Nick Charlton

Providing Internal DNS with OS X Server

Picture the scene: You’ve got a hosted Mac somewhere on the internet, you connect to it via a VPN to access the services you host on it, but you’d like to use domains to refer to these and have them look up correctly.

The solution to this (and to a bunch of similar problems) is to configure a DNS server internally to handle look ups for you. It’ll return internal-relevant IPs for domains (which could in this case be anything).

This is basically a much more specific version of Apple’s “Provide DNS service” article.

During these steps, you’ll need to:

Configure Forwarding Servers

It’s assumed you’ll configure this with whichever the upstream ISP provides. You can do this in’s DNS section under forwarding servers. They might well already be pre-populated.

Configure Lookup Behavior

The lookup behavior defines which networks the DNS server will be available to. You’ll want to configure both “The server itself” and “Clients on the local network” as the screenshot below shows:

DNS Server Lookup Behavior
DNS Server Lookup Behavior

Configure the VPN DNS Settings

Next, switch to the VPN service and configure the local DNS server:

VPN DNS Settings
VPN DNS Settings

(Assuming is the local server IP.)

Create a Zone & Configure it

Switch back to the DNS Service. First, check “Show All Records” in the cog dropdown. Then, “Add Primary Zone”:

Adding the Primary Zone
Adding the Primary Zone

Next, add an A record by selecting “Add Machine Record”:

Adding an A record
Adding an A record


Finally, you can test that this all worked by using dig. On a device connected to the VPN you should get a result like the following:

$ dig

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42105
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;      IN  A

;; ANSWER SECTION:   10800   IN  A

;; AUTHORITY SECTION:        10800   IN  NS

;; Query time: 153 msec
;; WHEN: Mon Jul  6 10:34:46 2015
;; MSG SIZE  rcvd: 64

If you get no result (or it forwards up to the external zone, you won’t see your internal IP listed. This would suggest that the DNS server isn’t specified correctly, or one of the other steps didn’t quite work right.