At 11:10 AM -0600 11/22/05, Brendan O'Toole wrote:
>>>> In other words, if you're not sure how to drive, stay off the
>>>> road. It's not like you can't get someone with experience to
>>>> host your DNS for you. Most NSPs provide DNS hosting for their
>>>> networks gratis. For those that need hosting, hosting providers
>>>> abound. In most cases ppl don't need to or shouldn't be running
>>>> their DNS locally.
>>> Except anyone running NAT who needs resolution of internal
>>> addresses, which the OP is...
>> You don't need DNS for NAT.
> I think he means, if you want to resolve internal, private
> range IPs, you need to set up DNS, which I have done with help from
> this group for all my schools in the past.
>> If you want DNS, then yes, you want DNS. But neither NAT nor OS X
>> Server requires it. OS X Server prefers (very, very strongly) that
>> you have DNS, but all it really needs is resolution of some kind.
>> DNS is just the most common way to do this.
> I have been told many times by this list and others (and by you, I
> believe) and correctly so, that many features of OS X Server will
> fail without proper running DNS, or at least a correctly working
> forward and reverse lookup of the server's host name itself. As a
> matter of fact, I've been chastised for not having a working DNS
> setup, again, either on this list or macosx-admin.
Many things will fail without _*name resolution*_. If you have bad
DNS then names are resolved improperly and things break. If you
either choose not to use names, not to use DNS namespaces, or to
resolve names differently this is all perfectly acceptable too. It's
not that you /must/ have DNS, it's just if you /do/ have DNS it
/must/ be right.
DNS is just *a* way to resolve names.
You may find this hard to believe but DNS is a very recent protocol,
and the Internet ran fine for eons without it. You might not remember
it, but to me it's still a relative newcomer, like HTTP.
And regardless, NAT is a level 2/3 mapping and cares not one bit
about DNS. It doesn't use it, need it or care about it. Not one bit.
It's all IP addresses, no names are involved to protect the guilty.
It says some IP address gets remapped to some other IP address,
nothing more. NAPT says that some IP-address:port gets mapped to some
other IP-address:port, still no names there either. NAT does not need
DNS. Period.
> My personal experience has backed this up. Just one example: none of
> our Windows XP clients can get a DHCP assigned address from our OS X
> Servers without DNS up and running. Why, I don't know, but it's an
> easily reproducible issue.
But related to DNS being deployed and not getting resolved properly.
DHCP doesn't *require* DNS either, though it almost always includes DNS
information as part of its responses. If you are expecting it and
don't get it, yeah, you have an issue, you're missing a piece of
your puzzle.
> So, we've been running our bogus .lan domains for the last year,
> with no issues we are aware of.
Zones. They're zones.
> But you still haven't answered my biggest question: if blocking port
> 53 is just a bandaid for preventing DNS leakage of our private
> zones, what else should we be doing?
Properly configuring BIND in the first place. If you want to control
who gets to resolve what, how, and viewed which way, BIND is the place
to do this, not a nasty hack at the border to make up for not doing
the right thing to begin with.
My NSHO.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden
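The closing advice in the thread, configuring BIND so the private zone is only ever answered to internal clients instead of blocking port 53 at the border, looks like the following in BIND 9 terms. This is an added example, not a configuration from any of the posters or from Apple's OS X Server. The zone name example.lan, the LAN 192.168.1.0/24, the server addresses 192.168.1.1 and 203.0.113.10, the secondary 192.168.1.2, the public zone example.com, and the file paths are all assumptions standing in for the poster's own .lan zone and network.

```conf
// Added example named.conf (not from the thread). All names, addresses and
// paths below are assumptions for illustration.
//
// What leaks: a single global "zone example.lan" plus "recursion yes;" in
// options, listening on the public interface, answers the private zone and
// recurses for anyone who asks. Filtering port 53 at the border only masks
// that; the fix is to decide per client what BIND will answer, using views.

acl "internal" {
    127.0.0.0/8;
    192.168.1.0/24;        // the NAT'd LAN behind the server (assumed)
};

options {
    directory "/var/named";                               // assumed path
    listen-on { 127.0.0.1; 192.168.1.1; 203.0.113.10; };  // assumed interfaces
    allow-transfer { none; };      // default: no zone transfers to anyone
    version "not disclosed";       // don't advertise the BIND version
    // No global "recursion yes;": recursion is decided per view below.
};

// Clients matching the internal ACL get the private zone and recursion.
// Views are matched in order and the first match wins, so this one must
// come before the catch-all external view.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };

    zone "." { type hint; file "named.ca"; };

    // Forward zone for the LAN. The server's own A record lives here so
    // its forward lookup succeeds from inside.
    zone "example.lan" {
        type master;
        file "internal/example.lan.zone";
        allow-transfer { 192.168.1.2; };   // assumed internal secondary
    };

    // Reverse zone for the LAN, so the server's PTR record resolves too.
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "internal/1.168.192.in-addr.arpa.zone";
        allow-transfer { 192.168.1.2; };
    };
};

// Everyone else: no private zone, no root hints, no recursion. Only a
// public zone this server is authoritative for is answered here; drop the
// zone statement entirely if no public zone is hosted.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {               // assumed public zone
        type master;
        file "external/example.com.zone";
    };
};
```

Validate with `named-checkconf /etc/named.conf` and `named-checkzone example.lan /var/named/internal/example.lan.zone`, then test both sides of the split: `dig @192.168.1.1 server.example.lan A` from the LAN should return the record, while the same query sent to 203.0.113.10 from outside should be refused rather than answered, with no border filtering involved. `dig -x 192.168.1.1 @192.168.1.1` checks the reverse record the thread says OS X Server's features depend on. Two things catch people out: once views are in use every zone, including the root hints, has to live inside a view, and the internal view must be declared before the external one because match-clients is evaluated in order.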