
Set up DNS behind Airport Base Station with NAT Network
Yesterday I bought an AirPort base station. Funny, there are no more wires in my room :) Before, I hosted a web server on my Mac with a DynDNS name and could reach my machine by my own domain name. But since I set up my Mac to reach the Net over the AirPort base station, I have not been able to "see" my site by that name from inside my wireless network: the base station maps the port for outside visitors, but it does not loop that mapping back to clients on the LAN (see the comments below). After reading many comments spread around, I decided to install my own domain name server that resolves my domain to the local IP, so LAN clients get the private address while everybody else keeps getting the public one. We will use BIND to do it; Apple includes it by default on Mac OS X 10.2 clients.

[Editor's note: Setting up your own DNS can be complicated. As I believe it's beyond my skill set (and I can't risk losing access if I mess up!), I have not tested this hint myself. Please proceed with care if you decide to give it a shot...]

In the following example, the IP address of your AirPort base station is 10.0.1.1 and the IP address of the Mac OS X machine that will act as the DNS server is 10.0.1.2. Your AirPort base station is configured to share a single IP address using DHCP and NAT. example.com stands in for the domain name we will set up. Give the DNS machine a fixed address (10.0.1.2) rather than a DHCP lease: every client on the LAN will be pointed at it, and a changed lease would break name resolution for all of them.

Now it's time to open your Terminal.
  1. Create a new named.conf:
    Save old named.conf:
     % sudo mv /etc/named.conf /etc/named.conf.old
    Create new named.conf:
     % sudo vi /etc/named.conf
    Paste this content:

    ------ Copy Below This Line --------
    // BIND 8 config file for a small NAT'd LAN
    //
    // Controls global server configuration options
    // and sets defaults for other statements
    options {
    directory "/var/named";
    notify no;
    // Your ISP's (or any other upstream) resolvers; replace both placeholders
    forwarders { ipofdns1; ipofdns2; };
    // This server resolves the whole Internet for the LAN, so only answer,
    // and only recurse for, hosts on the local network and this machine.
    // It must never be reachable as an open resolver from outside.
    allow-query { localnets; localhost; };
    allow-recursion { localnets; localhost; };
    // Listen on the LAN address and loopback only (10.0.1.2 must be fixed)
    listen-on { 10.0.1.2; 127.0.0.1; };
    // How often (in minutes) statistics are dumped; 1 is chatty
    statistics-interval 1;
    // Do not reveal the BIND version to version.bind queries
    version "surely you must be joking";

    };

    // These entries are not specific to any zone
    // They are required by any DNS server

    zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
    };

    zone "." in {
    type hint;
    file "db.cache";
    };
    //
    // The following entries are where your zone information is entered
    //

    // This file contains the host names and their corresponding IP addresses.

    zone "example.com" in {
    type master;
    file "db.example.com";
    };

    // This file contains the IP addresses and their corresponding reverse lookups.

    zone "1.0.10.in-addr.arpa" in {
    type master;
    file "db.10.0.1";
    };
    ------ Copy Above This Line --------

  2. Create the address-to-name lookup database file db.10.0.1 (the name must match the file entry in named.conf). Type:
     % sudo vi /var/named/db.10.0.1
    Paste this content:

    ------ Copy Below This Line --------
    $TTL 38400
    ; db.10.0.1 file
    ;

    ; admin.example.com. is the admin mailbox (admin@example.com)
    1.0.10.in-addr.arpa. IN SOA ns.example.com. admin.example.com. (
    1 ; Serial (increase it every time you edit this file)
    10800 ; Refresh after 3 hours
    3600 ; Retry after 1 hour
    604800 ; Expire after 1 week
    86400 ) ; Negative-caching TTL of 1 day

    ; Name servers

    1.0.10.in-addr.arpa. IN NS ns.example.com.

    ; Addresses point to canonical names (one PTR per address;
    ; each name must have a matching A record in db.example.com)

    2.1.0.10.in-addr.arpa. IN PTR ns.example.com.
    3.1.0.10.in-addr.arpa. IN PTR host3.example.com.
    4.1.0.10.in-addr.arpa. IN PTR host4.example.com.
    5.1.0.10.in-addr.arpa. IN PTR host5.example.com.
    6.1.0.10.in-addr.arpa. IN PTR host6.example.com.
    7.1.0.10.in-addr.arpa. IN PTR host7.example.com.
    8.1.0.10.in-addr.arpa. IN PTR host8.example.com.
    9.1.0.10.in-addr.arpa. IN PTR host9.example.com.
    ------ Copy Above This Line --------

    Note: I added nine hosts to this file so that every address the base station's DHCP server hands out (10.0.1.3 through 10.0.1.9) has a name; you can then ping host4.example.com, which is 10.0.1.4. Add more if your network is bigger. Keep in mind that the names follow the addresses, not the machines: a laptop gets whatever host name belongs to the lease it was given that day.

  3. Create hostname-to-address lookup database file db.example.com
     % sudo vi /var/named/db.example.com
    Paste this content:

    ------ Copy Below This Line --------
    $TTL 86400
    ; db.example.com
    ;
    ; admin.example.com. is the admin mailbox (admin@example.com)
    example.com. IN SOA ns.example.com. admin.example.com. (
    10 ; Serial (increase it every time you edit this file)
    10800 ; Refresh after 3 hours
    3600 ; Retry after 1 hour
    604800 ; Expire after 1 week
    86400 ) ; Negative-caching TTL of 1 day
    ; Name servers

    example.com. IN NS ns.example.com.

    ; Primary Addresses
    ; Every owner name below ends with a dot. Without it BIND appends the
    ; zone origin, so "example.com IN A" would define example.com.example.com.

    localhost.example.com. IN A 127.0.0.1

    ns.example.com. IN A 10.0.1.2
    example.com. IN A 10.0.1.2
    ; A CNAME must point at a name, never at an IP address
    www.example.com. IN CNAME ns.example.com.
    host3.example.com. IN A 10.0.1.3
    host4.example.com. IN A 10.0.1.4
    host5.example.com. IN A 10.0.1.5
    host6.example.com. IN A 10.0.1.6
    host7.example.com. IN A 10.0.1.7
    host8.example.com. IN A 10.0.1.8
    host9.example.com. IN A 10.0.1.9
    ------ Copy Above This Line --------

  4. Copy some files
     % sudo cp /var/named/named.ca /var/named/db.cache
     % sudo cp /var/named/named.local /var/named/db.127.0.0
  5. Last step: modify hostconfig and start BIND service:
    Edit /etc/hostconfig file and enable bind:
     % sudo vi /etc/hostconfig
    Change "DNSSERVER=-NO-" to "DNSSERVER=-YES-", and then save and start bind:
     % sudo /System/Library/StartupItems/BIND/BIND start
Then set 10.0.1.2 as the DNS server for your machine in Network preferences and for the base station with AirPort Admin Utility (Internet tab), so that DHCP clients receive it too, and restart your AirPort base station. Before you rely on it, confirm from the server itself that www.example.com resolves to 10.0.1.2 and that an outside name still resolves through the forwarders, and make sure no port mapping on the base station sends port 53 to this machine: it must answer the LAN only, never the Internet. Now you can ping your own domain and access it with your browser without problem.
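As an added example (not from the original hint), the script below builds the two zone files from one host list and checks them against each other before you copy them into /var/named: every PTR target must have an A record for the same address, every 10.0.1.x address used by an A record must have a PTR, and both files must carry the same serial. It assumes the names used above (example.com, ns.example.com at 10.0.1.2, host3 to host9) and the file name genzones.sh is hypothetical; the output directory is the first argument and the serial the second.

```shell
#!/bin/sh
# Added example for this hint, not code from the original post. Builds the
# forward zone (db.example.com) and reverse zone (db.10.0.1) from one host
# list so that every A record has a matching PTR and both files share a
# serial. Assumed names: example.com, ns.example.com at 10.0.1.2, and the
# host3..host9 names the hint uses. Output directory and serial are arguments.

# Host list, one "name address" pair per line (constructed to match the hint).
HOSTS='ns 10.0.1.2
host3 10.0.1.3
host4 10.0.1.4
host5 10.0.1.5
host6 10.0.1.6
host7 10.0.1.7
host8 10.0.1.8
host9 10.0.1.9'

DOMAIN=example.com
NET=10.0.1                                   # the /24 behind the base station
REV=$(echo "$NET" | awk -F. '{print $3"."$2"."$1}').in-addr.arpa
NS=ns.$DOMAIN
MAILBOX=admin.$DOMAIN                        # admin@example.com in SOA syntax
NS_ADDR=$(echo "$HOSTS" | awk '$1 == "ns" {print $2}')

# soa ORIGIN SERIAL: the SOA and NS records shared by both zones.
soa() {
    printf '$TTL 86400\n%s IN SOA %s. %s. (\n' "$1" "$NS" "$MAILBOX"
    printf '    %s ; Serial\n    10800 ; Refresh\n    3600 ; Retry\n' "$2"
    printf '    604800 ; Expire\n    86400 ) ; Negative-cache TTL\n'
    printf '%s IN NS %s.\n\n' "$1" "$NS"
}

# gen_forward OUTDIR SERIAL: write OUTDIR/db.example.com.
gen_forward() {
    {
        soa "$DOMAIN." "$2"
        # Owner names are fully qualified; an unqualified "example.com"
        # would become example.com.example.com. once BIND appends the origin.
        printf 'localhost.%s. IN A 127.0.0.1\n' "$DOMAIN"
        printf '%s. IN A %s\n' "$DOMAIN" "$NS_ADDR"
        # www is an alias: a CNAME must name a host, never an address.
        printf 'www.%s. IN CNAME %s.\n' "$DOMAIN" "$NS"
        echo "$HOSTS" | while read -r name addr; do
            printf '%s.%s. IN A %s\n' "$name" "$DOMAIN" "$addr"
        done
    } > "$1/db.$DOMAIN"
}

# gen_reverse OUTDIR SERIAL: write OUTDIR/db.10.0.1, one PTR per host.
gen_reverse() {
    {
        soa "$REV." "$2"
        echo "$HOSTS" | while read -r name addr; do
            printf '%s.%s. IN PTR %s.%s.\n' "${addr##*.}" "$REV" "$name" "$DOMAIN"
        done
    } > "$1/db.$NET"
}

# check_zones OUTDIR: succeed only if the two files agree. Run this before
# copying them into /var/named and restarting BIND.
check_zones() {
    fwd="$1/db.$DOMAIN"; rev="$1/db.$NET"
    s1=$(awk '/; Serial/ {print $1}' "$fwd")
    s2=$(awk '/; Serial/ {print $1}' "$rev")
    [ "$s1" = "$s2" ] || { echo "serial mismatch: $s1 vs $s2" >&2; return 1; }
    # Every PTR target must have an A record for exactly that address.
    awk '$3 == "PTR" {split($1, o, "."); print $4, o[1]}' "$rev" |
    while read -r name last; do
        grep -q "^$name IN A $NET.$last\$" "$fwd" ||
            { echo "PTR $name does not point back to $NET.$last" >&2; exit 1; }
    done || return 1
    # Every LAN address with an A record must have a PTR.
    awk -v net="$NET." '$3 == "A" && index($4, net) == 1 {print $4}' "$fwd" |
    while read -r addr; do
        grep -q "^${addr##*.}.$REV. IN PTR " "$rev" ||
            { echo "no PTR for $addr" >&2; exit 1; }
    done
}

# Usage (file name is hypothetical): sh genzones.sh /var/named 11
if [ $# -eq 2 ]; then
    gen_forward "$1" "$2" && gen_reverse "$1" "$2" && check_zones "$1" &&
        echo "zones written to $1 with serial $2"
fi
```

If the check fails, fix the host list and regenerate rather than editing the output by hand, and bump the serial every time you regenerate so that any secondary you add later notices the change. Run it into a scratch directory first; only copy the files into /var/named once check_zones exits zero, then restart BIND as in step 5.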

If you want to know more go here:

Apple Support Document
Linux DNS HOWTO

Set up DNS behind Airport Base Station with NAT | 20 comments
Okay, but...
Authored by: john_e on Dec 03, '02 11:02:33AM

Your webserver is behind the Airport now? So the Airport has the public IP? This means that the server is ONLY accessible from within your network. Or does the server have a public IP?
You should be able to use port forwarding on the AirPort to make it visible to the outside AND the inside, or maybe it was never intended for internet use, but rather internal use?

Still, DNS-serving is fun :-)



Okay, but...
Authored by: benoitc on Dec 03, '02 06:40:09PM

In fact, you can connect to my domain name from the outside thanks to port forwarding. But when I want to connect to it (the domain name) from a machine on the LAN, I can't, because there is no reverse mapping on NAT, as with a lot of NAT routers. Because I do virtual hosting on Apache, I need to access the domain name. So that's why I set up a DNS server.



I had the same problem.
Authored by: tamenti on Dec 03, '02 11:37:47AM

With my Netgear mr314 router.
I solved it using virtual hosts in Apache, which I was already using because I've got two domains hosted at home, and NetInfo Manager on my work box.
It's a bit less intrusive, and I don't think you can mangle your network too much this way :)



Also Confused
Authored by: cmccarthy on Dec 03, '02 11:41:50AM

Like a previous commenter, I am also confused as to how setting up your Mac as a DNS server solved your problem of not being able to access your web server from outside your Airport network. You mentioned using a DynDNS hostname for your server before you switched to Airport. I also use a DynDNS hostname: I go to dyndns.org, set the IP address of the hostname to the IP address of the Airport Base Station as assigned by AT&T Broadband's DHCP, and set the Base Station to forward port 80 to my Linux box, whose statically-assigned address is 10.0.1.203.

So, exactly why is running your own DNS server necessary? And, if you are still using a DynDNS hostname, isn't it best not to try to set up your own DNS server for an address in DynDNS's domain? I feel like I must be missing something here. And thanks for good instructions on setting up a DNS server.



Good info but not the solution
Authored by: tobyc on Dec 03, '02 12:23:54PM

Great info on how to set up BIND on your Mac, but not the solution to the problem. What you need to do in a situation where your address is being NAT'ed is to set up port forwarding. That is, forward all requests from port 80 on the public address to port 80 on the internal private address. This is really easy on an Airport hub; just read the help docs.



domain name forwarding??
Authored by: p940e on Dec 03, '02 03:26:03PM

Are there any routers out there that let you use different domain names instead of just different ports??



Good info but not the solution
Authored by: benoitc on Dec 03, '02 06:41:37PM

In fact, you can connect to my domain name from the outside thanks to port forwarding. But when I want to connect to it (the domain name) from a machine on the LAN, I can't, because there is no reverse mapping on NAT, as with a lot of NAT routers. Because I do virtual hosting on Apache, I need to access the domain name. So that's why I set up a DNS server.



Why the old version?
Authored by: Lizard_King on Dec 03, '02 04:35:23PM

So 10.2.x comes with BIND 8.2 - that's kewl! BUT (there's always a but, isn't there?), if you're serious about running your own DNS, why wouldn't you use the latest version of BIND? BIND happens to be one of the most vulnerable services that could run on your machine. There also happen to be numerous published exploits/vulnerabilities with BIND 8.2.

check it out: http://www.isc.org/products/BIND/bind-security.html

Why not download and run the latest version (BIND 9.2.1)?

You can grab it here: http://www.isc.org/products/BIND/bind9.html



Why to setup a dns server
Authored by: benoitc on Dec 03, '02 06:56:39PM

When you configure the Airport Base Station, you can set it to do port mapping (not port forwarding) on port 80 or any other port to allow a machine from the outside to access a machine on the LAN on this port. So anybody can access your domain mydomain.dyndns.org from the outside. But when you want to access mydomain.dyndns.org from a machine behind the Airport Base Station (on the WLAN), you can't, because there is no reverse mapping on NAT. And this is often the case with NAT routers. So why not access the machine with the internal IP if you are on the WLAN?
Because if you do virtual hosting on Apache, as I do, you need to access the domain name, not the IP.

So that's why I setup a DNS server ;)



Why to setup a dns server
Authored by: physicsGuy on Dec 05, '02 04:22:31AM

I'm still confused. If what you just said makes any sense, your original explanation must have been wrong. In your original, you said you couldn't see your dyndns domain name from OUTSIDE. But now, it sounds like you were having trouble seeing it from inside.

I had the same problem, and first was running MacDNS 1.0.4 under the Classic environment (kludgy, I know) as a caching name server with domain resolution on the LAN and caching WAN addresses. Later, I switched to the equivalent of a hosts file under NetInfo.



Why to setup a dns server
Authored by: benoitc on Dec 09, '02 06:36:23PM

Outside can see my domain name, but not my users on the LAN. So I decided to install a DNS server to map my domain to the internal IP. This makes it easy for laptop users to configure their connection.



This is awesome!
Authored by: VHDLBigot on Dec 03, '02 08:00:12PM
I had this exact problem about a month ago. I too bought an Airport and a roaming wireless iBook laptop. My webserver was visible from the outside but the Airport would not forward port requests when they came from inside the house. I can't wait to get this setup. I had posted a question on comp.sys.mac.comm asking if my only solution was to research setting up a local DNS. It sounds like this should get things ironed out. The Movable Type weblog system (which works great with OS X's built in Apache and perl) uses cgi scripts for site management and they require an absolute URL to be prepended. You cannot simply use relative paths as you can for the static content that the cgi generates. If relative paths were sufficient I could have just used 10.0.1.xx. Thanks for the detailed solution. -- Scott BilikFamily.com

This is awesome!
Authored by: legacyb4 on Dec 04, '02 11:44:59PM

As does Scott Turner's MP3 server script (Andromeda) if you want to stream MP3 from your server both inside and outside the router/firewall.



netinfo
Authored by: see on Dec 03, '02 08:13:27PM

why not use netinfo?
or hosts-file?
what's the point?



netinfo
Authored by: benoitc on Dec 04, '02 02:03:33AM

This solution is good if you have 1 or 2 machines on your WLAN, because you need to set up each machine. And with this solution you would have to change the configuration on your laptop when you want to access your webserver from outside. So a DNS server is, to my mind, the best solution.



netinfo
Authored by: see on Dec 04, '02 06:07:04AM

you set it up in netinfo on one machine and just import the info over netinfo to other machines...there is _no_ reason to set up bind for this. that it's useful to have bind set up anyways is beside the point, it's not imho an appropriate solution for this problem.



netinfo
Authored by: benoitc on Dec 04, '02 06:25:25AM

If you have a laptop, netinfo isn't a good solution, it's easier to add a DNS server to your connection profile than to change netinfo data each time you change your network.



netinfo not sufficient when your machines roam
Authored by: VHDLBigot on Dec 04, '02 06:56:09AM

Exactly right! That was exactly the problem I had. I could have used NetInfo, but my iBook roamed back and forth from home to work. So it was inside and outside the router. Using NetInfo and hardcoding 10.0.1.xx for the local addresses would make the webserver inaccessible when using my laptop from the outside. I was looking for a clean DHCP/DNS solution so that the iBook would automatically adjust depending on its location.



netinfo
Authored by: see on Dec 04, '02 12:57:32PM

what i mean is:
set up all the NetInfo on the server you have the webserver on (or some other machine on the LAN). this machine exports its info.
the laptop is set up to look up in the server above.
there is no difference in how it will work, except that NetInfo is running anyway, and setting up bind for this trivial problem is overkill imho.
and for Mac users in general it would be easier adding hosts in NetInfo than setting up bind.
and since NetInfo is set to answer before DNS by default it's a better choice, otherwise you must have your local NS always first in your setup and it will produce chatter at your workplace :)

anyways it's a nice little "tutorial" on how to easily set up bind...



People, please understand the problem...
Authored by: markd on Feb 21, '03 11:36:29PM
Admittedly few people will need this hint- however, it is the absolute best solution for the situation described by the author (and mine as well).

Some routers, including my Netgear 814 while providing port-forwarding services cannot or will not allow LAN clients to access these forwarded services by domain name.

IE: example.com forwards into my LAN through my Netgear 814, final destination is my iMac. Everything is peachy keen from work or anywhere outside the home LAN. HOWEVER, inside the home LAN attempts to access example.com from my iBook fail.

I was solving this problem by adding an internal LAN IP address for example.com to my /etc/hosts file. The problem with this approach is that every time I go to work, I must comment out the /etc/hosts entry in order to access example.com.

With this hint, with the DNS server running on the iMac at home, I simply switch Network Locations from the Apple menu, when home and away (I have to do this anyway), and voila everything works perfect.

Again, few people will need this hint, but all this talk of NetInfo and /etc/hosts is not entirely relevant to the situation described in the original post, nor in mine.

Cheers.
