RFC 1918 errors in DNS
olePigeon
Clinically Insane
Join Date: Dec 1999
May 15, 2012, 04:56 PM
 
My DNS server is giving me RFC 1918 errors. Something like this:

view com.apple.ServerAdmin.DNS.public: RFC 1918 response from Internet for 142.57.57.10.in-addr.arpa

It's been doing this for several years and our network administrator doesn't think it's an issue, but it spams it in the log a LOT. The log gets to several hundred MBs a day. I've looked high and low for an answer, and I can only find vague references to RFC 1918 and how to fix it, but it's always from a Linux standpoint and not OS X.

Anyone run into this problem? I also get the error about unable to resolve some URL, but fixes it by reducing it to 512 octets. I'm not a DNS person, so I don't know what's going on.

Another problem is that Time Machine won't work, and I'm convinced it's a DNS issue. It'll work fine until the server gets DNS information, then it'll freeze clients and corrupt LDAP on the server requiring a reinstall.
"…I contend that we are both atheists. I just believe in one fewer god than
you do. When you understand why you dismiss all the other possible gods,
you will understand why I dismiss yours." - Stephen F. Roberts
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 15, 2012, 11:26 PM
 
It looks like it is trying to do a reverse DNS lookup of your private IP on your VLAN and failing, which is not surprising since there aren't RDNS entries for IPs on a private VLAN.

Why do you need to do DNS lookups of your private IP? What is doing these?
     
olePigeon  (op)
Clinically Insane
Join Date: Dec 1999
May 16, 2012, 11:52 AM
 
Well, I have two issues. First, I have two servers on our private LAN that need DNS lookup: primary.server. and backup.server. If I don't set 10.0.0.0/8 to accept recursive queries, then nothing can access those services via their domain name, only IP.

My zones are set up correctly, I think.
Also, even though I have forwarder IP addresses set up for DNS that points to our primary DNS server, DNS takes an extraordinary amount of time to resolve unless I have said 10 net set to accept recursive queries.

I don't know what else to do. I'll try and post some pictures of my setup, maybe that'll help. Someone can point out what it is I'm doing wrong since, honestly, I don't know what I'm doing.
     
olePigeon  (op)
Clinically Insane
Join Date: Dec 1999
May 16, 2012, 12:28 PM
 
Our primary DNS is not aware of our local servers. I did not set it up that way. That's why I need this a local DNS server. I want the students to be able to just type in: afp://server.egan to get to their documents. Also, backups point to, obviously, backup.egan (as does DeployStudio.)

I fix computers, I'm not a system administrator. So this is new territory for me. However, I'm having to pick up more and more responsibilities. I tried to follow tutorials online.

This is how I have it set up:


     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 16, 2012, 02:21 PM
 
Originally Posted by olePigeon View Post
Well, I have two issues. First, I have two servers on our private LAN that need DNS lookup: primary.server. and backup.server. If I don't set 10.0.0.0/8 to accept recursive queries, then nothing can access those services via their domain name, only IP.

My zones are set up correctly, I think.
Also, even though I have forwarder IP addresses set up for DNS that points to our primary DNS server, DNS takes an extraordinary amount of time to resolve unless I have said 10 net set to accept recursive queries.

I don't know what else to do. I'll try and post some pictures of my setup, maybe that'll help. Someone can point out what it is I'm doing wrong since, honestly, I don't know what I'm doing.

First of all, are you aware that you can create domain -> IP mappings ala DNS entries for the machines using your /etc/hosts file? DNS entries for private IPs are fine too, I'm just adding this info in case it is useful. Sometimes it is easier to create entries in /etc/hosts than it is to run a DNS server, especially if we are just talking about a few entries.

DNS lookups can take a very long time if a DNS server is unreachable.

Providing bigger picture info on what you are trying to do here would help, yeah...
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 16, 2012, 02:26 PM
 
Originally Posted by olePigeon View Post
Our primary DNS is not aware of our local servers. I did not set it up that way. That's why I need this a local DNS server. I want the students to be able to just type in: afp://server.egan to get to their documents. Also, backups point to, obviously, backup.egan (as does DeployStudio.)

I fix computers, I'm not a system administrator. So this is new territory for me. However, I'm having to pick up more and more responsibilities. I tried to follow tutorials online.

This is how I have it set up:



From one of the client machines, can they contact your DNS server to do a lookup via:

host server.egan. [dns server IP]

If not, check your firewall rules for the server, make sure the bind daemon is running, etc. Try the same test from the server.

Again, if the /etc/hosts route is viable for you, this definitely makes things far simpler.
     
olePigeon  (op)
Clinically Insane
Join Date: Dec 1999
May 16, 2012, 03:36 PM
 
Originally Posted by besson3c View Post
First of all, are you aware that you can create domain -> IP mappings ala DNS entries for the machines using your /etc/hosts file? DNS entries for private IPs are fine too, I'm just adding this info in case it is useful. Sometimes it is easier to create entries in /etc/hosts than it is to run a DNS server, especially if we are just talking about a few entries.
That wouldn't be an easy thing to do. I'm administering 350+ laptops and probably another 40 desktop machines. Close to 400 computers all together.

Originally Posted by besson3c View Post
DNS lookups can take a very long time if a DNS server is unreachable.
Yeah, that's what I figured was happening, and it would explain why I couldn't reach main and backup servers via their domain name. I'm just confused about what to put in the recursive queries. If I put the whole 10 net, then I start getting RFC 1918 errors.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 16, 2012, 04:00 PM
 
Originally Posted by olePigeon View Post
That wouldn't be an easy thing to do. I'm administering 350+ laptops and probably another 40 desktop machines. Close to 400 computers all together.



Yeah, that's what I figured was happening, and it would explain why I couldn't reach main and backup servers via their domain name. I'm just confused about what to put in the recursive queries. If I put the whole 10 net, then I start getting RFC 1918 errors.

You don't need reverse DNS entries for your private IP addresses. In fact, I would remove them, they are completely unnecessary. RDNS lookups are useful for spam checks and stuff when you want to confirm ownership of an IP address/block, but an RDNS entry is not required for most things, and definitely not required for private IP addresses since nobody "owns" private IPs the way they do public IPs.

If you can query your DNS server and have it resolve requests to non-authoritative domains, say google.com or something, then the forwarding is working and your work is done.

At this point, I'd focus on troubleshooting your connectivity to the DNS server once you've removed your RDNS entries for your private IPs. Use the "host" tool in your terminal, as described.
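
Added example, not part of the thread: a small Python script that tallies the warning quoted in the first post by address and by /24 reverse zone, to show which private addresses account for the log volume. The sample log lines are constructed in the format of that quoted line, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Warning text as quoted in the first post; captures the reverse-lookup name.
LOG_RE = re.compile(r"RFC 1918 response from Internet for ((?:\d{1,3}\.){1,4}in-addr\.arpa)", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (same format as the line quoted in the thread).
PREFIX = "view com.apple.ServerAdmin.DNS.public: RFC 1918 response from Internet for "
SAMPLE_LOG = [
    PREFIX + "142.57.57.10.in-addr.arpa",
    PREFIX + "142.57.57.10.in-addr.arpa",
    PREFIX + "7.57.57.10.in-addr.arpa",
    PREFIX + "20.1.168.192.in-addr.arpa",
    PREFIX + "57.10.in-addr.arpa",       # partial name: counted as skipped
    "an unrelated log line",             # ignored
]

def reverse_name_to_ip(name):
    """'142.57.57.10.in-addr.arpa' -> IPv4Address('10.57.57.142'), else None."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None

def summarize(lines):
    """Return (hits per IP, hits per /24 reverse zone, unparseable count)."""
    per_ip, per_zone, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = reverse_name_to_ip(m.group(1))
        if ip is None or not any(ip in net for net in RFC1918):
            skipped += 1
            continue
        per_ip[str(ip)] += 1
        a, b, c, _ = str(ip).split(".")
        per_zone[f"{c}.{b}.{a}.in-addr.arpa"] += 1
    return per_ip, per_zone, skipped

if __name__ == "__main__":
    per_ip, per_zone, skipped = summarize(SAMPLE_LOG)
    for zone, n in per_zone.most_common():
        print(f"{n:6d}  {zone}")
    print("top addresses:", per_ip.most_common(3), "skipped:", skipped)
```

To run it against a real log, pass the open file object to `summarize()` in place of `SAMPLE_LOG`.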
     
   
 