How do I set up a Mac OS X Server - NameServer behind an Airport Extreme?


Edit: Okay... it looks like your top level domain provider hasn't properly pointed ns.invatamax.ro to 96.x.x.x. My computer attempts to resolve invatamax.ro, recognizes that you've set up the nameserver to be ns.invatamax.ro, but then it is unable to resolve what IP address (the 96.x.x.x address) it should look to. When did you have your domain provider set up the pointer? If it was within the last day, it needs time to replicate around the world. Since I'm unable to get the IP address of ns.invatamax.ro at all, it is not a router issue. If it were a router issue I would be able to find out the 96.x.x.x address but a traceroute would fail at the router.

Check this link out: http://zytrax.com/books/dns/ch8/ns.html. It uses a bunch of fancy confusing language, but basically what you're missing is that glue record.

To break the query deadlock for referrals which return name servers within the domain being queried. Assume a query for a domain, say the A RR for www.example.com, returns a referral containing the name but not the IP address of a name server, say ns1.example.com, which lies within the domain example.com. Since the IP address of the name server is not known this will naturally result in a query for the A RR of ns1.example.com which will return, again, a referral with the name but not the IP of ns1.example.com! When the glue record is provided this problem does not occur.


As you can see from the diagram, there's an infinite loop going 2->3->4->5->4->5->4->5->4.

Just a quick thought: It's possible you may also need a reverse record, sometimes called a PTR record. You can ask your ISP to set that up. You'll want a reverse record pointing 96.x.x.x to something.com and ns.something.com.

A side note: it is highly inadvisable to host public DNS on a single server in a single location with non-redundant power and internet and routers and a consumer-grade connection.

Also, from outside of the network, run traceroute -p X ns.something.com where X is a port number DNS uses, for each port number DNS is using. This will tell you the path that computers outside of the network are taking to attempt to get to your server.
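An added example (not part of the original answer) of the check the answer describes: given the referral a parent zone hands back, flag name servers that sit inside the delegated zone but arrive with no address record. The referral text is constructed sample data using example.com from the quoted passage, and the function names are hypothetical.

```python
# Constructed `dig +norecurse` style referral text; names use example.com
# from the quoted passage and a documentation-range address.
REFERRAL_NO_GLUE = """\
;; AUTHORITY SECTION:
example.com.        172800  IN  NS  ns1.example.com.
example.com.        172800  IN  NS  ns2.example.net.
"""

REFERRAL_WITH_GLUE = REFERRAL_NO_GLUE + """\
;; ADDITIONAL SECTION:
ns1.example.com.    172800  IN  A   192.0.2.53
"""


def parse_records(text):
    """Return (owner, rtype, rdata) tuples from dig-style record lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip comments, section headers and anything that is not a full RR.
        if line.startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue
        records.append((fields[0].lower(), fields[3].upper(), fields[4].lower()))
    return records


def in_bailiwick(name, zone):
    """True when name is the zone apex or sits below it."""
    name, zone = name.rstrip("."), zone.rstrip(".")
    return name == zone or name.endswith("." + zone)


def missing_glue(referral_text, zone):
    """List in-zone name servers the referral names without an address."""
    zone = zone.lower().rstrip(".")
    records = parse_records(referral_text)
    ns_names = [rdata for owner, rtype, rdata in records
                if rtype == "NS" and owner.rstrip(".") == zone]
    have_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    # Out-of-zone servers (ns2.example.net) are found through their own
    # delegation, so only in-bailiwick names need glue from the parent.
    return sorted(n for n in ns_names
                  if in_bailiwick(n, zone) and n not in have_addr)


if __name__ == "__main__":
    print("without glue:", missing_glue(REFERRAL_NO_GLUE, "example.com"))
    print("with glue:   ", missing_glue(REFERRAL_WITH_GLUE, "example.com"))
```

A non-empty result for a zone whose only name servers are in-bailiwick is the deadlock from the quoted passage: the resolver is told the server's name but has nowhere to learn its address.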


Author: unom

Updated on September 17, 2022

Comments

  • unom
    unom over 1 year

    I have a Mac mini server I want to set up to host a couple of things.

    My setup is as follows:

    The WAN connection (static IP and ISP nameservers) goes into the WAN port of the Airport Extreme. The Mac mini server is connected to one of the Ethernet ports. The Mac mini will host my domain something.com.

    My settings so far: Airport Express gets:

    96.x.x.x as the external static IP from the ISP

    174.y.y.y as the nameserver

    Mac mini server always gets a reserved DHCP IP from the Airport Express:

    10.0.1.3 is the server's IP

    10.0.1.1 as the DNS (this IP is the Airport Express itself)

    My DNS server has an A record pointing to ns.something.com and a PTR doing the reverse.

    I've already added my 96.x.x.x to point ns.something.com with my registrar as attached.

    NOW: Nobody seems to be able to access my ns.something.com to resolve any of my records. From any computer in my network I CAN see my ns and everything works. The outside, on the other hand, does not... it's as if the Airport Extreme which "holds" the exterior 94.x.x.x address doesn't pass DNS along to my 10.0.1.3 ns server.

    I have the server managing the airport. Isn't this supposed to work?

    • Jack Lawrence
      Jack Lawrence over 13 years
      Any particular reason why you'd like to host DNS yourself?
    • Jack Lawrence
      Jack Lawrence over 13 years
      Also, what do you mean by this: "174.y.y.y as the nameserver" what nameserver is this?
  • unom
    unom over 13 years
    I'm using an Airport Extreme. Could the ISP somehow block DNS to my location?
  • Jack Lawrence
    Jack Lawrence over 13 years
    It's possible. From outside of your network, can you resolve the IP address associated with ns.something.com? Is it correct? It should be the 96.x.x.x address. (Run ping ns.something.com in the terminal and see what IP address it attempts to ping.) Again, try tracerouting the ports to see if your ISP is blocking them.
  • Jack Lawrence
    Jack Lawrence over 13 years
    Totally agree with you.
  • Jack Lawrence
    Jack Lawrence over 13 years
    I'd also like to know the real domain name; in a few seconds I or Robert Moir could diagnose the issue.
  • unom
    unom over 13 years
    The domain is "invatamax.ro" to the direct A record "ns.invatamax.ro"
  • Jack Lawrence
    Jack Lawrence over 13 years
    see my edits :)
  • unom
    unom over 13 years
    Ok, you said "my computer recognizes that you've set up the nameserver to be ns.invatamax.ro". How are you able to infer that? What I've set up with the provider is a "child nameserver" with ns.something.com and my IP. It turns green and tells me it's created. Then I added ns.something.com to the nameservers list for something.com (I used to have a doteasy DNS there). Now that child nameserver turns from green to grey and says it's "attached to the parent domain". The page is very simple, there are no other settings to speak of, and I have done this before. 20 h since my last update.
  • unom
    unom over 13 years
    I'm beginning to think it's the ISP. I have a nearly complete mental model on these issues. The thing I'm missing MUST be related to something else.
  • Jack Lawrence
    Jack Lawrence over 13 years
    Again, at this point my computer isn't even attempting to connect to you. At this point, it's still asking what the IP address is for ns.invatamax.ro so that it can then attempt to connect.
  • unom
    unom over 13 years
    So it seems it's registrar related at this point, we haven't got as deep as to see the ISP yet since we apparently can't get the registrar to link that ns to the IP. I'll sleep on it... try with a different domain and report back.
  • Jack Lawrence
    Jack Lawrence over 13 years
    Yup! I think that's the issue. I made you a lil diagram explaining the whole infinite loop of death as well :)
  • unom
    unom over 13 years
    WOW! One more quick question. If the registrar has everything configured all right and he has that glue record for me when I ask for it, my understanding is that he should be able to say... look, here is the IP for that ns you want REGARDLESS of the ns being actually online or not... or even reachable.
  • Jack Lawrence
    Jack Lawrence over 13 years
    Yeah, the glue record is basically like an A record so it doesn't do any checking to see if your server is reachable. That's why it's good to have redundant nameservers. In fact, most domain time registrars require that you specify ns1.something.com and ns2.something.com.
  • unom
    unom over 13 years
    I've managed to isolate the problem... It's domain registrar related. That glue record simply is not there.
  • unom
    unom over 13 years
    I'm using a normal .com now and everything works. My settings were by the book. I've read a couple of forums; it seems someone inside the top level domain is using his leverage to keep you from linking directly to them so you have to deal with "certain" resellers already on "the list". They deny access to DNS even though the website lets you set the appropriate fields.