Setting up a DNS server
04-19-2002, 11:32 AM
can anyone possibly give me any pointers on how to begin setting up a DNS server on X.1.4, I have only X on my tangerine imac 333/256ram if that info is needed. I am currently using apache too if that matters. If someone can even point me to where it is located on the computer I would appreciate it. I can figure out some stuff pretty good, but I am not even sure where to find it in the directories. I am also assuming that I will at some point have to be logged in as root or sudo for some of the commands, which is not a problem I have done that many times before. Thanks for any help.
04-19-2002, 12:51 PM
This (http://www.macosxhints.com/article.php?story=20011220115956917) hint on the main site talks about setting up BIND as a caching-only nameserver, maybe you could use the instructions for your needs?
04-19-2002, 03:05 PM
I'm running OSX.1.3 Server, and I set up my DNS using the guide on http://www.macresource.com/. If you go to the bottom of the page and click on search and then go to Nov 2001 and scroll down to Nov 21st, there is an entire guide on how to set it up. Ours works great!! Hope this helps.
04-20-2002, 07:38 AM
I have been thinking about doing this also - per instructions at Macresource. What exactly are the benefits - I have a small LAN with 4 machines on it.
04-21-2002, 06:28 PM
I am running a DNS server on a 9 box here and it works good and it is nice for not having to remember the IPs of the machines and just typing in the computer name that you want to get to. I want to move everything over to my iMac with X for all my services. I am wanting to put some form of Linux on the 9 box to do my experiments with so I don't hose my iMac and iBook when testing things out.
04-21-2002, 06:37 PM
Well if all a DNS server helps with on a LAN is assoc IP's with internal machines - that can be achieved much easier by just adding a few entries into the NetInfo app.
From what I have read - a caching DNS server will speed up lookup of IPs/addresses on the internet - and that is really the only benefit I can find to go through all the trouble (and it does look like a bit of time consumed setting it up) of setting up a DNS server.
I was hoping someone here would prove me wrong and say "No, that's not all it can do...it can benefit you like this..."
I have yet to receive that justification.
04-22-2002, 11:54 PM
I decided to use the hint that sandpilot pointed out and everything went exactly as described and I thought it was going great and at the very end I restarted as it suggested, and the computer booted up and took forever at the network time point and then once it got past that it got to the point when it was going to load the login screen and it took several minutes to bring up the login screen. I was able to log in through an ssh connection from my other machine and go through all the files and I did find one typo: I left out one character in the NAMESERVER=-YES- line that is pointed out near the end. I corrected it and then restarted again and it will not start up correctly any longer; it gets up to about half of the progress bar and then says a couple of lines so fast I cannot read them and does not finish the progress bar and then it acts as if it is going to load the login screen again and just hangs there for eternity. I can no longer log in through a terminal window with ssh or any other protocol I can think of, or through a browser with http either. I was able to boot it into single user mode, but it will not let me change anything in the system! Even when I do the two part command that the OS says to do to allow changes, it comes back and fails! ANY help would be so nice!
04-23-2002, 04:56 AM
when you start the machine, hold down <command>+<v> at the start up bong and hold them until the screen starts to fill with text.
You're now in "verbose" boot, which will print out all the unix stuff that's going on in the background. It's still a bit fast, but will give you a better idea of what's happening (and more importantly more information to print here) than just the apple boot panel.
edit: of course, you could also just boot into OS 9 and undo the changes you made to set up the DNS, specifically the NAMESERVER=-YES- option.
Doesn't fix the DNS, but at least it should give you a bootable OS X box.
04-23-2002, 08:25 AM
Updated Apple tech note on internal DNS setup:
04-23-2002, 01:23 PM
To jaybee, thanks for the hint about getting rid of the NAMESERVER line and I will try that, but this install of X is only X; there is no Classic on it. I have tried the verbose mode already and it spits it past me at the end there even faster than it does with the graphical boot. Me being a slow reader does not help, but this goes by so fast no one would read it. I have also tried to boot from a 9 OS disk and I can go back in and change some of the settings and files I have edited, but not all of the directories show up when I boot in Classic, for example var and etc and usr.
I will also check out the newer post on setting this up. Thanks to all for the input.
04-23-2002, 05:31 PM
You can use the dmesg command to see what gets output to the screen at startup.
04-29-2002, 08:25 AM
I followed the instructions on MacResource this weekend to set up a DNS caching server and all appeared to work fine. Lookups were definitely faster. Yet I kept noticing my console was still showing those classic "DNS send query failed" to the DNS machine error msgs. I thought this was supposed to solve it.
I then found the MacOSXHints article and started merging the two sets of info. I installed bind 4.2.0 and did the rndc stuff (that was all that wasn't mentioned at MRP) and then fired it back up again. Works great and NOW all the "dns send query" error msgs have disappeared.
Couple of things to note:
* In the MRP article the named items are stored in /private/etc and /private/var - in the MacOSXHints article the items are stored in /usr/local/etc. I am not sure which is really proper but since I had already installed via the MRP article I just modified the OSXHints info to match those paths.
* If you read a bit farther at MRP regarding the subject - specifically OS 9 interacting with the DNS server - you will see that he later came up with a problem in his setup. Namely, the domain name he had chosen, .local, was not a good one to use as that caused the problem with OS 9. Seems there is something internal in OS 9 that is referencing a "local" already and by using .local as your domain you confuse it. I went back in and changed my domain to .lan.
* The named.conf file at MRP has a few more entries in it than the one in the OSXHints article. I am definitely no guru on the subject but it looks like the extra info is used to reference your internal LAN machines.
One question I do have though - I set up my DNS server on an iBook 2001 as that is what I normally use to run my servers off of. Occasionally I actually need to remove the iBook from the LAN and actually take it places (imagine that - what a great use for a laptop...hahah) - anyway - I have noticed that if I boot my G4 on the LAN when the iBook DNS server is not available, the boot process will hang for several mins at the network time screen and then permanently at the Firewall screen. Is there something that could be added to the process to tell the machines on the LAN to look elsewhere if the local DNS is not available? I was thinking it might be as easy as assigning a second external DNS (e.g. your ISP DNS) in the list of DNS servers in the TCP/IP control panel. Any thoughts on this?
07-30-2002, 12:33 PM
Just a couple of comments here:
BIND is the number one security risk on the internet. BIND is notoriously vulnerable to various kinds of buffer-overflow attacks.
Treat it cautiously because it's a dangerous service.
If you must set up a bind dns server:
1. Make sure you are not running any other vulnerable service on the box -- not sendmail -- definitely not ftp.
2. You must not run BIND as root....but as user named, group named.
3. You should set the permissions on the config/zone files to 444, or everyone can read, no one can write (except root of course).
4. You should consider running named (or BIND) in a chrooted environment.
5. You must run the latest version of BIND 8, which as of this writing is: 8.2.5
Sorry don't mean to be stern here just trying to watch out for my fellow mac users....remember we're running unix now:D
07-30-2002, 06:29 PM
Thanks for letting me know this. I have temporarily abandoned setting this up anyways because I have been trying to get other stuff done. This would only be for my internal use on my LAN, not for public use, if that makes a difference. I am currently up to X.1.5 and I am running HTTP and FTP on my server too. Is there a replacement program that I could use to do the same thing that is more secure? As it stands right now my 7100 (specs in signature) is my DNS and email server and that is the only thing it is being used for. This was set up to be a temporary thing since I really do not have the room for this machine, even headless. I really would like to get those two things set up on my iMac (my server).
07-31-2002, 06:37 AM
What about Bind 9.x?
Any security issues with that yet?
07-31-2002, 03:36 PM
If you run bind 8 or 9 as user named/group named and chroot it and give user named a shell of say /dev/null or /bin/false, then even if a bad guy busts bind, he gets nothing....no root perms and no shell.
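The hardening points made in the post above and in the earlier five-item checklist (don't run named as root, keep the config and zone files unwritable by anyone but root, give the named account a shell that refuses logins) can be checked from a shell. The script below is an added example written for this page; it is not code from the thread, from BIND, or from either guide the posters followed. It assumes the dedicated account is called `named`, and the process-list line and file modes fed to it in the demo are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): posture checks for a BIND/named install.
# Each check takes its input as an argument, so it can be run against the
# constructed samples below or against real output from ps/stat on the host.

# Return 0 if a process-list line (user in the first column, as
# `ps -eo user,comm | grep '[n]amed'` prints it) shows named running as a
# user other than root; return 1 for root or an empty line.
named_not_root() {
    ps_line=$1
    user=$(printf '%s\n' "$ps_line" | awk '{print $1}')
    [ -n "$user" ] && [ "$user" != "root" ]
}

# Return 0 if an octal mode (as `stat -f %Lp` prints on Mac OS X or
# `stat -c %a` on Linux) grants no write access to group or other, which is
# what the "444, everyone can read, no one can write" advice amounts to.
mode_not_group_other_writable() {
    mode=$1
    # Keep only the last three digits (drops a leading setuid/setgid/sticky digit).
    perm=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    # The write bit is 2, so any of the digits 2, 3, 6 or 7 means writable.
    case "$group$other" in
        *[2367]*) return 1 ;;
    esac
    return 0
}

# Return 0 if the account's login shell (seventh field of its passwd entry,
# or the shell shown by `niutil`/`dscl` on older Mac OS X) refuses logins.
shell_is_nologin() {
    case "$1" in
        /dev/null|/bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks and print the number that failed (0 means hardened).
audit_named() {
    failures=0
    named_not_root "$1" || failures=$((failures + 1))
    mode_not_group_other_writable "$2" || failures=$((failures + 1))
    shell_is_nologin "$3" || failures=$((failures + 1))
    echo "$failures"
}

# Constructed sample input for the demo (not captured from a real machine).
SAMPLE_GOOD_PS='named     named'
SAMPLE_BAD_PS='root      named'

if [ "${1:-}" = "--demo" ]; then
    echo "hardened setup : $(audit_named "$SAMPLE_GOOD_PS" 444 /bin/false) failed check(s)"
    echo "insecure setup : $(audit_named "$SAMPLE_BAD_PS" 664 /bin/sh) failed check(s)"
fi
```

Run it with `--demo` to see the two constructed cases scored; on a live host, feed `audit_named` the real `ps` line for named, the mode of named.conf from `stat`, and the named account's shell. A count of 0 means the three points from the thread are satisfied; it says nothing about the chroot, which has to be confirmed separately from the options named was started with.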