DNS rerouting

Discussion in 'Mac OS X Server, Xserve, and Networking' started by philstone, Mar 4, 2013.

  1. macrumors 6502

    Joined:
    Oct 13, 2008
    Location:
    Jersey, Channel Isles
    #1
    I've been searching the internet all weekend but still no joy on this...

    Scenario - we have a server onsite that we want to connect to using full DNS so that the address doesn't change whether it's from within the office or externally (e.g. server address will be server.mydomain.com)

    Using AEBS for DHCP (and DNS) although SLS is configured for DNS as well (not really active as no clients are asking the SLS for DNS)
    Is there a way to configure the system so that...

    Internal request for server.mydomain.com forwards to the local IP address rather than going outside the LAN then back in?
    I would prefer to keep the AEBS acting as DHCP server.

    Has anyone else had issues like this before? I know in a Windoze environment this is possible.

    Cheers
     
  2. HenryAZ, Mar 4, 2013
    Last edited: Mar 4, 2013

    macrumors regular

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #2
    I have used internal name servers for this purpose. Set up an internal name server to run the mydomain.com zone, have your DHCP server give out that name server to its local LAN clients, and have the record server.mydomain.com resolve to the internal address.

    Any client then on the LAN will get the internal address. Any client outside (using whatever outside name servers they are provided with) will resolve the external IP.

    The caveat here is your internal clients will look to this internal name server zone for all information regarding the zone. So, if you have records in the zone with external addresses, they will need to be included in the internal zone as well. For example, if your web server is hosted offsite, you will need a record in the internal zone pointing to the external web server. You will need to have correct MX records in the internal zone. Your internal zone will basically be a mirror of the external zone, except for the addresses you want to resolve internally.

    Additionally, you will need to have the internal name server forward requests for everything other than mydomain.com to an external resolver.
     
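    A worked check for the caveat in the reply above, that the internal zone has to mirror the external one except for the hosts you deliberately point at LAN addresses. This is an added example, not code from the thread or from any poster. The two zone files are constructed inline for the demonstration; mydomain.com, the host names and all addresses (192.168.1.x, 203.0.113.x, 198.51.100.x) are placeholders, and the zone parser is a minimal one written for this check (one record per line), not BIND's.

```python
"""Split-horizon zone consistency check (added example, not from the thread).

Parses an external and an internal copy of the same zone and reports
records that went missing from the internal copy (LAN clients would fail
to resolve them), records that differ without being on the intended
override list (drift or typos), and the intended overrides themselves.
All zone data below is constructed; names and addresses are placeholders.
"""
from collections import defaultdict

# Constructed: what the public (external) zone for mydomain.com might hold.
EXTERNAL_ZONE = """\
$ORIGIN mydomain.com.
$TTL 3600
@        IN  SOA  ns1.mydomain.com. hostmaster.mydomain.com. (2013030401 7200 900 1209600 3600)
@        IN  NS   ns1.mydomain.com.
@        IN  MX   10 mail.mydomain.com.
ns1      IN  A    203.0.113.10
mail     IN  A    203.0.113.20
www      IN  A    198.51.100.5   ; web site hosted offsite
server   IN  A    203.0.113.10   ; public address, port-forwarded to the LAN
"""

# Constructed: the LAN-facing copy, with two deliberate defects
# (www was never copied across, and mail has a typo in its address).
INTERNAL_ZONE = """\
$ORIGIN mydomain.com.
$TTL 3600
@        IN  SOA  ns1.mydomain.com. hostmaster.mydomain.com. (2013030402 7200 900 1209600 3600)
@        IN  NS   ns1.mydomain.com.
@        IN  MX   10 mail.mydomain.com.
ns1      IN  A    192.168.1.2    ; the internal name server itself
mail     IN  A    203.0.113.21   ; typo: external zone says .20
server   IN  A    192.168.1.5    ; LAN address, the whole point of the setup
printer  IN  A    192.168.1.30   ; internal-only name, fine
"""


def parse_zone(text):
    """Parse a minimal zone file into {(owner, type): set(rdata)}.

    Handles $ORIGIN, $TTL, ';' comments, optional TTL and class fields,
    '@' and relative owner names, and blank-owner continuation lines.
    Assumes one record per line (no parentheses spanning lines); that is
    enough for the comparison below and is an assumption of this example.
    """
    origin = "."
    last_owner = None
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]
            continue  # $TTL and other directives do not affect the comparison
        if raw[:1].isspace():
            owner = last_owner or origin  # owner omitted: reuse previous owner
        else:
            owner = tokens.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        last_owner = owner
        if tokens and tokens[0].isdigit():          # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records[(owner.lower(), rtype)].add(" ".join(tokens))
    return dict(records)


def check_split_horizon(external_text, internal_text, intended_overrides):
    """Compare the two zones; returns sorted lists of (owner, type) keys.

    intended_overrides: owner names whose records are meant to differ on
    the LAN (the hosts you want internal clients to reach directly).
    SOA is skipped because serial and contact legitimately differ.
    """
    ext = parse_zone(external_text)
    intl = parse_zone(internal_text)
    intended = {n.lower().rstrip(".") + "." for n in intended_overrides}
    report = {"missing": [], "overridden": [], "unexpected": [], "internal_only": []}
    for key, rdata in ext.items():
        owner, rtype = key
        if rtype == "SOA":
            continue
        if key not in intl:
            report["missing"].append(key)       # LAN clients get NXDOMAIN/NODATA
        elif intl[key] != rdata:
            bucket = "overridden" if owner in intended else "unexpected"
            report[bucket].append(key)
    for key in intl:
        if key[1] != "SOA" and key not in ext:
            report["internal_only"].append(key)  # harmless, but worth knowing
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    result = check_split_horizon(
        EXTERNAL_ZONE, INTERNAL_ZONE, {"server.mydomain.com", "ns1.mydomain.com"}
    )
    for bucket, keys in result.items():
        for owner, rtype in keys:
            print(f"{bucket:13s} {rtype:4s} {owner}")
```

    On the constructed data it flags www.mydomain.com as missing from the internal zone (offsite web server that was never mirrored, exactly the case HenryAZ warns about), mail.mydomain.com as an unexpected difference, and server/ns1 as the intended overrides. To run it against a real setup, read the two zone files in place of the inline strings; then confirm the split from both sides with something like `dig @192.168.1.2 server.mydomain.com A` on the LAN and the same query against a public resolver from outside, and check that each returns the address you intend.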
  3. thread starter macrumors 6502

    Joined:
    Oct 13, 2008
    Location:
    Jersey, Channel Isles
    #3
    Thanks - I already have an internal NS which resolves correctly, however I have to assign the DNS manually to the client as the DHCP on the AEBS is giving itself out as a local DNS server - I can't see a way to change that in the DHCP options on the AEBS? Is there a way?

    Thanks again
     
  4. macrumors regular

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #4
    I cannot answer that very well, as I've never used any access point or router as a DHCP server.

    Usually devices like that give out, as DNS, the DNS they are configured for. Try configuring the AEBS to use the internal name server. As long as the internal server can resolve anything (the internal zone, or forward external requests), this should pose no problem.
     
  5. macrumors regular

    Joined:
    May 12, 2010
    #5
    except for about 2x as many DNS queries as necessary, unless you are going to cache them

    it can make browsing stuff like youtube kinda sucky
     
  6. macrumors regular

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #6
    Why would anyone run a name server with caching turned off to begin with?

    Not to mention the fact that the results will also be cached on each local machine's OS resolver cache.
     
  7. macrumors regular

    Joined:
    May 12, 2010
    #7
    when you are using a CDN you don't really hit domains that are cached
     
  8. macrumors regular

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #8
    If a record is not cached locally, then it needs resolving, for sure. I still don't see your point as to how this applies here. Running a local name server doing its own recursing/resolving is the most efficient way to get the records to your LAN.
     
  9. macrumors regular

    Joined:
    May 12, 2010
    #9
    well, if you use your ISP's DNS server it's going to be quicker for CDN content because it's going to cut down the number of servers queried

    the ISP's DNS is likely faster running on better hardware

    I've read a few people claiming that hitting their ISP's DNS instead of a local server improved the streaming quality for HD youtube videos

    it's gotta be a pretty small time difference, but if you think about the context of streaming, that can be critical at times.
     
  10. macrumors regular

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #10
    :eek: I give up.
     
  11. macrumors regular

    Joined:
    May 12, 2010
    #11
    not exactly sure what you mean by that, but think about it

    if you are trying to resolve blahla.sdlaskln.xjknl.kmcd.cdn.apple.net

    the ISP DNS is going to be able to resolve the name quicker and still not have to relay it back to your DNS to respond to the client, it will respond directly to the client.

    in the context of streaming a video being able to hit the CDN server .5 sec might mean less frames dropped. when a video is being streamed from youtube it's not just from one server, it's from a CDN where each server serves a little and then redirects to another node for more.

    yeah, it's kind of a ridiculous example, but I was just throwing it out there as something I've noticed.
     
  12. macrumors regular

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #12
    I guess we'll just disagree on this. My name server does its own recursing/resolving (no ISP server in the mix). When I query from a client machine on the LAN (query my name server), the response is typically delivered to the client in <150ms. That's my name server, going out on the Internet directly to the authoritative source, and returning with the answer. The portion of the 150ms that is taken in relaying from my name server to my client is probably <5ms. Once I have it cached locally now, the response to my clients is way faster than any other server can provide.

    That 150ms may be slow or fast compared to queries on other Internet connections, but it is my crappy Internet connection and every packet that traverses it has the same latency, whether I am using my name server or someone else's.

    I do not agree that (necessarily) an ISP server provides better performance. Hardware they have to have to handle the query load, for sure, but many of them are still slammed anyway. If the hardware is supporting the query load as it should, the effective time DNS takes is on the network rtt, and the response time of the authoritative server.
     
  13. macrumors regular

    Joined:
    May 12, 2010
    #13
    I only offered one very specific scenario where an ISP's server would provide better performance, so maybe you misunderstood me?
     
  14. macrumors regular

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #14
    I don't think I misunderstood, just disagree :) My experience is the lookup results get back to your LAN quicker with a local name server doing its own recursion.
     
  15. macrumors regular

    Joined:
    May 12, 2010
    #15
    right, except in a scenario where an ISP would have names cached that you otherwise wouldn't, especially if you are going to do your own recursion
     
  16. macrumors regular

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #16
    To me that is the main valid argument that makes sense to take advantage of your ISP's (or a public) name server. The remote name server you use may be faster by having a record cached that you do not have cached yet. But if there is a problematic network path to it, or it is congested, it may be slower even with a cached answer. Depending on the ISP's dedication and support, its cache may also be an easy target for poisoning :)

    The only way to know is to compare response times.

    On a slight thread drift, but related to your YouTube comments, I've been following with interest a discussion on NANOG about certain backbone ISPs throttling YT video streams. Issues you see might not be DNS-related at all :)

    Boy that whole anycasted CDN model is a can of worms.
     
  17. macrumors regular

    Joined:
    May 12, 2010
    #17
    yeah, like I said, it's a very specific and limited scenario where it would be better to forgo your own DNS. any path to your ISP's DNS is likely pretty similar to whatever you would have to do to resolve a name anyway.

    If your ISP has its cache poisoned, you probably have bigger problems than youtube streams :p

    As for the throttling, that definitely happens, although it's distinct from the situation I'm referring to.

    what's terrible about the CDN is that it's great for cybercrime. compromise one of those hosts and very few analysts are going to notice any unusual http content being served off a node
     