
corbywan

macrumors regular
Original poster
Feb 4, 2008
Forest Grove, OR
I'm a newb at setting up DNS. I get some of the big picture concepts but have never had to do one myself. This is part of the educational process.

I have a Mac Mini server with SLS. It's behind an Airport Extreme. It is going to perform all services for our organization. Web, mail, pretty much everything it can do it will do. For the A record (Machine) do I put my static public IP or the internal private IP? Is it better to add CNAME (Alias) records for the other services that point to my root domain name (example.com) or A records that point to the public (or private?) IP address? The SLS docs say to use CNAMEs, but looking at dreamhost (who is currently doing my DNS for a couple of domains) it looks like they use A records pointing to the same IP for things like FTP, instead of a CNAME. Is it a matter of preference?

I would also like this machine to become the primary name server for the domain with a couple of off-site servers as the secondary and third name servers. Is this also an A record? If dreamhost is my registrar and I tell them I'd like ns1.example.com to be the name server, how do they know the IP address of the ns1 box?

Thanks in advance. I am Googling this stuff and trying to educate myself.
 

belvdr

macrumors 603
Aug 15, 2005
> I'm a newb at setting up DNS. I get some of the big picture concepts but have never had to do one myself. This is part of the educational process.
>
> I have a Mac Mini server with SLS. It's behind an Airport Extreme. It is going to perform all services for our organization. Web, mail, pretty much everything it can do it will do. For the A record (Machine) do I put my static public IP or the internal private IP? Is it better to add CNAME (Alias) records for the other services that point to my root domain name (example.com) or A records that point to the public (or private?) IP address? The SLS docs say to use CNAMEs, but looking at dreamhost (who is currently doing my DNS for a couple of domains) it looks like they use A records pointing to the same IP for things like FTP, instead of a CNAME. Is it a matter of preference?

Internal or external is decided by who is accessing the DNS server. If external people are going to use it (which is what it sounds like), then you need to use your external address. Now, normally there are separate internal and external DNS servers, because using the external address internally can cause issues. I'd try it first and if you have connection issues, then you need to get separate domains (one for internal and one for external) or use separate DNS servers for external vs internal.

For a business, I'd recommend allowing someone else to handle the external DNS resolution, and you take care of the internal. The beauty of this is you are leaving this to a company that does this day in and day out and usually has a fault tolerant network. Additionally, this means you can have more hosts on the internal domain, without the concern of external users seeing them.

For A vs CNAME, think ahead. If you plan on moving the services to different servers in the near future, then use separate A records. If you plan to leave it all on one box, I'd use one A record and the rest CNAMES. The reasoning is that if you need to change the IP, you change one record and you're done.

> I would also like this machine to become the primary name server for the domain with a couple of off-site servers as the secondary and third name servers. Is this also an A record? If dreamhost is my registrar and I tell them I'd like ns1.example.com to be the name server, how do they know the IP address of the ns1 box?
>
> Thanks in advance. I am Googling this stuff and trying to educate myself.

Yes and no. First you create NS records, and then associated A records for those NS records. So, if your domain is domain.com and you add another NS record for ns2.domain.com, then you need an A record for ns2.domain.com. However, if the NS record is for ns2.anotherdomain.com, then you don't need to add the A record, since you are only authoritative for domain.com, not anotherdomain.com.

When you set up your domain, you specify the nameserver IPs for it, not the name. If you use the name only, nobody will know where you are, so it will all fail.

One concern for a business in this setup is you will have external traffic coming across your internal network. This is a very bad idea, as if someone were to break into any services hosted on your Mini, they are sitting directly on your internal network. They can do whatever they wish without restriction. However, if you are hosting everything on one machine (bad idea) and they hack the Mini, they could have access to your data. I'd separate out the services so that internal and external sit on different machines. Additionally, put in a real firewall, so that the internal and external machines are on different subnets and restrict it so that the DMZ (where external services are hosted) cannot access the internal network.
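The points belvdr makes about A vs CNAME, in-zone NS names needing their own A records, and keeping separate internal and external answers can be checked with a small zone model. The following Python is an added illustration written for this thread, not code from either poster or from Snow Leopard Server; the names example.com and example.net, the 203.0.113.x public address, and the 192.168.1.x private address are constructed sample values.

```python
"""Toy zone model illustrating the advice in this thread:
 - one A record for the machine, CNAMEs for the services (one change moves everything)
 - an NS name inside the zone needs its own A record (glue); an off-site NS does not
 - separate internal and external views answer the same name with different addresses
Names and addresses are constructed examples; 203.0.113.0/24 is a documentation range.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    origin: str
    # owner name -> list of (record type, value)
    records: dict = field(default_factory=dict)

    def add(self, name, rtype, value):
        self.records.setdefault(name, []).append((rtype, value))

    def lookup(self, name, rtype):
        return [v for t, v in self.records.get(name, []) if t == rtype]

    def resolve_a(self, name, max_hops=8):
        """Follow CNAMEs the way a resolver does until an A record answers."""
        seen = []
        for _ in range(max_hops):
            seen.append(name)
            addrs = self.lookup(name, "A")
            if addrs:
                return addrs
            cnames = self.lookup(name, "CNAME")
            if not cnames:
                return []            # name does not exist in this zone
            if cnames[0] in seen:
                raise ValueError(f"CNAME loop at {name}")
            name = cnames[0]
        raise ValueError("CNAME chain too long")

    def in_bailiwick(self, name):
        return name == self.origin or name.endswith("." + self.origin)

    def missing_glue(self):
        """NS names inside this zone that lack an A record (belvdr's rule).
        NS names in another zone are that zone's responsibility, so they are skipped."""
        return [ns for ns in self.lookup(self.origin, "NS")
                if self.in_bailiwick(ns) and not self.lookup(ns, "A")]

    def set_machine_ip(self, host, new_ip):
        """Replace the A record of the one real host; every CNAME follows automatically."""
        kept = [(t, v) for t, v in self.records.get(host, []) if t != "A"]
        self.records[host] = kept + [("A", new_ip)]


def build_zone(machine_ip, ns1_ip):
    """Zone for example.com with one host and CNAMEs for its services."""
    z = Zone("example.com")
    z.add("example.com", "NS", "ns1.example.com")    # our own primary
    z.add("example.com", "NS", "ns2.example.net")    # off-site secondary, no glue needed here
    z.add("ns1.example.com", "A", ns1_ip)            # glue for the in-zone NS name
    z.add("server.example.com", "A", machine_ip)     # the single "Machine" A record
    z.add("example.com", "A", machine_ip)            # bare domain also answers
    for svc in ("www", "ftp", "mail"):
        z.add(f"{svc}.example.com", "CNAME", "server.example.com")
    # MX must name a host that has an A record, not a CNAME (RFC 2181 s10.3)
    z.add("example.com", "MX", "server.example.com")
    return z


def build_external_zone():
    return build_zone("203.0.113.10", "203.0.113.10")


def build_internal_zone():
    # Same names, private addresses: what a split-horizon internal server would serve.
    return build_zone("192.168.1.10", "192.168.1.10")


if __name__ == "__main__":
    ext, internal = build_external_zone(), build_internal_zone()
    print("external www ->", ext.resolve_a("www.example.com"))
    print("internal www ->", internal.resolve_a("www.example.com"))
    ext.set_machine_ip("server.example.com", "203.0.113.20")
    print("after IP change, ftp ->", ext.resolve_a("ftp.example.com"))
    print("missing glue:", ext.missing_glue())
```

Running it shows the same name resolving to the public address in the external zone and the private address in the internal one, the CNAME-based service names following a single A record change, and `missing_glue()` flagging an in-zone NS name only when its A record is absent.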
 