Hi Peter,

Thank you so much! 
Could you please elaborate on how to configure the FreeIPA DNS server to forward only non-local-domain queries?

In the DNS Global Configuration there is the Forward policy
Forward first
Forward only
Forwarding disabled

Which one should be used to do what you say below?
Do I need to set a Global forwarder?

Best,
Dave


> On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
>> Hello,
>> I have been trying to set up FreeIPA on an internal CentOS 8 server.
>> I was successful in getting it running, I set up DNS for internal
>> queries.  It worked.  However, when I tried to set up SSL certs I ran
>> into issue.
>>
>> My question is this: 
>> I own a legitimate domain.
>> It is not “hosted”.
>> I have no intention of exposing any of my internal servers to the
>> Internet.
>> How do I go about configuring the DNS at my registrar so that when I
>> configure my internal servers, including FreeIPA, DNS, SSL, email,
>> etc., any requests that go out to the Internet will resolve
>> correctly?
>>
>> Any help or pointers to documentation would be greatly appreciated.
>
> I have freeIPA with DNS over several replication instances running. The
> domains are like yours mostly internal and not to resolve externally.
> Without a lot of boring details, you do not need to register your TLD
> if you just use the domain internally. As long as the resolver your
> internal hosts point to is your authoritative DNS server that FreeIPA
> manages, the clients will get responses as they need.
>
> This requires your server not to just blindly forward all DNS
> externally. I have forward turned off on my domains. This means when a
> client requests a public DNS address, the bind server managed by
> FreeIPA will do a NS lookup to see where the request needs to be sent.
> It's not 1.1.1.1 or similar services doing that. Works great for a
> small network where your domain is 100% internal.
>
> You can have an external NS too and they can provide very different
> answers. Perhaps you just want MX to resolve externally but an ocean of
> internal addresses should not. If someone outside your network tries to
> resolve an address, they will hit the external resolver (not managed by
> FreeIPA!) and only resolve what it knows about.
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure