Thanks Ian, a lot of good pointers in there!
Cheers
Angus
________________________________
From: Ian Willis via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Tuesday, December 28, 2021 12:06:52 AM
To: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org>
Cc: Ian Willis <fedora(a)checksum.net.au>
Subject: [Freeipa-users] Re: DNS and FreeIPA
Hi All,
Angus you appear to be struggling with fundamental concepts of how to manage DNS rather
than how to manage FreeIPA. It appears you've already made design decisions without
understanding the implications. You really need to understand the concept of split brain
DNS and the complications associated with this approach and if delegation provides a
better solution.
1. FreeIPA either needs to manage DNS, or you need to do it manually with a third party
DNS system, or you can run two sets of authoritative DNS servers, one of which is FreeIPA and
the other which could be a third party, and manually keep them in sync.
2. If you use FreeIPA to manage DNS in a public manner it will expose the DNS records
of associated hosts. What is the issue with exposing your private IP addresses and
hostnames, they're not routable? It's just security through obscurity; your security
should rely upon stronger foundations.
3. It's not an admins vs devs thing. I'm an admin, not a dev; you're just
struggling to understand how DNS works and are thrashing around thinking that a point and
click solution will solve this lack of domain expertise. It won't: understand your
requirements and design to them.
Read the BIND documentation, more specifically Split DNS:
https://bind9.readthedocs.io/en/latest/
https://bind9.readthedocs.io/en/latest/advanced.html#split-dns
In relation to your question.
* You've already decided that you are using a third party DNS provider for the
domain, that's making this harder. You might want to consider delegating a subdomain
of this domain to FreeIPA to manage as it's more straightforward to take that
approach, especially if you want externally available services. However you need to
understand how delegation works: as the owner of a domain you can delegate a subdomain to
another set of servers.
* You state that you're not exposing any of your internal servers to the internet.
If this is the case why do you need a public DNS domain? Basically by definition you
don't, so the problem is that you're asking a nonsense question and getting
frustrated by the fact that you're not getting a response that answers your question. I
suspect that the domain will offer some public services and some private services and
that's what you're struggling with. However you haven't articulated this
either.
-----Original Message-----
From: Angus Clarke via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
To: Rafael Jeffman <rjeffman@redhat.com>
Cc: Dave Mintz <davemintz64@gmail.com>, FreeIPA users list <freeipa-users@lists.fedorahosted.org>, Peter Larsen <peter@peterlarsen.org>, Angus Clarke <angus@charworth.com>
Subject: [Freeipa-users] Re: DNS and FreeIPA
Date: Mon, 27 Dec 2021 20:27:14 +0000
Hi Rafael
I appreciate your response but we're (just me?) still lacking in direction as to how
to properly use your software in the real world - to me it feels like an admins vs devs
topic although I could easily be missing something :)
I mention the Microsoft documentation because I haven't found anything on this topic
in Red Hat land. I just remember the MS docs being the only source of useful information
when last I checked.
Ok let's try this:
I've just registered angusclarke.com with a public DNS provider and am ready to deploy
FreeIPA for my corporate network which uses a private IP space. How do I do this?
According to this
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
then I should have a domain delegated to me, but I am not a public DNS provider, I'm
just Angus Clarke ... Nor do I want my private IP space available to be looked up in a
public DNS record ... And I'd rather have my private IP records handled by my internal
DNS system - all of this is standard practice for companies and individuals, however I don't
think this topic is suitably addressed in the Red Hat documentation - I see a disconnect in
the recommendation pasted above vs the installation documentation for FreeIPA.
Maybe I've missed it, maybe I can promote the topic here and it can be championed in
the right direction, maybe I can even help on the topic myself.
Regards
Angus
From: Rafael Jeffman <rjeffman(a)redhat.com>
Sent: Monday, 27 December 2021, 8:15 pm
To: Angus Clarke
Cc: FreeIPA users list; Dave Mintz; Peter Larsen
Subject: Re: [Freeipa-users] Re: DNS and FreeIPA
Hello Angus,
On Mon, Dec 27, 2021 at 11:31 AM Angus Clarke <angus@charworth.com> wrote:
Hi Rafael
What is not clear to me is how to integrate FreeIPA with a real public DNS domain, which I
think is what Dave is referring to as he mentioned he owns a legitimate domain. In any
case, AFAIK we're not supposed to use made up domains for internal DNS anymore ...
Although you shouldn't use a domain name you don't own, if your DNS
server is not visible outside of your network, the issues you have with
domain names would be contained to your local network (like not being
able to access 'awellknowsearch.com' if you use this domain name in
your own network).
I see the docs talk about server.idm.example.com - presumably example.com
is supposed to be some legitimate DNS domain and idm.example.com
is a delegated subdomain, although this doesn't appear to be explained. Microsoft docs
talk about using delegated subdomains of legitimate public DNS domains for internal
corporate DNS, which is what got me into this train of thought in the first place.
Delegating a subdomain to a private IP (your internal DNS server) and hiding that
delegation with a split view on your public DNS is one way of hiding the subdomain from
public view whilst keeping all your private DNS data private and hosted/managed in house.
Whether you use FreeIPA's DNS for internally hosting idm.example.com
or not is a matter of choice I suppose.
A delegated subdomain is simply a subdomain for which the authoritative
DNS server is not the same as the main domain. I'm not sure about which
Microsoft docs you mention, but on Azure, subdomain delegation might be
required depending on what you want to do on Azure. For private
subdomains, if you have full control of the domain/hosts, there might not
be a need to delegate the subdomain (as in Peter Larsen's message).
Also, if you consider using split view, FreeIPA DNS should not be used, and
if you use an external DNS any configuration should be carried on that DNS
provider, so it is not a matter of configuring DNS within FreeIPA. The
discussion on configuring FreeIPA DNS only makes sense if using FreeIPA's
integrated DNS.
Whilst I'm here and at the opposite end of this topic, I run bad.domain for our
FreeIPA DNS domain (going back years to the original installation) with the realm BAD -
I'm getting a bit uncomfortable about this configuration and wondered if I'll drop
out of support at some point - any thoughts on that? (I surely can't be the only
one!)
I haven't used FreeIPA's DNS.
If you don't use FreeIPA's DNS, there is no problem in using whatever
your DNS nameserver supports, as long as FreeIPA entries are correct
and accessible. You may find which records need to be available with
`ipa dns-update-system-records --dry-run`.
Hope this helps,
Rafael
Thanks
Angus
________________________________
From: Rafael Jeffman via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Monday, 27 December 2021, 1:31 pm
To: FreeIPA users list
Cc: Dave Mintz; Peter Larsen; Rafael Jeffman
Subject: [Freeipa-users] Re: DNS and FreeIPA
Sorry for the top reply, but this is more an overview about all messages
than a direct answer. Everything here assumes you are using FreeIPA's
integrated DNS.
First, it was suggested that split view DNS is used. Don't do that, as it
is not supported by FreeIPA. Use it only if you manage your own external
DNS, without using FreeIPA to manage entries.
Regarding forwarding DNS queries, the easiest way is to set a global
forwarder. In my home lab I use public ones, like Google and Cloudflare,
and I'm not much concerned about external traffic, so I leave the default
configuration, "forward first", enabled.
You can find more information about the available options here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
A lot more about working with DNS can be found here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Regards,
Rafael
On Mon, Dec 27, 2021 at 1:40 AM Dave Mintz via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Peter,
Thank you so much!
Could you please elaborate on how to configure the FreeIPA DNS server to forward only
non-local-domain queries?
In the DNS Global Configuration there is the Forward policy:
- Forward first
- Forward only
- Forwarding disabled
Which one should be used to do what you say below?
Do I need to set a Global forwarder?
Best,
Dave
On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
> Hello,
> I have been trying to set up FreeIPA on an internal CentOS 8 server.
> I was successful in getting it running, I set up DNS for internal
> queries. It worked. However, when I tried to set up SSL certs I ran
> into issue.
>
> My question is this:
> I own a legitimate domain.
> It is not “hosted”.
> I have no intention of exposing any of my internal servers to the
> Internet.
> How do I go about configuring the DNS at my registrar so that when I
> configure my internal servers, including FreeIPA, DNS, SSL, email,
> etc., any requests that go out to the Internet will resolve
> correctly?
>
> Any help or pointers to documentation would be greatly appreciated.
I have FreeIPA with DNS over several replication instances running. The
domains are like yours mostly internal and not to resolve externally.
Without a lot of boring details, you do not need to register your TLD
if you just use the domain internally. As long as the resolver your
internal hosts point to is your authoritative DNS server that FreeIPA
manages, the clients will get responses as they need.
This requires your server not to just blindly forward all DNS
externally. I have forward turned off on my domains. This means when a
client requests a public DNS address, the bind server managed by
FreeIPA will do an NS lookup to see where the request needs to be sent.
It's not 1.1.1.1 or similar services doing that. Works great for a
small network where your domain is 100% internal.
You can have an external NS too and they can provide very different
answers. Perhaps you just want MX to resolve externally but an ocean of
internal addresses should not. If someone outside your network tries to
resolve an address, they will hit the external resolver (not managed by
FreeIPA!) and only resolve what it knows about.
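Ian's point about exposing private addresses and Peter's "MX externally, internal addresses not" both come down to deciding which records the external authoritative server may publish. The Python below is an added example, not code from the thread or the FreeIPA project: it audits a constructed BIND-format zone and splits it into public-view and internal-only records, hiding the delegating NS of the internal subdomain as Angus describes. The zone contents, hostnames and the idm.example.com subdomain are assumptions.

```python
import ipaddress

# Constructed sample zone: a public MX/web host plus the kind of records
# FreeIPA's integrated DNS serves for a realm (names and addresses assumed).
ZONE = """\
example.com.                 3600 IN MX  10 mail.example.com.
mail.example.com.            3600 IN A   203.0.113.25
www.example.com.             3600 IN A   203.0.113.80
idm.example.com.             3600 IN NS  ipa.idm.example.com.
ipa.idm.example.com.         3600 IN A   10.0.0.5
_kerberos._tcp.example.com.  3600 IN SRV 0 100 88 ipa.idm.example.com.
_ldap._tcp.example.com.      3600 IN SRV 0 100 389 ipa.idm.example.com.
_kerberos.example.com.       3600 IN TXT "EXAMPLE.COM"
"""

# RFC 1918 and IPv6 ULA space: addresses that mean nothing off-site.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
INTERNAL_ONLY_TYPES = {"SRV"}                                  # realm service discovery
INTERNAL_ONLY_OWNERS = ("_kerberos.", "_ldap.", "_kpasswd.")   # realm hint records

def is_private_address(text):
    """True for RFC 1918 / ULA addresses; False if text is not an IP at all."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)

def classify(zone_text, internal_subdomain):
    """Return (public, internal) record lists. A record stays internal when it
    is under the delegated subdomain (the delegating NS too, so the delegation
    is hidden from the public view), is a realm SRV/TXT hint, or points at
    private address space."""
    public, internal = [], []
    for line in zone_text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        keep_internal = (
            owner == internal_subdomain
            or owner.endswith("." + internal_subdomain)
            or rtype in INTERNAL_ONLY_TYPES
            or owner.startswith(INTERNAL_ONLY_OWNERS)
            or (rtype in ("A", "AAAA") and is_private_address(rdata[0]))
        )
        (internal if keep_internal else public).append(line)
    return public, internal
```

Run it against a real zone export before publishing to the external provider; anything that lands in the internal list should not exist in the external view at all.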
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat