krypted.com

Tiny Deathstars of Foulness

DNS is DNS. And named is named. Except in macOS Server. Sometimes. The configuration files for the DNS services in macOS Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems.

The current version of BIND is BIND 9.9.7-P3 (Extended Support Version). This has been the case for a number of macOS Server versions, and can easily be located by doing a cat of the /Library/Server/named/.version file. 

Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In macOS Server 5.2 (for Sierra), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear.

The verbs available include:
  • help: show help information
  • list: show the contents of configurations and zone files
  • add: create records and zones
  • delete: remove records and zones
To view data available in the service, use the list verb. Options available when using the list verb include:
  • –acl: show ACLs
  • –view: show BIND view data
  • –zone: show domains configured in the service
  • –rr: show resource records
  • –rrtype: show types of resource records
For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan

The output would show you information about the listed zone, usually including View data:

Views: com.apple.ServerAdmin.DNS.public Zones: pretendco.lan Options: allow-transfer: none allow-update: none

To see a specific record, use the –rr option, followed by = and then the fqdn, so to see ecserver.pretendco.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan

By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (–view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan


Or to delete that one www record earlier, just swap the add with a delete:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g. 10.1.1.1
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Overall, this command is one of the best I’ve seen for managing DNS in a long time. It shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.

Additionally, you can manage bind in a variety of other ways. There are global settings exposed with the bind -v command:

bind -v


Which returns something similar to the following:

set bind-tty-special-chars on
set blink-matching-paren on
set byte-oriented off
set completion-ignore-case off
set convert-meta off
set disable-completion off
set enable-keypad off
set expand-tilde off
set history-preserve-point off
set horizontal-scroll-mode off
set input-meta on
set mark-directories on
set mark-modified-lines off
set mark-symlinked-directories off
set match-hidden-files on
set meta-flag on
set output-meta on
set page-completions on
set prefer-visible-bell on
set print-completions-horizontally off
set show-all-if-ambiguous off
set show-all-if-unmodified off
set visible-stats off
set bell-style audible
set comment-begin #
set completion-query-items 100
set editing-mode emacs
set keymap emacs

September 10th, 2017

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , ,

The changes in the Server app were far more substantial in the El Capitan version (OS X Server 5) than in the macOS Server 5.2 version that we’re now looking at. All of the options from OS X are still there and the dnsconfig command line interface for managing the service are basically unchanged. The DNS service in OS X Server, as with previous versions, is based on bind 9 (BIND 9.9.7-P3 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, OS X, Linux and even Zoe-R. The first time you open the DNS Service click on the DNS service in the ADVANCED section of the list of SERVICES. screen-shot-2016-09-27-at-11-13-27-am Then, click on the cog wheel icon below the list of records and click on Show All Records. screen-shot-2016-09-27-at-11-14-02-am At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter a Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records. screen-shot-2016-09-27-at-11-16-06-am Click the plus sign to enter the IP address of any necessary Forwarders. Enter the IP address of any Forwarding servers, then click OK to save your changes. screen-shot-2016-09-27-at-11-18-24-am Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure what computers the DNS server you are setting up can use the DNS service that the server is hosting. screen-shot-2016-09-27-at-11-18-58-am

At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.

All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. To list the various types of records:
  • Primary Zone: The DNS “Domain”. For example, www.krypted.com would likely have a primary zone of krypted.com.
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.
screen-shot-2016-09-27-at-11-19-20-am

When you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.

 screen-shot-2016-09-27-at-11-19-59-am
These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes). Once changes are made, the TTL can be set for a larger number in order to reduce the amount of traffic hitting the server (DNS traffic is really light, so probably not a huge deal in most environments using a macOS Server as their DNS server). Check the box for “Allow zone transfers” if there will be other servers that use this server to lookup records. Additionally, if the zone is to be a secondary zone configured on another server, you can configure the frequency to perform zone transfers at this screen, how frequently to perform lookups when the primary name server isn’t responsive and when to stop bothering to try if the thing never actually ends up coming back online. Click on Done to commit any changes made, or to save a new record if you’re creating a new zone.
“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” — http://krypted.com/mac-os-x/dont-go-near-there-sponsored-top-level-domain-names/
Double-click on a Machine record next (or click plus to add one). Here, provide a hostname along with an IP address and indicate the Zone that the record lives in. The IP Addresses field seems to allow for multiple IPs, which is common in round robin DNS, or when one name points to multiple servers and lookups rotate amongst the servers. However, it’s worth mentioning that when I configure multiple IP addresses, the last one in the list is the only one that gets fed to clients. Therefore, for now at least, you might want to stick with one IP address per name. Screen Shot 2015-09-08 at 10.29.37 PM
Note that the above screen has the domain in the zone field and the name of a record, such as www for the zone called, for example, krypted.lan. Click Done to commit the changes or create the new record. Next, let’s create a MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records. Screen Shot 2015-09-08 at 10.31.46 PM

Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypton.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.

Screen Shot 2015-09-08 at 10.33.11 PM

At the zone screen, enter the name of the domain you’re setting up (e.g. krypted.com, also known as the zone), check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.

screen-shot-2016-09-27-at-11-21-17-am

At the New Machine Record screen, select the appropriate zone as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in the appropriate IP. Click on Done to commit the changes. Repeat the process for each host that needs an address and then click Done to create the records.

Setting Up Secondary Servers

Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second macOS Server, click on the plus sign for the DNS service and select Add Secondary Zone. screen-shot-2016-09-27-at-12-25-31-pm
At the Secondary Zone screen, enter krypted.xsan as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field. Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in macOS Server is to do everything possible using the serveradmin command for global management and dnsconfig for record and zone management. Once you start editing configuration files, the user interface can become unstable and other updates may or may not override the updates you make in those configuration files. To start the service, use the start option: sudo serveradmin start dns
To stop the service, use the stop option: sudo serveradmin stop dns
To get the status of the service, including how many zones are being hosted, the last time it was started, the status at the moment, the version of bind (9.8.1 right now) and the location of the log files, use the fullstatus option: sudo serveradmin fullstatus dns
A number of other tasks can be performed using the settings option. For example, to enable Bonjour Client Browsing, an option previously available in Server Admin, use the following command: sudo serveradmin settings dns:isBonjourClientBrowsingEnabled = yes
Subnets can be created programmatically through serveradmin as well. Let’s look at what our krypted.xsan subnet looks like, by default (replace your zone name w/ krypted.xsan to see your output): sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan
Now, let’s say we’d like to disable bonjour registration of just this zone, but leave it on for the others on the server: sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:bonjourRegistration = no
The entire block can be fed in for new zones, if you have a lot of them. Just remember to always make sure that the serial option for each zone is unique. Otherwise the zones will not work properly. While serveradmin is one way to edit zone data, it isn’t the only way, you can also use the dnsconfig options described in http://krypted.com/?p=45195. In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone): cat /var/named/db.krypted.xsan
Add another record into the bottom and stop/start DNS to immediately see the ramification of doing so. Overall, DNS is one of those services that seems terribly complicated at first. But once you get used to it, I actually find manually editing zone files far faster and easier than messing around with the Server app or previously Server Admin. However, I also find that occasionally, because the Server app can make changes in there that all my settings will vanish. Troubleshooting is another place where the command line can be helpful. While logs can be found in the Server app, I prefer to watch log entries live as I perform lookups using the /Library/Logs/named.log file. To do so, run tail -f followed by the name of the file: tail -f /Library/Logs/named.log
Also, see http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written an article on managing DNS using this tool, available here.

October 13th, 2016

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , , , , , ,

DNS is DNS. And named is named. Except in OS X Server. Sometimes. The configuration files for the DNS services in OS X Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems. The current version of BIND is 9.9.7-P2. Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In OS X Server 5 (for El Capitan and Yosemite), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear. The verbs available include help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones). To view data available in the service, use the list verb. Options available when using the list verb include –acl (show ACLs), –view (show BIND view data), –zone (show domains configured in the service), –rr (show resource records) and –rrtype (show types of resource records). For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name: /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan The output would show you information about the listed zone, usually including View data: Views: com.apple.ServerAdmin.DNS.public Zones: pretendco.lan Options: allow-transfer: none allow-update: none  To see a specific record, use the –rr option, followed by = and then the fqdn, so to see ecserver.pretendco.lan: /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (–view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201: /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201 You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan: /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan Use the delete verb to remove the data just created: /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan Or to delete that one www record earlier, just swap the add with a delete: /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201 Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g. 10.1.1.1
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Overall, this command is one of the better updates we’ve seen from Apple when it comes to managing DNS in a long time. It shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.

October 5th, 2015

Posted In: Mac OS X Server

Tags: , , , , , , , ,

Under the hood, OS X Server has a number of substantial changes; however, at first the Server app appears to have had very few changes. The changes in the Server app were far more substantial in the Yosemite version of OS X Server. All of the options from Yosemite are still there and using the new command line interface for managing the service, there are far more options than ever before. The DNS service in OS X Server, as with previous versions, is based on bind 9 (BIND 9.9.2-P2 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, OS X, Linux and even Zoe-R. The first time you open the DNS Service click on the DNS service in the ADVANCED section of the list of SERVICES. dns1 Then, click on the cog wheel icon below the list of records and click on Show All Records. DNS2 At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter a Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records. DNS3 Click the plus sign to enter the IP address of any necessary Forwarders. Enter the IP address of any Forwarding servers, then click OK to save your changes. DNS4 Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure what computers the DNS server you are setting up can use the DNS service that the server is hosting. DNS5 At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”. All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. To list the various types of records:
  • Primary Zone: The DNS “Domain”. For example, www.krypted.com would likely have a primary zone of krypted.com.
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.
DNS6 When you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes). Once changes are made, the TTL can be set for a larger number in order to reduce the amount of traffic hitting the server (DNS traffic is really light, so probably not a huge deal in most environments using a Yosemite Server as their DNS server). Check the box for “Allow zone transfers” if there will be other servers that use this server to lookup records. Additionally, if the zone is to be a secondary zone configured on another server, you can configure the frequency to perform zone transfers at this screen, how frequently to perform lookups when the primary name server isn’t responsive and when to stop bothering to try if the thing never actually ends up coming back online. Click on Done to commit any changes made, or to save a new record if you’re creating a new zone. Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” — http://krypted.com/mac-os-x/dont-go-near-there-sponsored-top-level-domain-names/ Double-click on a Machine record next (or click plus to add one). Here, provide a hostname along with an IP address and indicate the Zone that the record lives in. The IP Addresses field seems to allow for multiple IPs, which is common in round robin DNS, or when one name points to multiple servers and lookups rotate amongst the servers. However, it’s worth mentioning that when I configure multiple IP addresses, the last one in the list is the only one that gets fed to clients. Therefore, for now at least, you might want to stick with one IP address per name. DNS8 Note that the above screen has a match for the host name to the zone name, including the zone name. This is not to be done for manually created records. Enter the name of a record, such as www for the zone called, for example, krypted.lan and not www.krypted.lan in the Host Name record, or you will end up creating a host called www.krypted.lan.krypted.lan, which is likely not very desirable. Given that this wasn’t the default behavior back in Server Admin, I personally consider this something that will likely get fixed in the future. Click Done to commit the changes or create the new record. Next, let’s create a MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records. DNS9 Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypted.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers. As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone. DNS10 At the zone screen, enter the name krypted.xsan, check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record. DNS11 At the New Machine Record screen, select krypted.xsan as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in 10.0.0.2. Click on Done to commit the changes. DNS12 Repeat the process for Apollo, entering apollo as the Host Name and 10.0.03 as the IP address. Click Done to create the record. Setting Up Secondary Servers Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second Yosemite Server running on the second server, click on the plus sign for the DNS service and select Add Secondary Zone. DNS13 At the Secondary Zone screen, enter krypted.xsan as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field. Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled). Managing DNS From The Command Line Now, all of this work we’ve been doing has been pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in OS X Yosemite Server is to do everything possible using the serveradmin command. To start the service, use the start option: sudo serveradmin start dns To stop the service, use the stop option: sudo serveradmin stop dns To get the status of the service, including how many zones are being hosted, the last time it was started, the status at the moment, the version of bind (9.8.1 right now) and the location of the log files, use the fullstatus option: sudo serveradmin fullstatus dns A number of other tasks can be performed using the settings option. For example, to enable Bonjour Client Browsing, an option previously available in Server Admin, use the following command: sudo serveradmin settings dns:isBonjourClientBrowsingEnabled = yes Subnets can be created programmatically through serveradmin as well. Let’s look at what our krypted.xsan subnet looks like, by default (replace your zone name w/ krypted.xsan to see your output): sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan Now, let’s say we’d like to disable bonjour registration of just this zone, but leave it on for the others on the server: sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:bonjourRegistration = no The entire block can be fed in for new zones, if you have a lot of them. Just remember to always make sure that the serial option for each zone is unique. Otherwise the zones will not work properly. While serveradmin is the preferred way to edit zone data, it isn’t the only way. In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone): cat /var/named/db.krypted.xsan Add another record into the bottom and stop/start DNS to immediately see the ramification of doing so. Overall, DNS is one of those services that seems terribly complicated at first. But once you get used to it, I actually find manually editing zone files far faster and easier than messing around with the Server app or previously Server Admin. However, I also find that occasionally, because the Server app can make changes in there that all my settings will vanish. Troubleshooting is another place where the command line can be helpful. While logs can be found in the Server app, I prefer to watch log entries live as I perform lookups using the /Library/Logs/named.log file. To do so, run tail -f followed by the name of the file: tail -f /Library/Logs/named.log Also, see http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written an article on managing DNS using this tool at

October 16th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

Any time doing a migration of data from one IP to another where that data has a DNS record that points users towards the data, we need to keep the amount of time it takes to repoint the record to a minimum. To see the TTL of a given record, let’s run dig using +trace, +nocmd to turn off showing the version and query options, +noall to turn off display flags, +answer to still show the answer section of my reponse and most importantly for these purposes +ttlid to toggle showing the TTL on. Here, we’ll use these to lookup the TTL for the www.krypted.com A record: dig +trace +nocmd +noall +answer +ttlid a www.krypted.com The output follows the CNAME (as many a www record happen to be) to the A record and shows the TTL value (3600) for each: www.krypted.com. 3600 IN CNAME krypted.com. krypted.com. 3600 IN A 199.19.85.14 We can also lookup the MX using the same structure, just swapping out the a for an MX and the FQDN with just the domain name itself: dig +trace +nocmd +noall +answer +ttlid mx krypted.com The response is a similar output where krypted.com. 3600 IN MX 0 smtp.secureserver.net. krypted.com. 3600 IN MX 10 mailstore1.secureserver.net.

January 23rd, 2014

Posted In: Active Directory, cloud, Consulting, iPhone, Kerio, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server, Network Infrastructure, Windows Server

Tags: , , , , , , , , , ,

The most impactful aspect of the changes in OS X Mountain Lion Server at first appears to be the fact that DNS looks totally different in the Server app than it did in Server Admin. For starters, most of the options are gone from the graphical interface and it looks a lot less complicated, meaning that there are indeed fewer options. However, all of the options previously available are still there. And, the service behaves exactly as it did before, down to the automatically created host name when a server is configured and doesn’t have correctly configured forward and reverse DNS records that match the host name of the computer. The DNS servicein OS X Mountain Lion Server, as with previous versions, is based on bind 9 (9.8.1 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, OS X, Linux and even Zoe-R. Installing DNS For many, at installation OS X Mountain Lion Server will already be running the DNS service. This is because DNS wasn’t ready for the server when the Server app was first run. In order to protect itself from misconfiguration, the server then configures DNS to what it thinks is appropriate based on the initial setup assistant. While initially the service appears to only be running with the one record, several are actually created. The initial zone, a reverse zone, the NS record for the zone, the NS record for the reverse zone, the reverse record for the initially created zone, etc. To see all of this, open Server app and then click on the DNS service in the list of SERVICES. Then, click on the cog wheel icon below the list of records and click on Show All Records.
Show All Records Option For DNS In Mountain Lion Server

Show All Records Option For DNS In Mountain Lion Server

Use the Edit button for Forward Servers to configure servers that DNS requests that aren’t resolvable by the local service for. For example, if you want your DNS service to look to 4.2.2.2 and 4.2.2.3 if it can’t find a record and then cache what it finds there, click Edit. At the Forwarding Servers screen, use the plus sign to assign the two IPs you would like to use. All records are then cached based on TTL of the zone. By default the “Perform lookups for” option is set to “only some clients”. Click the Edit button here to define what computers can perform DNS lookups through this server. At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”. Managing Records All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. To list the various types of records:
  • Primary Zone: The DNS “Domain”. For example, www.krypted.com would likely have a primary zone of krypted.com.
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • MX Record: Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.
Click on the Plus Sign To See A List of Record Types

Click on the Plus Sign To See A List of Record Types

When you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.
Configuring Zones in Mountain Lion Server

Configuring Zones in Mountain Lion Server

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be pretendco.com rather than c.pretendco.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes). Once changes are made, the TTL can be set for a larger number in order to reduce the amount of traffic hitting the server (DNS traffic is really light, so probably not a huge deal in most environments using a Mountain Lion Server as their DNS server). Check the box for “Allow zone transfers” if there will be other servers that use this server to lookup records. Additionally, if the zone is to be a secondary zone configured on another server, you can configure the frequency to perform zone transfers at this screen, how frequently to perform lookups when the primary name server isn’t responsive and when to stop bothering to try if the thing never actually ends up coming back online. Click on Done to commit any changes made, or to save a new record if you’re creating a new zone.
Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.
Double-click on a Machine record next (or click plus to add one). Here, provide a hostname along with an IP address and indicate the Zone that the record lives in. The IP Addresses field seems to allow for multiple IPs, which is common in round robin DNS, or when one name points to multiple servers and lookups rotate amongst the servers. However, it’s worth mentioning that when I configure multiple IP addresses, the last one in the list is the only one that gets fed to clients. Therefore, for now at least, you might want to stick with one IP address per name. Note that the above screen has a match for the host name to the zone name, including the zone name. This is not to be done for manually created records. Enter the name of a record, such as www for the zone called, for example, krypted.com and not www.krypted.com in the Host Name record, or you will end up creating a host called www.krypted.com.krypted.com, which is likely not very desirable. Given that this wasn’t the default behavior back in Server Admin, I personally consider this something that will likely get fixed in the future. Click Done to commit the changes or create the new record. Next, let’s create a MX record for the domain. We’re going to stick with the c.pretendco.com subdomain as it provides us with a nice walled garden for our DNS. To create the MX for the domain, click on the plus sign at the list of records. Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for pretendco.com, so mail.pretendco.com. If you have multiple MX records, increment the priority number for the lower priority servers. As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone. At the zone screen, enter the name krypted.xsan, check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record. At the New Machine Record screen, select krypted.xsan as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in 10.0.0.2. Click on Done to commit the changes. Repeat the process for Apollo, entering apollo as the Host Name and 10.0.03 as the IP address. Click Done to create the record. Setting Up Secondary Servers Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second Mountain Lion Server running on the second server, click on the plus sign for the DNS service and select Add Secondary Zone. At the Secondary Zone screen, enter krypted.xsan as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field. Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled). Managing DNS From The Command Line Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in OS X Mountain Lion Server is to do everything possible using the serveradmin command. To start the service, use the start option: sudo serveradmin start dns To stop the service, use the stop option: sudo serveradmin stop dns To get the status of the service, including how many zones are being hosted, the last time it was started, the status at the moment, the version of bind (9.8.1 right now) and the location of the log files, use the fullstatus option: sudo serveradmin fullstatus dns A number of other tasks can be performed using the settings option. For example, to enable Bonjour Client Browsing, an option previously available in Server Admin, use the following command: sudo serveradmin settings dns:isBonjourClientBrowsingEnabled = yes Subnets can be created programmatically through serveradmin as well. Let’s look at what our krypted.xsan subnet looks like, by default (replace your zone name w/ krypted.xsan to see your output): sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan Which outputs the following: dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:allowZoneTransfer = yes dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:aliases = _empty_array dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:expire = 1209600 dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:serial = 2012080505 dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:allow-update = no dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:adminEmail = "admin@krypted.xsan" dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:machines:_array_index:0:name = "starbuck.krypted.xsan." dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:machines:_array_index:0:ipAddresses:_array_index:0:ipAddress = "10.0.0.2" dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:machines:_array_index:1:name = "apollo.krypted.xsan." dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:machines:_array_index:1:ipAddresses:_array_index:0:ipAddress = "10.0.0.3" dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:nameservers:_array_index:0:name = "krypted.xsan" dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:nameservers:_array_index:0:value = "starbuck.krypted.xsan." dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:refresh = 3600 dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:mailExchangers = _empty_array dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:reverseMappings = _empty_array dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:retry = 900 dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:timeToLive = 86400 dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:serviceRecords = _empty_array dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:bonjourRegistration = yes dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:name = "krypted.xsan" Now, let’s say we’d like to disable bonjour registration of just this zone, but leave it on for the others on the server: sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:bonjourRegistration = no The entire block can be fed in for new zones, if you have a lot of them. Just remember to always make sure that the serial option for each zone is unique. Otherwise the zones will not work properly. While serveradmin is the preferred way to edit zone data, it isn’t the only way. In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /var/named/db.krypted.xsan file (each file name is db. followed by the name of the zone): cat /var/named/db.krypted.xsan The output of which is similar to the following (YMMV based on record composition):
krypted.xsan. 10800 IN SOA krypted.xsan. admin.krypted.xsan. ( 2012080507 ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) 1209600 ; expire (2 weeks) 86400 ; minimum (1 day) )10800 IN NS starbuck.krypted.xsan. apollo.krypted.xsan. 10800 IN A 10.0.0.3 starbuck.krypted.xsan. 10800 IN A 10.0.0.2 Add another record into the bottom and stop/start DNS to immediately see the ramification of doing so. Overall, DNS is one of those services that seems terribly complicated at first. But once you get used to it, I actually find manually editing zone files far faster and easier than messing around with the Server app or previously Server Admin. However, I also find that occasionally, because the Server app can make changes in there that all my settings will vanish. Troubleshooting is another place where the command line can be helpful. While logs can be found in the Server app, I prefer to watch log entries live as I perform lookups using the /Library/Logs/named.log file. To do so, run tail -f followed by the name of the file: tail -f /Library/Logs/named.log Finally, see http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Conclusion Because DNS is one of the most critical aspects of getting your server or servers configured properly, set up the name of your server before you do anything else. Then the very first thing you should do when you open the Server app on your first server is configure DNS. The next thing you should do is test DNS. The first thing you should do on each subsequent server is check DNS. Overall, the DNS service is very straight forward, once you get used to setting up records. There is a ton of flexibility around using the command line to manage the service as well; however, be aware when you do so that you could end up loosing data if you aren’t careful not to make any changes in the Server app! As for getting used to the changes with every new version of OS X, Daniel Graystone once said “She’ll adjust. She’s probably very confused by everything. It’s only natural.”

August 6th, 2012

Posted In: Mac OS X Server, Mass Deployment

Tags: , , , , , , , , , , , , , , , ,

At times, you may find that information gets stuck in Server Admin and can’t be removed. For example, you see a Zone in Server Admin, and it doesn’t have a Name Server record attached to it. You can’t delete it but every time you add a Name Server it just disappears. This is often caused when you remove or change something and it gets dumped from the zone files in /var/named but not from the BIND view. Running serveradmin will show the data but as it’s serialized it can’t be removed: serveradmin settings dns Without a Name Server record, the zone is unresponsive to queries. Removing the zone can delete the zone file from /var/named/zones but doesn’t delete it from Server Admin. To go ahead and get rid of the bad records, open the /etc/dns/publicView.conf.apple file with your favorite text editor. Here, each zone in OS X Server has a corresponding block, such as: *+zone "1.168.192.in-addr.arpa." {+* *+type master;+* *+file "db.1.168.192.in-addr.arpa.";+* *+allow-transfer {none;};+* *+allow-update {none;};+* }; Locate the offending block for the jacked up and remove or comment it out. Don’t delet this block though: +zone "." {+ +type hint;+ +file "named.ca";+ }; +zone "localhost" IN {+ +type master;+ +file "localhost.zone";+ +allow-update { none; };+ }; +zone "0.0.127.in-addr.arpa" IN {+ +type master;+ +file "named.local";+ +allow-update { none; };+ }; That block should stay in place. The Server Admin generated blocks should be towards the top and the above block that shouldn’t be removed should be at the bottom.

July 12th, 2011

Posted In: Mac OS X Server

Tags: , , , , , , , , , , ,

On Sunday, I mentioned making your forward and reverse DNS entries match up. But I didn’t really discuss what to do if they don’t. For those readers moving into Ubuntu from Mac OS X Server, you’ll note that at installation time, if the hostname doesn’t match the A record and PTR for your server then it will install DNS and make them match up. The reason for this is that host names are a critical aspect in how many of the network services that modern services run. If you don’t have DNS or if you want to fire up DNS in the same manner that Mac OS X Server does it then let’s look at doing so here. First up, let’s get the packages that we’ll need installed using apt-get, which includes bind9 and dnsutils:
apt-get install bind9 dnsutils
Once those are installed, let’s define our zone and reverse zone in /etc/bind/named.conf.local:
zone “krypted.com” { type master; file “/etc/bind/zones/krypted.com.db”; }; zone “210.168.192.in-addr.arpa” { type master; file “/etc/bind/zones/rev.210.168.192.in-addr.arpa”; };
Note: If you’re cut/copy/pasting here, the double-quotes are going to need to get replaced with unformatted ones. If you have other forward or reverse zones then you will need to add them using the same format as above. Once you’re done, save the file. Next, let’s tell the server where to look when attempting to resolve names that it does not host. This information is stored in the options array in /etc/bind/named.conf.options. This is currently commented out (commented lines start with //) so let’s uncomment the forwarders section (by removing the // in front of the lines) and change the IP of that forwarder from 0.0.0.0 to the IP address of your server. It should look similar to the following when complete:
forwarders { 4.2.2.2 };
Next, we’re going to create our
mkdir /etc/bind/zones touch /etc/bind/zones/krypted.com.db touch /etc/bind/zones/rev.210.168.192.in-addr.arpa
Now that we’ve created our files, let’s edit them. First, open /etc/bind/zones/krypted.com.db and look for all instances of krypted.com, replacing them with the domain name that you would like to use. Also, look for all of the records and make sure that they match with the name and IP that you would like to use, creating new lines for each new record:
krypted.com. IN SOA ns1.krypted.com. admin.krypted.com. ( 2007031001 28800 3600 604800 38400 ) krypted.com. IN NS ubuntu08.krypted.com. krypted.com. IN MX 10 mail.krypted.com. www IN A 192.168.210.2 home IN A 192.168.210.2 mta IN A 192.168.210.2 ubuntu08 IN A 192.168.210.254
Next, we’ll populate the reverse zone file. You’ll need to replace my instances with your own as in the previous section. Open /etc/bind/zones/rev.0.168.192.in-addr.arpa in your favorite text editor and edit away:
@ IN SOA ubuntu08.krypted.com. admin.krypted.com. ( 2007031001; 28800; 604800; 604800; 86400 ) IN NS ubuntu08.krypted.com.
1 IN PTR krypted.com
Next, we’ll restart the DNS services to accept these massive changes we’ve made:
/etc/init.d/bind9 restart
Next, edit the /etc/resolv.conf file to set the DNS server and (optional) search domain. Then change it to look something like the following:
search krypted.com nameserver 192.168.210.254
Finally, you can use dig and nslookup to test the lookups and make sure they work. For example:
nslookup ubuntu08.krypted.com

November 22nd, 2010

Posted In: Ubuntu, Unix

Tags: , , , , , , , , , ,

In DNS, recursion references the process where a name server will make DNS queries to other name servers on behalf of client systems. Most name servers are simply DNS clients that cache information for a specified amount of time. Recursion is disabled by default on most name servers. In Mac OS X recursion is enabled for subnets local to the server only.
In environments where you wish to provide recursive queries you can enable recursion by opening Server Admin, clicking on the disclosure triangle for the server you will be configuring and then clicking on the DNS service. From here, click on the Settings icon in the Server Admin toolbar and then in the section for Accept recursive queries from the following networks you would click on the plus sign (+). In this field provide the IP address or netmask that you would like to enable recursion for. For example, if you’re enabling recursion for all computers on the 192.168.0.0 subnet and the subnet mask for those clients is 255.255.255.0 then you would enter:
192.168.0.0/24
This will allow recursion for those clients by updating the /etc/dns/options.conf.apple file. Alternatively you can edit the setting by hand yourself, but don’t do so using the /etc/dns/options.conf.apple file or you could introduce instability into the DNS service and Server Admin could overwrite your settings. Rather, edit the /etc/named.conf file. In named.conf add the following line in the options section:
allow-recursion {192.168.0.0/24;};
Overall, this is a fairly straight forward technical note, but there is an underlying theme that Apple is doing a really good job of leveraging an include methodology with regards to configuration files. Inside the /etc/named.conf, also in the options section, you’ll notice that there is a line that begins with include and specifies the path of the Server managed file, which uses the word apple at the end of it. This is mirrored in zone files as well. While not all open source services use this method for allowing different configurations in the GUI and the command line, I hope they all will at some point.

September 29th, 2009

Posted In: Mac OS X Server

Tags: , , , , , ,