On Sun, 2021-12-26 at 23:39 -0500, Dave Mintz wrote:
> Thank you so much!
> Could you please elaborate on how to configure the FreeIPA DNS server
> to forward only non-local-domain queries?
> In the DNS Global Configuration there is the Forward policy:
>   Forward first
>   Forward only
>   Forwarding disabled
> Which one should be used to do what you say below?
> Do I need to set a Global forwarder?

Hello Dave,
Others have already pointed you to the documentation where it's
explained. But here's a quick primer on how DNS works from a client
perspective. I'll try to do it short, but that means ignoring quite a
few details.
When a client requests a domain from your DNS server, it first looks at
its own records, and if it finds an answer there, this is the response
sent back. If not, it will decide whether it should forward the request
to another DNS server or do a DNS NS lookup for an authoritative server.
Once found, it sends the request there and waits for a response.
Forward-only is a domain that breaks the default lookup address. So a
particular domain may only be defined locally on a different server,
and using forward-only tells your DNS server to send the request to
this server if it's for that domain.
No forward is when your server does the NS lookup using the ROOT
servers.
Forward-first I never understood the point of. It means if a domain is
found on your system, that the request is first sent to another DNS
server and if it gives up and tells your DNS server "not found", your
server will then see what it has and respond. I don't know of any good
use-cases for this. Perhaps others can help here?
I by far prefer the old but trusted method of using authoritative
lookups. Not that I do that believing I'm not tracked - we all are (at
least in the US) - but it makes me relatively immune to central failures,
censorship, DNS poisoning and a lot more. So I keep the forward options
turned off. Only my modem has them, but once booted my DNS servers
take over and things work very fast and reliably.
So your own network only needs ONE DNS server - yours. Splitting it can
be required if you have an inside/outside view of your network that
differs. But when you do that, the inside still only sees one DNS, and
the outside only sees one - but they are not the same. The reason is
often that even if the same host should exist outside and inside, you
don't want internal traffic to be routed via an external IP - so you
need those addresses resolved to internal addresses - there's no reason
to query the external system.
//
Peter Larsen
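To make the three policies Dave lists concrete, here is an added example of a plain BIND `named.conf` fragment; it is not from either message in the thread and not FreeIPA's generated configuration (FreeIPA stores its zones in LDAP via bind-dyndb-ldap and sets the policy through `ipa dnsconfig-mod --forward-policy=...`, so the file is only there to show the semantics). All hostnames, IP addresses and file paths are placeholders. Note that a zone the server is authoritative for is always answered from local data, whatever the global policy; the policy decides only what happens with names the server does not hold: `forward only` sends them to the forwarders and fails if those do not answer, `forward first` tries the forwarders and then falls back to normal recursion from the root hints, and with no forwarders configured the server recurses for everything itself.

```conf
// Added example, not from the thread: BIND forward policies side by side.
// Placeholders: 192.0.2.x / 198.51.100.x addresses, *.example.test names.

options {
    // Upstream resolvers consulted for names this server is not
    // authoritative for (the "Global forwarder" in the FreeIPA UI).
    forwarders { 192.0.2.53; 192.0.2.54; };

    // FreeIPA "Forward only": non-local names go to the forwarders;
    // if the forwarders fail, the query fails (no root recursion).
    forward only;

    // FreeIPA "Forward first" would instead be:
    //     forward first;
    // -> ask the forwarders, and on failure recurse from the root hints.
    // FreeIPA "Forwarding disabled": leave out the forwarders block
    // entirely; named then recurses from the root hints for every
    // non-local name (Peter's preferred setup above).
};

// Local authoritative zone: answered from local data regardless of
// the global forward policy, so internal names never leave the server.
zone "ipa.example.test" {
    type master;
    file "/var/named/ipa.example.test.db";   // placeholder path
};

// Per-zone forward (FreeIPA: ipa dnsforwardzone-add): send only this
// domain to a different server, e.g. one that holds a partner's
// internal names, without changing the policy for everything else.
zone "corp.example.test" {
    type forward;
    forward only;
    forwarders { 198.51.100.10; };
};
```

A quick check that the local zone really is answered locally, whatever the policy: `dig @<ipa-server> host.ipa.example.test` should show the `aa` (authoritative answer) flag in the header, while `dig @<ipa-server> www.example.org` will not, because that answer came from a forwarder or from recursion.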