Hi, Firstly, please note I’m a Linux beginner - please presume nothing!
I have installed a Suse Leap 42.1 machine as a server. It’s running mail services (postfix, Dovecot) all fine. Now I have a server, I want to use it for DNS - internally, and to fwd DNS for external sites. I have installed the DNS server and configured it, but I have this issue.
The server can ping mail.domain.com correctly (itself). However, the workstations (Mostly windows, but also Ipads, Andriod etc) get DHCP and DNS from the server, but they resolve all addresses from my ISP DNS machines which I have set as forwarders. This means that from inside, the mail.domain.com resolves to my fixed IP address outside my router, rather than direct to the server. They only work for mail, therefore, from outside my LAN. I’ve been going around in circles a bit with this, any help would be appreciated.
Thanks
Matt
Your description is probably a bit inaccurate but I think I know what you want.
Unless you can configure your ISP’s DNS (highly unlikely) you can’t configure those DNS as forwarders.
By definition, when a DNS is configured as a forwarder, when it can’t provide a result for a client’s request then the request is forwarded to another DNS server upstream.
It’s OK for your mail server’s address to be a public IP address, and assuming that your mail domain is identical to a registered FQDN(not always a given but most common configuration), any public DNS including your ISP’s DNS should be able to resolve your mail server’s address. Since you say your LAN clients are configured to point to your ISP’s DNS which almost certainly are configured as Forwarders and also likely caching, your LAN clients will successfully be able to resolve the public address of your mail server.
But,
You seem to be saying that you want your LAN clients to point to your mail server’s internal IP address instead of the external address?
Although that ordinarily shouldn’t be necessary, this can be accomplished easily…
Setup a working DNS server of your own, forwarding and caching.
Obtain all the public records of your public FQDN which is the same as your mail domain.
Create a new zone which is identical to your public DNS zone in your own DNS.
Modify the mail record to point to your mail server LAN IP address. All other records should remain identical to your existing public DNS records.
The result of the above is to “poison” your DNS zone intentionally (It’s bad when your public DNS is illegally hacked, it’s good when it’s done intentionally with good purpose which is the case here). When your LAN clients point to your own DNS, the DNS will look at its own local zones and records and discover valid results to return to your clients so will not forward the request upstream to public DNS. This configuration is also often referred to as a “split-brain dns.”
Note, that this is just one solution for what you’re setting up.
You can also secure mail servers placed in a firewall DMZ with appropriate configurations pointing publicly vs privately as well.
Sorry I was not clear enough in my description. This is a simple LAN with a single NAT router, with a single static IP address, and a single internal server.
I HAVE setup the internal DNS Server, with Zone for internal domain, and A records for IMAP.domain.com, Mail.domain.com and SMTP.domain.com, all pointing to the internal server IP address, 192.168.1.100. It appears to be loading ok. The forwarders are the ISP’s DNS addresses
The Workstations are receiving the correct DNS IP (The internal server one) from DHCP (from the same server) and are pointing at the internal DNS server as their DNS source, as they should.
However, when they try to ping, for example, mail.domain.com, the response is the EXTERNAL ip, not the internal one as it should be. At this point I presume that the internal DNS server id not serving the A records I entered, and is forwarding the request to the ISP DNS (as it should for any name it can’t resolve). But it SHOULD be able to serve up the A records I have entered. I must have made a mistake in the DNS config on the internal server somewhere, but at this point I have not been able to find it.
A ping directly from the internal server Konsole works fine - the Server itself resolves the names correctly, just not when asked via DNS by a client…
Is that any clearer?
it’s 11pm here now, and I’m off - perhaps I’ll think more clearly tomorrow!
Some NAT routers allow you to configure the DNS server in the router. Then, when each client computer picks up an IP address to use on the LAN, it is given the configured DNS server. That’s the easy way of setting them up to use your own DNS server. If your router doesn’t do that, then you have to individually configure DNS on each computer on the LAN.
Keep in mind that there is a downside to this. If the computer that you are using as a DNS server goes down, then all client computers lose DNS. I always found it better to use the ISP DNS on most client computers, and only use my own DNS on the one system.
Or, as I think the OP is doing, you can run DCHP as well as DNS on the server. The DHCP server should provide the DNS info for the (DHCP enabled) clients.
Keep in mind that there is a downside to this. If the computer that you are using as a DNS server goes down, then all client computers lose DNS. I always found it better to use the ISP DNS on most client computers, and only use my own DNS on the one system.
My own preference at home is to have a local DNS server… Here is one scenario I had. I was running a web site from home. Local PCs needed to use the local IP address for eg www.mydomain.com. I think way to achieve that using the ISPs DNS would be to configure a local hosts file on every PC?
For a mail server record,
You need to identify it not only with an A record (as a general Host) but also with with an MX record(identifying the record as pointing to a mail server).
You should also check the hostname server resolution configuration of your client machines,
cat /etc/resolv.conf
and possibly the following which identifies the server your client is connecting to
nslookup
server
Then two things you might consider doing…
Test resolving the mail server name again using nslookup, by just typing the name
mail.domain.com
If your clients aren’t already properly pointed to your local DNS, you can at least test whether you DNS Server is serving records correctly by temporarily forcing your own DNS temporarily with the following followed by testing your mail server resolution again
Thanks for your response. Yes, I could simply configure local hosts on each PC and device. However, then when I have visitors, they don’t have the correct config automatically on my wifi.
I run a mail server inside, for my extended family, and I plan to move my online store to this server, as well as a public forum that I run. I’d like the config to be correct
Thanks again TSU, sometimes it just helps to “speak” with someone else.
Yep, absolutely I understand you need an MX record to send mail. However, at this point the workstations cannot resolve the name, so there is something wrong with DNS.
Your second point, client machines resolve files - the machines are windows, not Linux, so hosts file. I don’t want to have to manually edit these to make it go (that is what I have done in the meantime while I work this out). For testing (on the machine I’m writing this on) I remark out the server names from the hosts file, so it’s empty, but for the localhost setting.
Third point. This is closer to the issue. Nslookup from the client produces;
I would guess this is because you haven’t got reverse DNS set up. It seems to be getting the correct IP address for DNS though and you don’t need reverse DNS for this to work for you.
Maybe I’ll come up with some DNS things for you to look at later but my own mind is a bit blank atm.
If finds itself;
> server
Default server: 127.0.0.1
Address: 127.0.0.1#53
Default server: 192.168.1.100
Address: 192.168.1.100#53
Default server: 202.180.64.10
Address: 202.180.64.10#53
Seems right to me?
BUT - now I think I’m getting somewhere - I tried to get the server to resolve mail.domain.com - using nslookup - and I got;
> mail.XXXXX.com
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; Got SERVFAIL reply from 192.168.1.100, trying next server
Server: 202.180.64.10
Address: 202.180.64.10#53
Non-authoritative answer:
Name: mail.XXXXXX.com
Address: (got external IP here)
OK, fixed. Stupid really (as I suspected!) config issue - I had forgotton to put servername.domain.com in the zone file as an A record. Added that to the zone, all works.
Thanks for the help above everyone.
The message about cannot write to named dir is still there, but does not seem to effect anything.
