: field and then the name that it’s pointing to (in this case test.test.com) in the Cononical Name: field. Click OK.

Now let’s get that MX record created. Click Create and select MX. Enter the name of the server you want to get mail (in this case test.test.com will be our mail server. Then provide a TTL (I usually use lower numbers for mail servers), the priority (if this is the only server I usually use 0 but if there’s a backup then I’ll use a number like 20), and finally the name of the domain. Click OK.

 
You’ll you can see all of your records. I know that Apple was always tinkering with the Server app to make DNS records display differently, trying to hide the complexity. But to be honest, I always considered this type of view (which is standard amongst most network appliances) to be much more logical. That might be because I’m just used to looking at db files back in the pre-GUI days. But it makes sense to me. 

Notice in the sidebar, you have an option for Resolution. This is if the server is going to be used to resolve addresses upstream. What are those upstream servers. This is where you configure them. Don’t enable this option if the DNS server is only used by external clients to resolve names hosted on the server. Do use this if there will be clients on your network attempting to resolve against your server.

Use the Views option to configure bind views. We’ll cover this at some point, but since this article is getting a bit long, let’s just say that this is where you configure different zone files for different subnets based on the source of the subnet. Useful if you want to use the same DNS server to host external and internal addressing, and you want the internals to point to LAN addresses and the externals to point to WAN addresses.

Finally, if this DNS server will be providing services to external hosts, then point port 53 to the new server and set the name server record to the IP address on the WAN with the registrar.

The changes in the Server app are pretty minimal in the macOS Server 5.4 version that we’re now looking at. All of the options from previous versions are still there and the dnsconfig command line interface for managing the service are basically unchanged. The DNS service in macOS Server, as with previous versions, is based on bind 9 (BIND 9.9.7-P3 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, macOS, Linux and even Zoe-R. The first time you open the DNS Service click on the DNS service in the ADVANCED section of the list of SERVICES.
 
Then, click on the cog wheel icon below the list of records and click on Show All Records.
 
At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter a Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records.

 

Click the plus sign to enter the IP address of any necessary Forwarders. Enter the IP address of any Forwarding servers, then click OK to save your changes.

 

Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure what computers the DNS server you are setting up can use the DNS service that the server is hosting.


At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.

Managing Records

All you have to do to start the DNS is click on the ON button (if it\u2019s not already started, that is). There\u2019s a chance that you won\u2019t want all of the records that are by default entered into the service. But leave it for now, until we\u2019ve covered what everything is. To list the various types of records:

","engine":"visual"}” data-block-type=”2″>
All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. Next, click on the cog wheel icon below the records list, and you’ll see a list of all the records and record types that are currently running on the server.

To list the various types of records:

Then, when you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.
 

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes).
“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” — http://krypted.com/mac-os-x/dont-go-near-there-sponsored-top-level-domain-names/

Note: The above screen has the domain in the zone field and the name of a record, such as www for the zone called, for example, krypted.lan.

Click Done to commit the changes or create the new record. Next, let’s create a MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.


Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypton.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.


At the zone screen, enter the name of the domain you’re setting up (e.g. krypted.com, also known as the zone), check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.


At the New Machine Record screen, select the appropriate zone as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in the appropriate IP. Click on Done to commit the changes. Repeat the process for each host that needs an address and then click Done to create the records.

Setting Up Secondary Servers

Now let\u2019s setup a secondary server by leveraging a secondary zone running on a second computer. On the second Mountain Lion Server running on the second server, click on the plus sign for the DNS service and select Add Secondary Zone.

","engine":"visual"}” data-block-type=”2″>

Setting Up Secondary Servers

Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second macOS Server, click on the plus sign for the DNS service and select Add Secondary Zone.



Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you\u2019re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in OS X Mountain Lion Server is to do everything possible using the serveradmin command. To start the service, use the start option:

","engine":"visual"}” data-block-type=”2″> At the Secondary Zone screen, enter krypted.com as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field (actually, enter your domain name, not mine). Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in macOS Server is to do everything possible using the serveradmin command for global management and dnsconfig for record and zone management. Once you start editing configuration files, the user interface can become unstable and other updates may or may not override the updates you make in those configuration files. To start the service, use the start option:

sudo serveradmin start dns
http://krypted.com/?p=45195. In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /var/named/db.krypted.xsan
http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written an article on managing DNS using this tool, available here.