Thursday, February 14, 2013

Subdomain DNS for VMWare/Hyper-V Virtual Lab on a MAC


I have a Windows 7 VM that I do general development on, in addition to writing Java or other code on my Mac.  Sometimes I want to push code from my Windows 7 VM to a virtual Windows Server lab set of VMs.  Other times I want to write a program on the Mac that communicates with servers in my virtual lab.  Direct IP address connection is always possible across these machines, but I want name-based address resolution so that I can test software the same way it would be tested in our data center.

The virtual lab is powered down most of the time, so the DNS solution must work well for general internet traffic when that lab's DNS server is unavailable.

The virtual lab has its own AD server that registers all the domain members' host names and IP addresses. In my case, I have it act as a subdomain of a domain that I own. The subdomain DNS is visible to machines on that private network whether they are in the AD domain or not.

My Windows 7 development VM and my Windows Server virtual lab run in VMware Fusion on my MacBook using NAT networking.  This puts them on a non-publicly routable network "behind" my Mac.  Fusion provides DNS support using the same DNS support used by the Mac itself. By default, all DNS for non-AD-domain machines runs through the Mac.  All DNS for AD domain machines runs through the AD controller and then through the Mac.

Option 1: Routing all VM DNS through AD/DNS

I didn't use this option because I only run my Virtual Lab part of the time.

One option is to route all the non-domain Windows VMs' DNS through the AD/DNS controller.  That DNS server acts as the sole DNS system of record for the AD domain, VIRTDEV in the diagram, and forwards all other requests to the internet DNS servers.  You can either set this behavior in the Windows 7 VM directly using the network properties, or you can configure Fusion to provide this behavior via DHCP using dhcpd.conf (/Library/Preferences/VMware Fusion/vmnet8/dhcpd.conf):

# Fixed-address host entry for the Windows 7 VM, keyed on its MAC address.
# Hands the VM the AD/DNS controller as its only nameserver via DHCP.
host MyDevMachine {
    hardware ethernet 00:15:5D:90:84:03;
    option domain-name-servers <ip of your AD/DNS server on the private network>;
}

Option 2: Routing DNS through the Mac Using Resolver

I used this option because:

  1. The Mac itself can use DNS to access the virtual lab machines by name.
  2. DNS works well whether the virtual lab, with its DNS, is up or not.

An alternative is to keep the default "through the host" routing while slightly changing the way the Mac resolves addresses.  Normally the Mac uses the DNS servers provided by the host's external network.  That network doesn't know about our private LAN, the virtual lab machines.  We can configure the Mac to use an alternative server for specific domains while retaining the default behavior for all other domains.  In this example, we configure the Mac to use an alternative server for the VIRTDEV domain.

Unix machines, in general, use /etc/resolv.conf to tell them where to find their DNS nameservers. This file can be modified through the Network control panel or effectively modified via DHCP at startup.  The Mac can also be configured to use specific DNS servers for specific domains in a way that is unaffected by the control panel or DHCP.  When looking for a DNS server for a domain:

  1. The Mac first looks for a file with that domain name in the /etc/resolver directory.  If that file exists, it uses the server specified in that file to resolve names in that domain to addresses.
  2. If step 1 fails, the Mac then looks at the servers in resolv.conf and uses those servers to provide DNS resolution.

Configuring the Mac to use Alternative DNS for Specific Subdomains

This must be done with an account that has elevated privileges or the ability to sudo. You can do this with GUI tools or with a shell prompt.
  1. Create the directory /etc/resolver.  It does not exist by default.
  2. Create a file named with the fully qualified domain name of your virtual lab.  In my example the file name is /etc/resolver/
  3. Add two lines to the file:
    1. domain <your domain>
    2. nameserver <ip of your DNS server on the private domain>
The changes are picked up automatically.  You can verify this by using the nslookup command in a terminal window. Here are the contents of my /etc/resolver/ file.
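The steps above as a small POSIX shell helper. This is an added example, not the post's own script; the domain virtdev.example.com and the nameserver 192.168.181.10 are constructed placeholders, and RESOLVER_DIR can be pointed at a scratch directory to try it without root.

```shell
#!/bin/sh
# Added example: write a per-domain resolver file for the macOS resolver
# (/etc/resolver/<domain>) with validation, so a typo does not silently
# break name resolution for the lab domain.
RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"

# is_ipv4 ADDR : succeed only for a dotted quad with four octets in 0..255
is_ipv4() {
    addr="$1"
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_resolver DOMAIN NAMESERVER : create $RESOLVER_DIR/DOMAIN holding
# the two lines the post describes ("domain ..." and "nameserver ...").
write_resolver() {
    domain="$1"
    ns="$2"
    case "$domain" in
        ""|*/*|.*|*..*) echo "bad domain name: $domain" >&2; return 1 ;;
    esac
    is_ipv4 "$ns" || { echo "bad nameserver address: $ns" >&2; return 1; }
    mkdir -p "$RESOLVER_DIR" || return 1
    printf 'domain %s\nnameserver %s\n' "$domain" "$ns" > "$RESOLVER_DIR/$domain"
}

# resolver_nameserver DOMAIN : print the nameserver recorded for DOMAIN
# (empty output if no resolver file exists for it).
resolver_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$RESOLVER_DIR/$1" 2>/dev/null
}

# Usage (needs sudo for the real /etc/resolver):
#   sudo sh this.sh install virtdev.example.com 192.168.181.10
#   sh this.sh show virtdev.example.com
case "${1:-}" in
    install) write_resolver "$2" "$3" ;;
    show)    resolver_nameserver "$2" ;;
esac
```

After installing the file, confirm the pickup as the post says with nslookup against a host in the lab domain; the system reads /etc/resolver without any restart.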


Works for Linux Guests and the Mac Itself

The Mac resolver file approach works for guests running any operating system that want DNS support for the machines joined to the AD domain, independent of their operating systems.  Those guests do not require per-VM configuration and do not require custom DHCP nameserver settings in the Fusion dhcpd.conf.  It also works with pre-built VMs or appliances available on the internet.

Options Not Considered

I never considered the option of editing the Windows hosts file or editing the network adapter settings.  This wouldn't work for the Mac itself, and it would require that every consumer of that private network/domain be modified to know about the private network's DNS server.  I wanted something that would work for any number of virtual machines without having to modify each individual machine.


Modifying the Mac DNS resolver to support a virtual domain makes it easy to provide support for programs on the Mac, on Linux guests, and on non-AD-domain Windows machines.   The virtual lab, with its DNS domain, appears to the host and guests as if it were a "real" domain on the internet, making it possible to test code the same way you would if you were in your data center or in some cloud deployment.
