This comes up at least once every few weeks over in the Apple Support Communities. Someone wants to run an OS X server at home, but they have a dynamic public IP, and either they don’t want to shell out for a static IP, or their ISP doesn’t offer one. While this isn’t an IDEAL situation for OS X server, with a little work you can get a stable setup that works the way you’d expect.
This document assums the following.
- You’re running a 10.6 or 10.7 server
- You have a broadband connection with a dynamic IP
- You’re using an Apple Airport Extreme as your router
- Your Airport Extreme is acting as a DHCP server
Notes: An Apple Time Capsule can be used, however if you plan to run the AFP service on your server, and you want to access that service from outside your network, you will have to disable the file sharing service on your Time Capsule, which kind of defeats the purpose. Other routers/gateways can be used as well, but configuration of other routers/gateways is outside the scope of this document.
If you have set this machine up as an Open Directory master, please export your users and groups via Workgroup Manager, then convert to a standalone directory before making DNS changes.
If you haven’t read HoffmanLabs’ writeup on DNS yet, I suggest you take a break from this document and read up on OS X server and DNS here.
At this point, you should have a pretty good understanding of how DNS works, and the difference between internal and external DNS, right? The big thing you need to understand is that your server, on your local LAN, behind your Airport Extreme (or other gateway) has a static local IP in the 10.0.0.0/8 or 172.16.0.0/12 network blocks. Why shouldn’t you use the 192.168.0.0/16 block? As usual, HoffmanLabs has the answer.
The most important thing to understand here is that there is a difference between how your server is reached from inside your network than outside your network. The following diagram may help.
Think of your Airport Extreme (or other device) as the dividing line between the public and private networks. The first thing we need to do is get the internal DNS configured and working.
This section assumes the following
- You’ve configured OS X server with a static IP address within your network on the same subnet as your DHCP addresses (but OUTSIDE of the DHCP pool)
- You DO NOT already have a registered domain name that you wish to use
The first step to setting up internal DNS is to register a domain name to be used on the public internet. Yes, you read that correctly. You will need to register your domain name with one of the dynamic DNS providers. I use DynDNS, however the instructions should be similar for other dynamic DNS services.
Head here to sign up for a DynDNS pro account: DynDNS Pro.
Register your domain name. For the purposes of this document we will use example.net.
The next thing you need to do is make sure your server is referencing it’s self for DNS queries. In System Preferences > Network, you should already have your configuration set to manual. Replace whatever is in the DNS field with 127.0.0.1 (the loopback address).
Next, open Terminal.
Issue the following command, replacing your sever and domain names where appropriate.
You should see a return that looks something like this:
; <<>> DiG 9.6-ESV-R4-P3 <<>> server.example.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30237 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;server.example.net. IN A ;; ANSWER SECTION: server.example.net. 10800 IN A 10.0.0.5 ;; AUTHORITY SECTION: example.net. 10800 IN NS server.example.net. ;; Query time: 1 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Dec 21 11:45:20 2011 ;; MSG SIZE rcvd: 69
The important things here are that the answer section is returning the correct IP address, and in the last section, the server is 127.0.0.1, which means the server is referencing it’s self.
Next we have to test reverse DNS.
dig -x 10.0.0.5
Again, substitute your server’s IP address. You should see a return that looks like this:
; <<>> DiG 9.6-ESV-R4-P3 <<>> -x 10.0.0.5 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15165 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;184.108.40.206.in-addr.arpa. IN PTR ;; ANSWER SECTION: 220.127.116.11.in-addr.arpa. 10800 IN PTR server.example.net. ;; AUTHORITY SECTION: 0.0.10.in-addr.arpa. 10800 IN NS server.example.net. ;; ADDITIONAL SECTION: server.example.net. 10800 IN A 10.0.0.5 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Dec 21 11:49:18 2011 ;; MSG SIZE rcvd: 109
Again, the important thing to note here is that 10.0.0.5 is correctly resolving to server.example.net and that the server is referencing it’s self for DNS queries.
Finally, check to make sure the server knows it’s own hostname:
sudo changeip -checkhostname
You should see a return that looks like this:
Primary address = 10.0.0.5 Current HostName = server.example.net DNS HostName = server.example.net The names match. There is nothing to change. dirserv:success = “success”
If it tells you that DNS needs to be repaired, then you most likely didn’t set your server’s hostname correctly. Changing the server’s hostname is actually quite simple. Let’s assume that when setting up your server, you chose a .local hostname. In this case, we’ll assume server.local. To fix this, run the following command, substituting your IP address and hostnames where appropriate.
sudo changeip 10.0.0.5 10.0.0.5 server.local server.example.net
If you’re wondering, the syntax here is:
changeip [old IP] [new IP] [old hostname] [new hostname]
Reboot the server for good measure, then rerun changeip -checkhostname. You should get the expected result.
The next step is to get all of your client machines on your LAN pointing to your OS X server for DNS. If you have any clients that are manually assigned a static address, you will have to point them to your server’s IP in the system preferences pane. For DHCP clients, they pull that information from the DHCP server, in this case your AirPort Extreme.
In AirPort Utility, select your Airport Extreme, and under the Internet pane, go to the TCP/IP tab. Enter your server’s IP address in BOTH DNS fields. Click update, and your Airport Extreme will reboot with the new settings.
Reboot one of your client machines (or renew the DHCP lease) to get the updated DNS server information. Now you can try the same dig commands we used earlier on the client machines to make sure everything is still resolving properly.
The next step is to identify what services you want to make available from OUTSIDE your network, and forward the appropriate ports to your server. For the Airport Extreme, port forwarding is found in Airport Utility under Advanced > Port Mappings.
Apple has a list of ports for most of the services on OS X server available here.
You can test that your ports have been forwarded properly by obtaining your public IP address, going OUTSIDE of your network, and attempting a connection to your server using that public IP address. If you’ve done everything correctly up to this point, then you should be able to make a successful connection.
Dynamic DNS – Finally!
And now, the moment you’ve been waiting for… what you’ve been working so hard towards.
So, you registered your domain (example.net) with a Dynamic DNS provider, right? Great! Now all we have to do is create an A record for server.example.net in your dynamic DNS control panel (instructions for this will vary between providers, and are beyond the scope of this document. The important thing is to use the same server name you used for you local DNS.
The 2nd part of the picture is that the dynamic DNS provider will have a client application that you will install on your server. This will check your public IP, and any time it changes, it will update your A record with the current IP address. Again, configuration instructions will vary depending on your provider.
You now have a FQDN (server.example.net) that resolves to your server both inside and outside your network, even though you’re on a dynamic public IP.
Can’t get it working? I recommend posting a DETAILED description of where you’re getting stuck over on the Apple Support Communities and most likely someone will be able to assist you. It would be a good idea to reference this article in your post so that anyone trying to help you can see what you were trying to do.