The owner or authorized user of a valid copy of Mac OS
X Server software may reproduce this publication for the
purpose of learning to use such software. No part of this
publication may be reproduced or transmitted for
commercial purposes, such as selling copies of this
publication or for providing paid for support services.
Use of the “keyboard” Apple logo (Option-Shift-K) for
commercial purposes without the prior written consent
of Apple may constitute trademark infringement and
unfair competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, AppleScript, AppleShare,
AppleTalk, Mac, Mac OS, Macintosh, Power Mac, Power
Macintosh, QuickTime, Sherlock, and WebObjects are
trademarks of Apple Computer, Inc., registered in the
U.S. and other countries.
Adobe and PostScript are trademarks of Adobe Systems
Incorporated.
Java and all Java-based trademarks and logos are
trademarks or registered trademarks of Sun
Microsystems, Inc. in the U.S. and other countries.
UNIX is a registered trademark in the United States and
other countries, licensed exclusively through
X/Open Company, Ltd.
034-2351/9-20-03
Contents

Preface    5    How to Use This Guide
    5    What’s Included in This Guide
    5    Using This Guide
    6    Setting Up Mac OS X Server for the First Time
    6    Getting Help for Everyday Management Tasks
    6    Getting Additional Information

Chapter 1    7    DHCP Service
    7    Before You Set Up DHCP Service
    9    Setting Up DHCP Service for the First Time
    10    Managing DHCP Service
    14    Monitoring DHCP Service
    16    Where to Find More Information

Chapter 2    17    DNS Service
    18    Before You Set Up DNS Service
    18    Setting Up DNS Service for the First Time
    21    Managing DNS Service
    22    Managing Zones
    25    Managing Records
    28    Monitoring DNS
    30    Securing the DNS Server
    33    Common Network Administration Tasks That Use DNS Service
    37    Configuring BIND Using the Command Line
    41    Where to Find More Information

Chapter 3    43    IP Firewall Service
    45    Understanding Firewall Filters
    48    Setting Up Firewall Service for the First Time
    49    Managing Firewall Service
    55    Monitoring Firewall Service
    57    Practical Examples
    59    Common Network Administration Tasks That Use Firewall Service
    60    Advanced Configuration
    63    Port Reference
    66    Where to Find More Information

Chapter 4    67    NAT Service
    67    Starting and Stopping NAT Service
    68    Configuring NAT Service
    68    Monitoring NAT Service
    69    Where to Find More Information

Chapter 5    71    VPN Service
    72    VPN and Security
    73    Before You Set Up VPN Service
    73    Managing VPN Service
    76    Monitoring VPN Service
    77    Where to Find More Information

Chapter 6    79    NTP Service
    79    How NTP Works
    80    Using NTP on Your Network
    80    Setting Up NTP Service
    81    Configuring NTP on Clients
    81    Where to Find More Information

Chapter 7    83    IPv6 Support
    84    IPv6 Enabled Services
    84    IPv6 Addresses in the Server Admin
    84    IPv6 Addresses
    86    Where to Find More Information

Glossary    87
Index    95
Preface
How to Use This Guide
What’s Included in This Guide
This guide consists primarily of chapters that tell you how to administer various Mac OS X Server network services:
• DHCP
• DNS
• IP Firewall
• NAT
• VPN
• NTP
• IPv6 Support
Using This Guide
Each chapter covers a specific network service. Read any chapter that’s about a service you plan to provide to your users. Learn how the service works, what it can do for you, strategies for using it, how to set it up for the first time, and how to administer it over time.
Also take a look at chapters that describe services with which you’re unfamiliar. You may find that some of the services you haven’t used before can help you run your network more efficiently and improve performance for your users.
Most chapters end with a section called “Where to Find More Information.” This section points you to websites and other reference material containing more information about the service.
Setting Up Mac OS X Server for the First Time
If you haven’t installed and set up Mac OS X Server, do so now.
• Refer to Mac OS X Server Getting Started for Version 10.3 or Later, the document that came with your software, for instructions on server installation and setup. For many environments, this document provides all the information you need to get your server up, running, and available for initial use.
• Review this guide to determine which services you’d like to refine and expand, to identify new services you’d like to set up, and to learn about the server applications you’ll use during these activities.
• Read specific chapters to learn how to continue setting up individual services. Pay particular attention to the information in these sections: “Setup Overview,” “Before You Begin,” and “Setting Up for the First Time.”
Getting Help for Everyday Management Tasks
If you want to change settings, monitor services, view service logs, or do any other day-to-day administration task, you can find step-by-step procedures by using the onscreen help available with the server administration programs. While all the network services’ administration tasks are also documented in the network services administration guide, sometimes it’s more convenient to retrieve information in onscreen help form while using your server.
Getting Additional Information
In addition to this document, you’ll find information about Mac OS X Server:
• In Mac OS X Server Getting Started for Version 10.3 or Later, which tells you how to install and set up your server initially.
• At www.apple.com/server.
• In onscreen help on your server.
• In Read Me files on your server CD.
Chapter 1 DHCP Service
Dynamic Host Configuration Protocol (DHCP) service lets you administer and distribute
IP addresses to client computers from your server. When you configure the DHCP
server, you assign a block of IP addresses that can be made available to clients. Each
time a client computer configured to use DHCP starts up, it looks for a DHCP server on
your network. If a DHCP server is found, the client computer then requests an IP
address. The DHCP server checks for an available IP address and sends it to the client
computer along with a “lease period” (the length of time the client computer can use
the address) and configuration information.
You can use the DHCP module in Server Admin to:
• Configure and administer DHCP service.
• Create and administer subnets.
• Configure DNS, LDAP, and WINS options for client computers.
• View DHCP address leases.
If your organization has more clients than IP addresses, you’ll benefit from using DHCP
service. IP addresses are assigned on an as-needed basis, and when they’re not needed,
they’re available for use by other clients. You can use a combination of static and
dynamic IP addresses for your network if you need to. Read the next section for more
information about static and dynamic allocation of IP addresses.
Organizations may benefit from the features of DHCP service, such as the ability to set
Domain Name System (DNS) and Lightweight Directory Access Protocol (LDAP) options
for client computers without additional client configuration.
Before You Set Up DHCP Service
Before you set up DHCP service, read this section for information about creating
subnets, assigning static and dynamic IP addresses, locating your server on the
network, and avoiding reserved IP addresses.
Creating Subnets
Subnets are groupings of computers on the same network that simplify administration.
You can organize subnets any way that is useful to you. For example, you can create
subnets for different groups within your organization or for different floors of a
building. Once you have grouped client computers into subnets, you can configure
options for all the computers in a subnet at one time instead of setting options for
individual client computers. Each subnet needs a way to connect to the other subnets.
A hardware device called a router typically connects subnets.
Assigning IP Addresses Dynamically
With dynamic allocation, an IP address is assigned for a limited period of time (the lease time) or until the client computer doesn’t need the IP address, whichever comes first. By using short leases, DHCP can reassign IP addresses on networks that have more computers than available IP addresses.
Addresses allocated to Virtual Private Network (VPN) clients are distributed much like DHCP addresses, but they don’t come out of the same range of addresses as DHCP. If you plan on using VPN, be sure to leave some addresses unallocated by DHCP for use by VPN. To learn more about VPN, see Chapter 5, “VPN Service,” on page 71.
Using Static IP Addresses
Static IP addresses are assigned to a computer or device once and then don’t change.
You may want to assign static IP addresses to computers that must have a continuous
Internet presence, such as web servers. Other devices that must be continuously
available to network users, such as printers, may also benefit from static IP addresses.
Static IP addresses must be set up manually by entering the IP address on the
computer or device that is assigned the address. Manually configured static IP
addresses avoid possible issues certain services may have with DHCP-assigned
addresses and avoid the delay required for DHCP to assign an address.
Don’t include static IP address ranges in the range distributed by DHCP.
Locating the DHCP Server
When a client computer looks for a DHCP server, it broadcasts a message. If your DHCP
server is on a different subnet from the client computer, you must make sure the
routers that connect your subnets can forward the client broadcasts and the DHCP
server responses. A relay agent or router on your network that can relay BootP
communications will work for DHCP. If you don’t have a means to relay BootP
communications, you must place the DHCP server on the same subnet as your client.
Interacting With Other DHCP Servers
You may already have other DHCP servers on your network, such as AirPort Base
Stations. Mac OS X Server can coexist with other DHCP servers as long as each DHCP
server uses a unique pool of IP addresses. However, you may want your DHCP server to
provide an LDAP server address for client auto-configuration in managed
environments. AirPort Base Stations can’t provide an LDAP server address. Therefore, if
you want to use the auto-configuration feature, you must set up AirPort Base Stations
in Ethernet-bridging mode and have Mac OS X Server provide DHCP service. If the
AirPort Base Stations are on separate subnets, then your routers must be configured to
forward client broadcasts and DHCP server responses as described previously. If you
wish to provide DHCP service with AirPort Base Stations then you can’t use the client
auto-configuration feature and you must manually enter LDAP server addresses at
client workstations.
Using Multiple DHCP Servers on a Network
You can have multiple DHCP servers on the same network. However, it’s important that they’re configured properly so as not to interfere with each other. Each server needs a unique pool of IP addresses to distribute.
Assigning Reserved IP Addresses
Certain IP addresses can’t be assigned to individual hosts. These include addresses
reserved for loopback and addresses reserved for broadcasting. Your ISP won’t assign
such addresses to you. If you try to configure DHCP to use such addresses, you’ll be
warned that the addresses are invalid, and you’ll need to enter valid addresses.
Getting More Information on the DHCP Process
Mac OS X Server uses a daemon process called “bootpd” that is responsible for the
DHCP Service’s address allocation. You can learn more about bootpd and its advanced
configuration options by accessing its man page using the Terminal utility.
Setting Up DHCP Service for the First Time
If you used the Setup Assistant to configure ports on your server when you installed
Mac OS X Server, some DHCP information is already configured. You need to follow the
steps in this section to finish configuring DHCP service. You can find more information
about settings for each step in “Managing DHCP Service” on page 10.
Step 1: Create subnets
The following instructions show you how to create a pool of IP addresses that are
shared by the client computers on your network. You create one range of shared
addresses per subnet. These addresses are assigned by the DHCP server when a client
issues a request.
See “Creating Subnets in DHCP Service” on page 10.
Step 2: Set up logs for DHCP service
You can log DHCP activity and errors to help you monitor requests and identify
problems with your server.
DHCP service records diagnostic messages in the system log file. To keep this file from
growing too large, you can suppress most messages by changing your log settings in
the Logging pane of the DHCP service settings. For more information on setting up
logs for DHCP service, see “Setting the Log Detail Level for DHCP Service” on page 15.
Step 3: Start DHCP service
See “Starting and Stopping DHCP Service” on page 10.
Managing DHCP Service
This section describes how to set up and manage DHCP service on Mac OS X Server. It
includes starting service, creating subnets, and setting optional settings like LDAP or
DNS for a subnet.
Starting and Stopping DHCP Service
Follow these steps when starting or stopping DHCP. You must have at least one subnet
created and enabled.
To start or stop DHCP service:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Make sure at least one subnet and network interface is configured and selected.
3 Click Start Service or Stop Service.
When the service is turned on, the Stop Service button is available.
Creating Subnets in DHCP Service
Subnets are groupings of client computers on the same network that may be
organized by location (different floors of a building, for example) or by usage (all
eighth-grade students, for example). Each subnet has at least one range of IP addresses
assigned to it.
To create a new subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Click Add, or double-click an existing subnet.
5 Select the General tab.
6 Enter a descriptive name for the new subnet. (Optional)
7 Enter a starting and ending IP address for this subnet range.
Addresses must be contiguous, and they can’t overlap with other subnets’ ranges.
8 Enter the subnet mask for the network address range.
9 Choose the Network Interface from the pop-up menu.
10 Enter the IP address of the router for this subnet.
If the server you’re configuring now is the router for the subnet, enter this server’s
internal LAN IP address as the router’s address.
11 Define a lease time in hours, days, weeks, or months.
12 If you wish to set DNS, LDAP, or WINS information for this subnet, enter these now.
See “Setting the DNS Server for a DHCP Subnet” on page 12, “Setting LDAP Options for
a Subnet” on page 13, and “Setting WINS Options for a Subnet” on page 13 for more
information.
13 Click Save.
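Server Admin warns about invalid addresses when you save, but it is worth checking a planned set of subnet ranges before entering them, since the rules above (a contiguous range inside one network, no overlap with other subnets’ ranges or with static addresses, a router inside the subnet, and no network, broadcast, or loopback addresses) are exactly what goes wrong when several people maintain the address plan. The following is an added example, written for this guide and not Apple’s code; the `Subnet` class, the `check_subnet`/`check_all` functions, and the sample addresses are constructed for illustration.

```python
# Added example (not Apple's code): pre-flight checks for DHCP subnet ranges
# as Server Admin describes them: a contiguous range inside one network, no
# overlap with other subnets' ranges or with static addresses, the router
# inside the subnet, and no reserved (network, broadcast, loopback) addresses.
# Subnet names and addresses below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subnet:
    name: str
    start: str                 # first address in the dynamic range
    end: str                   # last address in the dynamic range
    mask: str                  # dotted subnet mask, e.g. 255.255.255.0
    router: str                # router address handed to clients
    lease_hours: int
    static: set = field(default_factory=set)   # manually assigned addresses


def check_subnet(sub):
    """Return a list of problems with one subnet (empty means it is valid)."""
    problems = []
    net = ipaddress.ip_network(f"{sub.start}/{sub.mask}", strict=False)
    start = ipaddress.ip_address(sub.start)
    end = ipaddress.ip_address(sub.end)
    router = ipaddress.ip_address(sub.router)
    if start > end:
        problems.append("range start is after range end")
    if end not in net:
        problems.append(f"range end {end} is outside {net}")
    if router not in net:
        problems.append(f"router {router} is outside {net}")
    for addr in (start, end):
        # Addresses that can never be assigned to a host.
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            problems.append(f"{addr} is a reserved address")
    for s in sorted(sub.static, key=ipaddress.ip_address):
        a = ipaddress.ip_address(s)
        if start <= a <= end:
            problems.append(f"static address {a} is inside the dynamic range")
    if sub.lease_hours <= 0:
        problems.append("lease time must be positive")
    return problems


def ranges_overlap(a, b):
    """True when two subnets' dynamic ranges share at least one address."""
    a0, a1 = ipaddress.ip_address(a.start), ipaddress.ip_address(a.end)
    b0, b1 = ipaddress.ip_address(b.start), ipaddress.ip_address(b.end)
    return a0 <= b1 and b0 <= a1


def check_all(subnets):
    """Check each subnet and every pair of subnets for overlapping ranges."""
    report = {s.name: check_subnet(s) for s in subnets}
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if ranges_overlap(a, b):
                report[a.name].append(f"range overlaps with subnet {b.name}")
                report[b.name].append(f"range overlaps with subnet {a.name}")
    return report


# Constructed sample: "floor2" is deliberately misconfigured.
SAMPLE = [
    Subnet("floor1", "10.0.1.100", "10.0.1.200", "255.255.255.0",
           "10.0.1.1", 24, static={"10.0.1.10"}),
    Subnet("floor2", "10.0.1.150", "10.0.1.255", "255.255.255.0",
           "10.0.2.1", 24, static={"10.0.1.160"}),
]

if __name__ == "__main__":
    for name, problems in check_all(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```

Running the block reports `floor1` as valid except for its overlap with `floor2`, and lists four problems for `floor2`: a router outside the subnet, a range that ends on the broadcast address, a static address inside the dynamic range, and the overlap. The same checks apply when you later change a range with “Changing Subnet Settings in DHCP Service.”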
Changing Subnet Settings in DHCP Service
Use Server Admin to make changes to existing DHCP subnet settings. You can change
IP address range, subnet mask, network interface, router, or lease time.
To change subnet settings:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet.
5 Click Edit.
6 Make the changes you want.
These changes can include adding DNS, LDAP, or WINS information. You can also
redefine address ranges or redirect the network interface that responds to DHCP
requests.
7 Click Save.
Deleting Subnets From DHCP Service
You can delete subnets and subnet IP address ranges when they will no longer be
distributed to clients.
To delete subnets or address ranges:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select a subnet.
4 Click Delete.
5 Click Save to confirm the deletion.
Changing IP Address Lease Times for a Subnet
You can change how long IP addresses in a subnet are available to client computers.
To change the lease time for a subnet address range:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet range and click Edit.
5 Select the General tab.
6 Select a time scale from the Lease Time pop-up menu (hours, days, weeks, or months).
7 Enter a number in the Lease Time field.
8 Click Save.
Setting the DNS Server for a DHCP Subnet
You can decide which DNS servers and default domain name a subnet should use.
DHCP service provides this information to the client computers in the subnet.
To set DNS options for a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet and click Edit.
5 Select the DNS tab.
6 Enter the default domain of the subnet.
7 Enter the primary and secondary name server IP addresses you want DHCP clients to
use.
8 Click Save.
Setting LDAP Options for a Subnet
You can use DHCP to provide your clients with LDAP server information rather than
manually configuring each client’s LDAP information. The order in which the LDAP
servers appear in the list determines their search order in the automatic Open Directory
search policy.
If you are using this Mac OS X Server as an LDAP master, the LDAP options will be pre-populated with the necessary configuration information. If your LDAP master server is another machine, you’ll need to know the domain name or IP address of the LDAP database you want to use. You will also need to know the LDAP search base.
To set LDAP options for a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet and click Edit.
5 Click the LDAP tab.
6 Enter the domain name or IP address of the LDAP server for this subnet.
7 Enter the search base for LDAP searches.
8 Enter the LDAP port number, if you’re using a non-standard port.
9 Select LDAP over SSL, if necessary.
10 Click Save.
Setting WINS Options for a Subnet
You can give additional information to client computers running Windows in a subnet
by adding the Windows-specific settings to the DHCP supplied network configuration
data. These Windows-specific settings allow Windows clients to browse their Network
Neighborhood.
You must know the domain name or IP address of the WINS/NBNS primary and secondary servers (this is usually the IP address of the DHCP server itself), and the NBT node type (which is usually “broadcast”). The NBDD Server and the NetBIOS Scope ID are typically not used, but you may need to use them, depending on your Windows clients’ configuration and Windows network infrastructure.
To set WINS options for a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet and click Edit.
5 Click the WINS tab.
6 Enter the domain name or IP address of the WINS/NBNS primary and secondary servers
for this subnet.
7 Enter the domain name or IP address of the NBDD server for this subnet.
8 Choose the NBT node type from the pop-up menu.
9 Enter the NetBIOS Scope ID.
10 Click Save.
Disabling Subnets Temporarily
You can temporarily shut down a subnet without losing all its settings. This means no
IP addresses from the subnet’s range will be distributed on the selected interface to
any client.
To disable a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Deselect “Enable” next to the subnet you want to disable.
Monitoring DHCP Service
You’ll need to monitor DHCP service. There are two main ways to monitor DHCP
service. First, you can view the client list; second, you can monitor the log files
generated by the service. You can use the service logs to help troubleshoot network
problems. The following sections discuss these aspects of monitoring DHCP service.
Viewing the DHCP Status Overview
The status overview shows a simple summary of the DHCP service. It shows whether or
not the service is running, how many clients it has, and when service was started. It
also shows how many IP addresses are statically assigned from your subnets and the
last time the client database was updated.
To see the overview:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click the Overview button.
Setting the Log Detail Level for DHCP Service
You can choose the level of detail you want to log for DHCP service.
• “Low (errors only)” will indicate conditions for which you need to take immediate
action (for example, if the DHCP server can’t start up). This level corresponds to
bootpd reporting in “quiet” mode, with the “-q” flag.
• “Medium (errors and warnings)” can alert you to conditions in which data is
inconsistent, but the DHCP server is still able to operate. This level corresponds to
default bootpd reporting.
• “High (all events)” will record all activity by the DHCP service, including routine
functions. This level corresponds to bootpd reporting in “verbose” mode, with the “-v”
flag.
To set up the log detail level:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Logging tab.
4 Choose the logging option you want.
5 Click Save.
Viewing DHCP Log Entries
If you’ve enabled logging for DHCP service, you can check the system log for DHCP
errors.
To see DHCP log entries:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Log.
Viewing the DHCP Client List
The DHCP Clients window gives the following information for each client:
• The IP address served to the client.
• The number of days of lease time left, until the time is less than 24 hours; then the
number of hours and minutes.
• The DHCP client ID. This is usually, but not always, the same as the hardware address.
• The computer name.
• The Ethernet ID.
To view the DHCP client list:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Clients.
Click any column heading to sort the list by different criteria.
Where to Find More Information
Request for Comments (RFC) documents provide an overview of a protocol or service
and details about how the protocol should behave. If you’re a novice server
administrator, you’ll probably find some of the background information in an RFC
helpful. If you’re an experienced server administrator, you can find all the technical
details about a protocol in its RFC document. You can search for RFC documents by
number at www.faqs.org/rfcs.
For details about DHCP, see RFC 2131.
For more information on bootpd and its advanced configuration options, see bootpd’s
man page.
Chapter 2 DNS Service
When your clients want to connect to a network resource such as a web or file server,
they typically request it by its domain name (such as www.example.com) rather than
by its IP address (such as 192.168.12.12). The Domain Name System (DNS) is a distributed
database that maps IP addresses to domain names so your clients can find the
resources by name rather than by numerical address.
A DNS server keeps a list of domain names and the IP addresses associated with each
name. When a computer needs to find the IP address for a name, it sends a message to
the DNS server (also known as a name server). The name server looks up the IP address
and sends it back to the computer. If the name server doesn’t have the IP address
locally, it sends messages to other name servers on the Internet until the IP address is
found.
Setting up and maintaining a DNS server is a complex process. Therefore many
administrators rely on their Internet Service Provider (ISP) for DNS services. In this case,
you only have to configure your network preferences with the name server IP address
provided by your ISP.
If you don’t have an ISP to handle DNS requests for your network and any of the
following is true, you need to set up DNS service:
• You don’t have the option to use DNS from your ISP or other source.
• You plan on making frequent changes to the namespace and want to maintain it
yourself.
• You have a mail server on your network and you have difficulties coordinating with
the ISP that maintains your domain.
Mac OS X Server uses Berkeley Internet Name Domain (BIND v.9.2.2) for its
implementation of DNS protocols. BIND is an open-source implementation and is used
by the majority of name servers on the Internet.
Before You Set Up DNS Service
This section contains information you should consider before setting up DNS on your
network. The issues involved with DNS administration are complex and numerous. You
should only set up DNS service on your network if you’re an experienced DNS
administrator.
You should consider creating a mail account called “hostmaster” that receives mail and
delivers it to the person that runs the DNS server at your site. This allows users and
other DNS administrators to contact you regarding DNS problems.
DNS and BIND
You should have a thorough understanding of DNS before you attempt to set up your
own DNS server. A good source of information about DNS is DNS and BIND, 4th edition,
by Paul Albitz and Cricket Liu (O’Reilly and Associates, 2001).
Note: Apple can help you locate a network consultant to implement your DNS service.
You can contact Apple Professional Services and Apple Consultants Network on the
web at www.apple.com/services/ or www.apple.com/consultants.
Setting Up Multiple Name Servers
You should set up at least one primary and one secondary name server. That way, if the
primary name server unexpectedly shuts down, the secondary name server can
continue to provide service to your users. A secondary server gets its information from
the primary server by periodically copying all the domain information from the primary
server.
Once a name server learns a name/address pair of a host in another domain (outside
the domain it serves), the information is cached, which ensures that IP addresses for
recently resolved names are stored for later use. DNS information is usually cached on
your name server for a set time, referred to as a time-to-live (TTL) value. When the TTL
for a domain name/IP address pair has expired, the entry is deleted from the name
server’s cache and your server will request the information again as needed.
Setting Up DNS Service for the First Time
If you’re using an external DNS name server and you entered its IP address in the Setup
Assistant, you don’t need to do anything else. If you’re setting up your own DNS server,
follow the steps in this section.
Step 1: Register your domain name
Domain name registration is managed by a central organization, the Internet Assigned
Numbers Authority (IANA). IANA registration makes sure domain names are unique
across the Internet. (See www.iana.org for more information.) If you don’t register your
domain name, your network won’t be able to communicate over the Internet.
Once you register a domain name, you can create subdomains within it as long as you
set up a DNS server on your network to keep track of the subdomain names and IP
addresses.
For example, if you register the domain name “example.com,” you could create
subdomains such as “host1.example.com,” “mail.example.com,” or “www.example.com.”
A server in a subdomain could be named “primary.www.example.com,” or
“backup.www.example.com.” The DNS server for example.com keeps track of
information for its subdomains, such as host (or computer) names, static IP addresses,
aliases, and mail exchangers. If your ISP handles your DNS service, you’ll need to inform
them of any changes you make to your namespace, including adding subdomains.
The range of IP addresses for use with a given domain must be clearly defined before
setup. These addresses are used exclusively for one specific domain (never by another
domain or subdomain). The range of addresses should be coordinated with your
network administrator or ISP.
Step 2: Learn and plan
If you’re new to working with DNS, learn and understand DNS concepts, tools, and
features of Mac OS X Server and BIND. See “Where to Find More Information” on
page 41.
Then plan your Domain Name System Service. You may consider the following
questions when planning:
• Do you even need a local DNS server? Does your ISP provide DNS service? Could you
use Rendezvous names instead?
• How many servers will you need for anticipated load? How many servers will you
need for backup purposes? For example, you should designate a second or even
third computer for backup DNS service.
• What is your security strategy to deal with unauthorized use?
• How often should you schedule periodic inspections or tests of the DNS records to
verify data integrity?
• How many services or devices (like an intranet website or a network printer) are
there that will need a name?
• What method should you use to configure DNS?
There are two ways to configure DNS service on Mac OS X Server. First, and
recommended, you can use Server Admin to set up DNS service. For more information,
see “Managing DNS Service” on page 21 for instructions.
The second way to configure DNS is by editing the BIND configuration file. BIND is the
set of programs used by Mac OS X Server that implements DNS. One of those programs
is the name daemon, or named. To set up and configure BIND, you need to modify the
configuration file and the zone file.
The configuration file is:
/etc/named.conf
The zone file name is based on the name of the zone. For example, the zone file for “example.com” is:
/var/named/example.com.zone
See “Configuring BIND Using the Command Line” on page 37 for more information.
Step 3: Configure basic DNS settings
See “Managing DNS Service” on page 21 for more information.
Step 4: Create a DNS Zone
Use Server Admin to set up DNS zones. See “Managing Zones” on page 22 for
instructions. After adding a master zone, Server Admin automatically creates an NS
record with the same name as the Source of Authority (SOA).
Step 5: Add address and additional records to the zone
Use Server Admin to add additional records to your zone. Create an Address record for every computer or device (printer, file server, etc.) that has a static IP address and needs a name. When you create an A record, you have the option to specify the creation of a reverse lookup record and its corresponding zone. See “Managing Records” on page 25 for instructions.
Step 6: Set up a mail exchange (MX) record (optional)
If you provide mail service over the Internet, you need to set up an MX record for your
server. See “Setting Up MX Records” on page 33 for more information.
Step 7: Configure the reverse lookup zone (optional)
For each zone that you create, Mac OS X Server creates a reverse lookup zone. Reverse
lookup zones translate IP addresses to domain names, rather than normal lookups
which translate domain names to IP addresses. If you have not specified reverse lookup
records when initially creating your A records, you might need to configure your
reverse lookup zone after its creation.
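Steps 4 through 7 amount to one forward zone plus one reverse lookup zone per /24 network your A records live in. The following added example (written for this guide, not Apple’s or BIND’s code) derives the reverse zone names and PTR records from a set of A records and renders each zone in BIND zone-file syntax, including the NS record that Server Admin adds for a new master zone. The `A_RECORDS` data, the SOA timer values, and the function names are constructed for illustration; only /8, /16 and /24 reverse zones are handled.

```python
# Added example (not Apple's or BIND's code): derive reverse lookup zones and
# PTR records from the A records of a forward zone, then render both kinds of
# zone as BIND zone files. Hostnames and addresses are constructed.
import ipaddress
from collections import defaultdict

# Constructed A records for the example.com zone (hostname -> IPv4 address).
A_RECORDS = {
    "ns1.example.com.": "192.168.12.2",
    "mail.example.com.": "192.168.12.10",
    "www.example.com.": "192.168.12.12",
    "printer.example.com.": "192.168.13.7",
}


def reverse_zone_name(network):
    """Return the in-addr.arpa zone name for an IPv4 /8, /16 or /24 network."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(a_records, prefixlen=24):
    """Group hosts by network: {reverse_zone: [(ptr_owner, hostname), ...]}."""
    zones = defaultdict(list)
    for host, ip in a_records.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        zone = reverse_zone_name(str(net))
        # reverse_pointer gives e.g. "12.12.168.192.in-addr.arpa"
        ptr_owner = ipaddress.ip_address(ip).reverse_pointer + "."
        zones[zone].append((ptr_owner, host))
    return {z: sorted(recs) for z, recs in zones.items()}


def render_zone(origin, records, primary_ns="ns1.example.com.",
                hostmaster="hostmaster.example.com.", serial=2003092001):
    """Render a minimal zone file: SOA, the NS record for the zone's own
    name server (Server Admin creates this for a new master zone), and the
    resource records given as (owner, type, value) tuples."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 86400",
        # refresh, retry, expire, minimum are constructed sample values
        f"@ IN SOA {primary_ns} {hostmaster} ({serial} 3600 900 604800 86400)",
        f"@ IN NS {primary_ns}",
    ]
    for owner, rtype, value in records:
        lines.append(f"{owner} IN {rtype} {value}")
    return "\n".join(lines) + "\n"


def build_zone_files(origin, a_records):
    """Return {zone_origin: zone_file_text} for the forward zone and every
    reverse lookup zone its A records require."""
    files = {origin: render_zone(origin, [(h, "A", ip) for h, ip in a_records.items()])}
    for rzone, recs in ptr_records(a_records).items():
        files[rzone] = render_zone(rzone, [(owner, "PTR", host) for owner, host in recs])
    return files


if __name__ == "__main__":
    for origin, text in build_zone_files("example.com.", A_RECORDS).items():
        print(f"--- {origin}\n{text}")
```

Because the sample hosts span two /24 networks, the block produces three zone files: `example.com.`, `12.168.192.in-addr.arpa.`, and `13.168.192.in-addr.arpa.`. Every PTR record is derived from an A record, so a host that is renamed or renumbered in the forward zone cannot be silently left with a stale reverse entry, which is the mismatch the “Configure the reverse lookup zone” step is meant to catch.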
Step 8: Start DNS service
Mac OS X Server includes a simple interface for starting and stopping DNS service.
See “Starting and Stopping DNS Service” on page 21 for more information.
Managing DNS Service
Mac OS X Server provides a simple interface for starting and stopping DNS service as
well as viewing logs and status. Basic DNS settings can be configured with Server
Admin. More advanced features require configuring BIND from the command-line, and
are not covered here.
Starting and Stopping DNS Service
Use this procedure to start or stop DNS service. Remember to restart the DNS service
whenever you make changes to the DNS service in Server Admin.
To start or stop DNS service:
1 In Server Admin, choose DNS from the Computers & Services list.
2 Make sure you have at least one Zone and its reverse lookup zone created and fully
configured.
3 Click Start Service or Stop Service.
The service may take a moment to start (or stop).
Enabling or Disabling Zone Transfers
In the Domain Name System, zone data is replicated among authoritative DNS servers
by means of the “zone transfer.” Secondary DNS servers (“slaves”) use zone transfers to
acquire their data from primary DNS servers (“masters”). Zone transfers must be
enabled to use secondary DNS servers.
To enable or disable zone transfer:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the General tab.
4 Select or deselect Allow Zone Transfers as needed.
Enabling or Disabling Recursion
Recursion is the process by which a DNS server fully resolves a domain name into an IP
address on a client’s behalf. Users’ applications depend on the DNS server to perform
this function. Other DNS servers that query yours don’t need it to perform recursion.
To prevent malicious users from altering the master zone’s records (“cache poisoning”),
or from using the server for unauthorized DNS service, you can disable recursion.
However, if you disable it, your own users won’t be able to use your DNS service to look
up any names outside of your zones.
Disable recursion only if no clients are using this DNS server for name resolution and
no servers are using it for forwarding.
To enable or disable recursion:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the General tab.
4 Select or deselect Allow Recursion as needed.
If you enable recursion, consider disabling it for external IP addresses while keeping it
enabled for LAN IP addresses, by editing BIND’s named.conf file. See BIND’s
documentation for more information.
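The split described above, as an added example that is not part of the Apple manual or of BIND’s own documentation: a named.conf fragment that keeps recursion for LAN clients only. The network 192.168.1.0/24 is a constructed placeholder for your own LAN range.

```conf
// Added example (not from the Apple manual or BIND's documentation): limit
// recursion in named.conf to the local network. 192.168.1.0/24 is a
// constructed placeholder; replace it with your own LAN range.

// Weak form: recursion on for every client. Any host on the Internet can use
// this server as an open resolver, and answers it fetches for strangers end
// up in the same cache your own users read from.
//
// options {
//     recursion yes;
// };

// Hardened form: name the LAN once, then allow recursion only from it.
acl "lan" {
    127.0.0.1;           // the server itself
    192.168.1.0/24;      // constructed LAN range
};

options {
    recursion yes;               // LAN clients still get full resolution
    allow-recursion { "lan"; };  // everyone else is answered only from the
                                 // zones this server is authoritative for
    allow-query { any; };        // master zones stay reachable from anywhere
};
```

After editing named.conf, restart DNS service (see “Starting and Stopping DNS Service”) so BIND reads the new options.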
Managing Zones
Zones are the basic organizational unit of the Domain Name System. Zones contain
records and are defined by how they acquire those records, and how they respond to
DNS requests. There are three kinds of zones:
Master
A master zone has the master copy of the zone’s records, and provides authoritative
answers to lookup requests.
Slave
A slave zone is a copy of a master zone stored on a slave or secondary name server.
Each slave zone keeps a list of masters that it contacts to receive updates to records in
the master zone. Slaves must be configured to request the copy of the master zone’s
data. Slave zones use zone transfers to get copies of the master zone data. Slave name
servers can take lookup requests like master servers. By using several slave zones linked
to one master, you can distribute DNS query loads across several computers and ensure
lookup requests are answered when the master name server is down.
Slave zones also have a refresh interval, which determines how often slave zones check
for changes from the master zone. You can change the zone refresh interval by editing
BIND’s configuration file. See BIND’s documentation for more information.
Forward
A forward zone directs all lookup requests for that zone to other DNS servers. Forward
zones don’t do zone transfers. Often, forward zone servers are used to provide DNS
services to a private network behind a firewall. In this case, the DNS server must have
access to the Internet and a DNS server outside the firewall.
Adding a Master Zone
A master zone has the master copy of the zone’s records and provides authoritative
answers to lookup requests. After adding a master zone, Server Admin automatically
creates an NS record with the same name as the Source of Authority (SOA).
To add a master zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click Add beneath the Zones list.
5 Enter a zone name.
The zone name must have a trailing period: “example.com.”
6 Choose Master from the Zone Type pop-up menu.
7 Enter the hostname of the domain’s SOA.
If this computer will be the authoritative name server for the domain, enter the
computer’s hostname (with a trailing period). For example, “ns.example.com.”
8 Enter the email address of the zone’s administrator.
The email address must not contain an “@”; use a period in its place, and add a trailing
period. For example, enter the email address “admin@example.com” as
“admin.example.com.” (Remember to keep the trailing period.)
9 Click OK and then click Save.
Adding a Slave Zone
A slave zone is a copy of a master zone stored on a slave or secondary name server.
Slaves must be configured to request the copy of the master zone’s data. Slave zones
use zone transfers to get copies of the master zone data.
To add a slave zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click Add beneath the Zones list.
5 Enter a zone name.
The Zone name must have a trailing period: “example.com.”
6 Choose Slave from the Zone Type pop-up menu.
7 Click OK.
8 Click Add under the “Master servers for backup” pane.
9 Enter the IP addresses for the master servers for this zone.
10 Click Save.
Adding a Forward Zone
A forward zone directs all lookup requests to other DNS servers.
To add a forward zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click Add beneath the Zones list.
5 Enter a zone name.
The Zone name must have a trailing period: “example.com.”
6 Choose the Forward zone type from the Zone Type pop-up menu.
7 Click OK.
8 Click Add under the “Forward servers for fwd” pane.
9 Enter the IP addresses of the DNS servers to which this zone forwards lookups.
10 Click Save.
Duplicating a Zone
You can create a copy of an existing zone on the same computer. You could use this to
speed up configuration of multiple zones.
To duplicate a zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click the Duplicate button beneath the Zones list.
5 If desired, double-click the newly duplicated zone to change the zone name, SOA or
administrator email address.
6 Click Save.
Modifying a Zone
This section describes modifying a zone’s type and settings but not modifying the
records within a zone. You may need to change a zone’s administrator address, type, or
domain name.
To modify a zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click the Edit button beneath the Zones list.
5 Change the zone name, type, or administrator email address as needed.
For more information on zone types, see “Managing Zones” on page 22.
6 Click OK, and click Save.
Deleting a Zone
This section describes how to delete an existing zone. This deletes the zone and all the
records associated with it.
To delete a zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click the Delete button beneath the Zones list.
5 Click Save to confirm the deletion.
Managing Records
Each zone contains a number of records. These records are requested when a client
computer needs to translate a domain name (like www.example.com) to an IP number.
Web browsers, email clients, and other network applications rely on a zone’s records to
contact the appropriate server.
The master zone’s records will be queried by others across the Internet so they can
connect to your network services. There are several kinds of DNS records. The records
that can be configured through Server Admin’s user interface are:
• Address (A): Stores the IP address associated with a domain name.
• Canonical Name (CNAME): Stores the “real name” of a server when given a “nickname”
or alias. For example, mail.apple.com might have a canonical name of
MailSrv473.apple.com.
• Mail Exchanger (MX): Stores the domain name of the computer that is used for email
in a zone.
• Name Server (NS): Stores the authoritative name server for a given zone.
• Pointer (PTR): Stores the domain name of a given IP address (reverse lookup).
• Text (TXT): Stores a text string as a response to a DNS query.
If you need access to other kinds of records, you’ll need to edit BIND’s configuration
files manually. Please see BIND’s documentation for details.
Adding a Record to a Zone
You need to add records for each domain name (example.com) and subdomain name
(machine.example.com) for which the DNS master zone has responsibility. You should
not add records for domain names that this zone doesn’t control.
To add a record:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the Zone to which this record will be added.
5 Click the Add button beneath the Records list.
6 Select a record type from the Type pop-up menu.
7 In the first field, enter the fully qualified domain name.
The domain name must have a trailing period: “example.com.”
If you’re creating a PTR record, enter the IP address instead.
If you’re creating a TXT record, enter the text string you want.
8 In the second field, for the following record types, enter:
• A records: the IP address.
• AAAA records: the IPv6 address.
• CNAME records: the real name of the computer.
• MX records: the name (with trailing period) or IP address of the domain’s mail
exchanger.
• PTR records: the full domain name with trailing period.
9 If creating an A record, select “Create reverse mapping record” to automatically create
its corresponding PTR record.
10 Click OK, and click Save.
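What the master-zone and record steps above produce on disk, as an added example that is not part of the Apple manual: a BIND zone file for the constructed domain example.com., with name server ns.example.com. at 192.0.2.1 and administrator admin@example.com, followed by its reverse lookup zone. All names and addresses are placeholders.

```conf
; Added example (not from the Apple manual): forward zone file for example.com.
; Every name and address below is a constructed placeholder.
$TTL 86400
; SOA: zone name, SOA hostname and administrator address all end in a period,
; and the "@" in admin@example.com becomes a period.
example.com.      IN  SOA  ns.example.com. admin.example.com. (
                           2003092001 ; serial: raise it on every change so slaves refresh
                           10800      ; refresh: how often slaves check the master
                           3600       ; retry: wait after a failed refresh
                           604800     ; expire: slaves stop answering after this long
                           86400 )    ; negative-caching TTL
; NS record that Server Admin creates automatically, named like the SOA host.
example.com.      IN  NS   ns.example.com.
; Address (A) records, one per host with a static address.
ns.example.com.         IN  A     192.0.2.1
www.example.com.        IN  A     192.0.2.10
mailsrv473.example.com. IN  A     192.0.2.25
; Canonical Name: the alias on the left, the "real name" on the right.
mail.example.com.       IN  CNAME mailsrv473.example.com.
; Mail Exchanger: preference, then the mail host's name with a trailing period.
; Point it at the A record, not at the CNAME alias.
example.com.            IN  MX    10 mailsrv473.example.com.
; Text record.
example.com.            IN  TXT   "constructed example zone"

; ---- second file: the reverse lookup zone 2.0.192.in-addr.arpa. ----
; It holds the PTR records that "Create reverse mapping record" adds for
; each A record above; the address octets are reversed in the name.
$TTL 86400
2.0.192.in-addr.arpa.     IN  SOA  ns.example.com. admin.example.com. (
                                   2003092001 10800 3600 604800 86400 )
2.0.192.in-addr.arpa.     IN  NS   ns.example.com.
1.2.0.192.in-addr.arpa.   IN  PTR  ns.example.com.
10.2.0.192.in-addr.arpa.  IN  PTR  www.example.com.
25.2.0.192.in-addr.arpa.  IN  PTR  mailsrv473.example.com.
```

A name without the trailing period would be treated as relative to the zone and silently become, for example, “ns.example.com.example.com.”, which is the most common cause of a zone that loads but answers nothing useful.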
Modifying a Record in a Zone
If you make frequent changes to the namespace for the domain, you’ll need to update
the DNS records as often as that namespace changes. Upgrading hardware or adding
to a domain name might require updating the DNS records as well.
To modify a record:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the Zone in which this record will be modified.
5 Double-click the record to be modified, or select the record and click the Edit button.
6 Modify the record as needed.
You can change the hostname, record type, or IP number.
7 Click OK.
Deleting a Record From a Zone
You should delete records whenever a domain name is no longer associated with a
working address.
To delete a record:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the zone from which this record will be deleted.
5 Select the record to be deleted.
6 Click the Delete button beneath the Records list.
7 Click Save to confirm the deletion.
Monitoring DNS
You may want to monitor DNS status to troubleshoot name resolution problems, check
how often the DNS service is used, or even check for unauthorized or malicious DNS
service use. This section discusses common monitoring tasks for DNS service.
Viewing DNS Service Status
You can check the DNS Status window to see:
• Whether the service is running.
• The version of BIND (the underlying software for DNS) that is running.
• When the service was started and stopped.
• The number of zones allocated.
To view DNS service status:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click the Overview button for general DNS service information.
Viewing DNS Service Activity
You can check the DNS Status window to see:
• The number of transfers running and deferred.
• Whether the service is loading the configuration file.
• If the service is priming.
• Whether query logging is turned on or off.
• The number of Start of Authority (SOA) queries in progress.
To view DNS service activity:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Activity to view operations currently in progress.
Viewing DNS Log Entries
DNS service creates entries in the system log for error and alert messages.
To see DNS log entries:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Log.
Changing DNS Log Detail Levels
You can change the detail level of the DNS service log. You may want a highly detailed
log for debugging, or a less detailed log that only shows critical warnings.
To change the log detail level:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Logging tab.
4 Choose the detail level from the Log Level pop-up menu.
The possible log levels are:
• Critical (less detailed)
• Error
• Warning
• Notice
• Information
• Debug (most detailed)
Changing DNS Log File Location
You can change the location of the DNS service log. You may want to put it somewhere
other than the default path.
To change the log file location:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Logging tab.
4 Enter the desired file path for the DNS service log, or select a path using the Browse
button.
If no path is entered, the default location is /var/logs/.
Viewing DNS Usage Statistics
You can check the DNS Statistics window to see statistics on common DNS queries.
Some common DNS queries begin with the following:
• Name Server (NS): Asks for the authoritative name server for a given zone.
• Address (A): Asks for the IP address associated with a domain name.
• Canonical Name (CName): Asks for the “real name” of a server when given a
“nickname” or alias. For example, mail.apple.com might have a canonical name of
MailSrv473.apple.com.
• Pointer (PTR): Asks for the domain name of a given IP address (reverse lookup).
• Mail Exchanger (MX): Asks which computer in a zone is used for email.
• Start Of Authority (SOA): Asks for name server information shared with other name
servers and possibly the email address of the technical contact for this name server.
• Text (TXT): Asks for text records used by the administrator.
To see DNS usage statistics:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Activity to view operations currently in progress and usage statistics.
Securing the DNS Server
Like other Internet servers, DNS servers are targeted by malicious computer users
(commonly called “hackers”). There are several kinds of attacks that DNS servers are
susceptible to. By taking extra precautions, you can prevent the problems and
downtime associated with malicious users. The main kinds of attack associated with
DNS service are:
• DNS Spoofing.
• Server Mining.
• DNS Service Profiling.
• Denial-of-Service (DoS).
• Service Piggybacking.
DNS Spoofing
DNS spoofing is the insertion of false data into the DNS server’s cache. This allows
hackers to do any of the following:
• Redirect real domain name queries to alternative IP addresses.
For example, a falsified A record for a bank could point a user’s browser to a
different IP address that is controlled by the hacker. A duplicate website could fool
the user into unintentionally giving their bank account numbers and passwords to
the hacker.
Also, a falsified mail record could allow a hacker to intercept mail sent to or from a
domain. If the hacker also forwards those emails to the correct mail server after
copying them, this can go undetected indefinitely.
• Prevent proper domain name resolution and access to the Internet.
This is the most benign of DNS spoof attacks. It merely makes a DNS server appear to
be malfunctioning.
The most effective method to guard against these attacks is vigilance. This includes
keeping software up to date as well as auditing your DNS records regularly. As
exploits are found in the current version of BIND, the exploit is patched and a Security
Update is made available for Mac OS X Server. Apply all such security patches. Regular
audits of your DNS records are also valuable in preventing these attacks.
Server Mining
Server mining is the practice of obtaining a copy of a complete master zone by
requesting a zone transfer. In this case, a hacker pretends to be a slave server for the
master zone and requests a copy of all of the master zone’s records.
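The zone-transfer controls described under “Enabling or Disabling Zone Transfers” and the server-mining risk above, as an added example that is not part of the Apple manual or of BIND’s own documentation: a named.conf fragment that allows transfers only to your own slave servers. The slave address 192.0.2.53 and the zone file names are constructed placeholders.

```conf
// Added example (not from the Apple manual or BIND's documentation): restrict
// zone transfers so only your own slaves can copy a master zone. The slave
// address 192.0.2.53 and the file names are constructed placeholders.

// Weak form: nothing restricts transfers, so any host that asks for a zone
// transfer receives every record in the zone (the "server mining" above).
//
// zone "example.com." {
//     type master;
//     file "example.com.zone";
// };

// Hardened form: name the slaves once, deny transfers by default, and allow
// them only for zones that actually have secondaries.
acl "secondaries" {
    192.0.2.53;          // constructed slave address
};

options {
    allow-transfer { none; };    // global default: no transfers unless a zone allows them
};

zone "example.com." {
    type master;
    file "example.com.zone";            // constructed file name
    allow-transfer { "secondaries"; };  // only the listed slaves may copy the zone
    also-notify { 192.0.2.53; };        // tell the slaves when the serial changes
};

// A zone with no secondaries inherits the global "none" and cannot be mined.
zone "private.example.com." {
    type master;
    file "private.example.com.zone";    // constructed file name
};
```

The server still answers ordinary lookups for these zones from anywhere; only the bulk copy is limited to the listed slaves.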