1:16 p.m.
Hello,
I have been trying to set up FreeIPA on an internal CentOS 8 server. I was successful in
getting it running, I set up DNS for internal queries. It worked. However, when I tried
to set up SSL certs I ran into issue.
My question is this:
I own a legitimate domain.
It is not “hosted”.
I have no intention of exposing any of my internal servers to the Internet.
How do I go about configuring the DNS at my registrar so that when I configure my internal
servers, including FreeIPA, DNS, SSL, email, etc., any requests that go out to the
Internet will resolve correctly?
Any help or pointers to documentation would be greatly appreciated.
Dave
3:39 p.m.
Hi
You could host split view dns so as to only give responses to queries from certain (your)
IP addresses, thus hiding your private DNS information from general public queries.
Similarly yet more succinctly, you could use a subdomain and delegate the DNS for that to
a private IP in your network, again using a split view so that the delegation is only
resolvable from certain (your) IPs. This way your private DNS records are fully internal
(your DNS server) under a subdomain.
I've not yet done this myself but have considered this kind of setup (subdomain
delegation) for some future company DNS implementation.
Regards
Angus
________________________________
From: Dave Mintz via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Sunday, 26 December 2021, 8:16 pm
To: freeipa-users(a)lists.fedorahosted.org
Cc: Dave Mintz
Subject: [Freeipa-users] DNS and FreeIPA
Hello,
I have been trying to set up FreeIPA on an internal CentOS 8 server. I was successful in
getting it running, I set up DNS for internal queries. It worked. However, when I tried
to set up SSL certs I ran into issue.
My question is this:
I own a legitimate domain.
It is not “hosted”.
I have no intention of exposing any of my internal servers to the Internet.
How do I go about configuring the DNS at my registrar so that when I configure my internal
servers, including FreeIPA, DNS, SSL, email, etc., any requests that go out to the
Internet will resolve correctly?
Any help or pointers to documentation would be greatly appreciated.
Dave
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.f...
List Guidelines:
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedora...
List Archives:
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists....
Do not reply to spam on the list, report it:
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure...
9 p.m.
On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
Hello,
I have been trying to set up FreeIPA on an internal CentOS 8 server.
I was successful in getting it running, I set up DNS for internal
queries. It worked. However, when I tried to set up SSL certs I ran
into issue.
My question is this:
I own a legitimate domain.
It is not “hosted”.
I have no intention of exposing any of my internal servers to the
Internet.
How do I go about configuring the DNS at my registrar so that when I
configure my internal servers, including FreeIPA, DNS, SSL, email,
etc., any requests that go out to the Internet will resolve
correctly?
Any help or pointers to documentation would be greatly appreciated.
I have freeIPA with DNS over several replication instances running. The
domains are like yours mostly internal and not to resolve externally.
Without a lot of boring details, you do not need to register your TLD
if you just use the domain internally. As long as the resolver your
internal hosts point to is your authoritative DNS server that FreeIPA
manages, the clients will get responses as they need.
This requires your server not to just blindly forward all DNS
externally. I have forward turned off on my domains. This means when a
client requests a public DNS address, the bind server managed by
FreeIPA will do a NS lookup to see where the request needs to be sent.
It's not 1.1.1.1 or similar services doing that. Works great for a
small network where your domain is 100% internal.
You can have an external NS too and they can provide very different
answers. Perhaps you just want MX to resolve externally but an ocean of
internal addresses should not. If someone outside your network tries to
resolve an address, they will hit the external resolver (not managed by
FreeIPA!) and only resolve what it knows about.
10:39 p.m.
Hi Peter,
Thank you so much!
Could you please elaborate on how to configure the FreeIPA DNS server to forward only
non-local-domain queries?
In the DNS Global Configuration there is the Forward policy
Forward first
Forward only
Forwarding disabled
Which one should be used to do what you say below?
Do I need to set a Global forwarder?
Best,
Dave
On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
> Hello,
> I have been trying to set up FreeIPA on an internal CentOS 8 server.
> I was successful in getting it running, I set up DNS for internal
> queries. It worked. However, when I tried to set up SSL certs I ran
> into issue.
>
> My question is this:
> I own a legitimate domain.
> It is not “hosted”.
> I have no intention of exposing any of my internal servers to the
> Internet.
> How do I go about configuring the DNS at my registrar so that when I
> configure my internal servers, including FreeIPA, DNS, SSL, email,
> etc., any requests that go out to the Internet will resolve
> correctly?
>
> Any help or pointers to documentation would be greatly appreciated.
I have freeIPA with DNS over several replication instances running. The
domains are like yours mostly internal and not to resolve externally.
Without a lot of boring details, you do not need to register your TLD
if you just use the domain internally. As long as the resolver your
internal hosts point to is your authoritative DNS server that FreeIPA
manages, the clients will get responses as they need.
This requires your server not to just blindly forward all DNS
externally. I have forward turned off on my domains. This means when a
client requests a public DNS address, the bind server managed by
FreeIPA will do a NS lookup to see where the request needs to be sent.
It's not 1.1.1.1 or similar services doing that. Works great for a
small network where your domain is 100% internal.
You can have an external NS too and they can provide very different
answers. Perhaps you just want MX to resolve externally but an ocean of
internal addresses should not. If someone outside your network tries to
resolve an address, they will hit the external resolver (not managed by
FreeIPA!) and only resolve what it knows about.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
6:24 a.m.
Hi,
the various settings are explained in DNS forward policies in IdM
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
.
By default, the DNS server does not forward queries if they are related to
a zone for which it is authoritative (=for zones listed in *ipa
dnszone-find*). For other zones:
- if they are defined as a forward zone (configured with *ipa
dnsforwardzone-add*), the zone forwarder/policy is used
- if they are not defined as a forward zone, the general configuration
applies (global forwarder and global policy or per-server forwarder and
policy if they exist).
flo
On Mon, Dec 27, 2021 at 5:40 AM Dave Mintz via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi Peter,
Thank you so much!
Could you please elaborate on how to configure the FreeIPA DNS server to
forward only non-local-domain queries?
In the DNS Global Configuration there is the Forward policy
Forward first
Forward only
Forwarding disabled
Which one should be used to do what you say below?
Do I need to set a Global forwarder?
Best,
Dave
> On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
>
> On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
>> Hello,
>> I have been trying to set up FreeIPA on an internal CentOS 8 server.
>> I was successful in getting it running, I set up DNS for internal
>> queries. It worked. However, when I tried to set up SSL certs I ran
>> into issue.
>>
>> My question is this:
>> I own a legitimate domain.
>> It is not “hosted”.
>> I have no intention of exposing any of my internal servers to the
>> Internet.
>> How do I go about configuring the DNS at my registrar so that when I
>> configure my internal servers, including FreeIPA, DNS, SSL, email,
>> etc., any requests that go out to the Internet will resolve
>> correctly?
>>
>> Any help or pointers to documentation would be greatly appreciated.
>
> I have freeIPA with DNS over several replication instances running. The
> domains are like yours mostly internal and not to resolve externally.
> Without a lot of boring details, you do not need to register your TLD
> if you just use the domain internally. As long as the resolver your
> internal hosts point to is your authoritative DNS server that FreeIPA
> manages, the clients will get responses as they need.
>
> This requires your server not to just blindly forward all DNS
> externally. I have forward turned off on my domains. This means when a
> client requests a public DNS address, the bind server managed by
> FreeIPA will do a NS lookup to see where the request needs to be sent.
> It's not 1.1.1.1 or similar services doing that. Works great for a
> small network where your domain is 100% internal.
>
> You can have an external NS too and they can provide very different
> answers. Perhaps you just want MX to resolve externally but an ocean of
> internal addresses should not. If someone outside your network tries to
> resolve an address, they will hit the external resolver (not managed by
> FreeIPA!) and only resolve what it knows about.
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
6:30 a.m.
Sorry for the top reply, but this is more an overview about all messages
than a direct answer. Everything here assumes you are using FreeIPA's
integrated DNS.
First, it was suggested that split view DNS is used. Don't do that, as it
is not supported by FreeIPA. Use it only if you manage your own external
DNS, without using FreeIPA to manage entries.
Regarding forwarding DNS queries, the easiest way is to set a global
forwarder. In my home lab I use public ones, like Google and Cloudflare,
and I'm not much concerned about external traffic, so I leave the default
configuration, "forward first", enabled.
You can find more information about the available options here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
A lot more about working with DNS can be found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Regards,
Rafael
On Mon, Dec 27, 2021 at 1:40 AM Dave Mintz via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi Peter,
Thank you so much!
Could you please elaborate on how to configure the FreeIPA DNS server to
forward only non-local-domain queries?
In the DNS Global Configuration there is the Forward policy
Forward first
Forward only
Forwarding disabled
Which one should be used to do what you say below?
Do I need to set a Global forwarder?
Best,
Dave
> On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
>
> On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
>> Hello,
>> I have been trying to set up FreeIPA on an internal CentOS 8 server.
>> I was successful in getting it running, I set up DNS for internal
>> queries. It worked. However, when I tried to set up SSL certs I ran
>> into issue.
>>
>> My question is this:
>> I own a legitimate domain.
>> It is not “hosted”.
>> I have no intention of exposing any of my internal servers to the
>> Internet.
>> How do I go about configuring the DNS at my registrar so that when I
>> configure my internal servers, including FreeIPA, DNS, SSL, email,
>> etc., any requests that go out to the Internet will resolve
>> correctly?
>>
>> Any help or pointers to documentation would be greatly appreciated.
>
> I have freeIPA with DNS over several replication instances running. The
> domains are like yours mostly internal and not to resolve externally.
> Without a lot of boring details, you do not need to register your TLD
> if you just use the domain internally. As long as the resolver your
> internal hosts point to is your authoritative DNS server that FreeIPA
> manages, the clients will get responses as they need.
>
> This requires your server not to just blindly forward all DNS
> externally. I have forward turned off on my domains. This means when a
> client requests a public DNS address, the bind server managed by
> FreeIPA will do a NS lookup to see where the request needs to be sent.
> It's not 1.1.1.1 or similar services doing that. Works great for a
> small network where your domain is 100% internal.
>
> You can have an external NS too and they can provide very different
> answers. Perhaps you just want MX to resolve externally but an ocean of
> internal addresses should not. If someone outside your network tries to
> resolve an address, they will hit the external resolver (not managed by
> FreeIPA!) and only resolve what it knows about.
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
8:31 a.m.
Hi Rafael
What is not clear to me is how to integrate FreeIPA with a real public DNS domain, which I
think is what Dave is referring to as he mentioned he owns a legitimate domain. In any
case, AFAIK we're not supposed to use made up domains for internal DNS anymore ...
I see the docs talk about server.idm.example.com - presumably example.com is supposed to
be some legitimate DNS domain and idm.example.com is a delegated subdomain, although this
doesn't appear to be explained. Microsoft docs talk about using delegated subdomains
of legitimate public DNS domains for internal corporate DNS, which is what got me into
this train of thought in the first place.
Delegating a subdomain to a private IP (your internal DNS server) and hiding that
delegation with a split view on your public DNS is one way of hiding the subdomain from
public view whilst keeping all your private DNS data private and hosted/managed in house.
Whether you use FreeIPA's DNS for internally hosting idm.example.com or not is a
matter of choice I suppose.
Whilst I'm here and at the opposite end of this topic, I run bad.domain for our
FreeIPA DNS domain (going back years to the original installation) with the realm BAD -
I'm getting a bit uncomfortable about this configuration and wondered if I'll drop
out of support at some point - any thoughts on that? (I surely can't be the only
one!)
I haven't used FreeIPA's DNS.
Thanks
Angus
________________________________
From: Rafael Jeffman via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Monday, 27 December 2021, 1:31 pm
To: FreeIPA users list
Cc: Dave Mintz; Peter Larsen; Rafael Jeffman
Subject: [Freeipa-users] Re: DNS and FreeIPA
Sorry for the top reply, but this is more an overview about all messages
than a direct answer. Everything here assumes you are using FreeIPA's
integrated DNS.
First, it was suggested that split view DNS is used. Don't do that, as it
is not supported by FreeIPA. Use it only if you manage your own external
DNS, without using FreeIPA to manage entries.
Regarding forwarding DNS queries, the easiest way is to set a global
forwarder. In my home lab I use public ones, like Google and Cloudflare,
and I'm not much concerned about external traffic, so I leave the default
configuration, "forward first", enabled.
You can find more information about the available options here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
A lot more about working with DNS can be found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Regards,
Rafael
On Mon, Dec 27, 2021 at 1:40 AM Dave Mintz via FreeIPA-users
<freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
wrote:
Hi Peter,
Thank you so much!
Could you please elaborate on how to configure the FreeIPA DNS server to forward only
non-local-domain queries?
In the DNS Global Configuration there is the Forward policy
Forward first
Forward only
Forwarding disabled
Which one should be used to do what you say below?
Do I need to set a Global forwarder?
Best,
Dave
On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users
<freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
wrote:
On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
> Hello,
> I have been trying to set up FreeIPA on an internal CentOS 8 server.
> I was successful in getting it running, I set up DNS for internal
> queries. It worked. However, when I tried to set up SSL certs I ran
> into issue.
>
> My question is this:
> I own a legitimate domain.
> It is not “hosted”.
> I have no intention of exposing any of my internal servers to the
> Internet.
> How do I go about configuring the DNS at my registrar so that when I
> configure my internal servers, including FreeIPA, DNS, SSL, email,
> etc., any requests that go out to the Internet will resolve
> correctly?
>
> Any help or pointers to documentation would be greatly appreciated.
I have freeIPA with DNS over several replication instances running. The
domains are like yours mostly internal and not to resolve externally.
Without a lot of boring details, you do not need to register your TLD
if you just use the domain internally. As long as the resolver your
internal hosts point to is your authoritative DNS server that FreeIPA
manages, the clients will get responses as they need.
This requires your server not to just blindly forward all DNS
externally. I have forward turned off on my domains. This means when a
client requests a public DNS address, the bind server managed by
FreeIPA will do a NS lookup to see where the request needs to be sent.
It's not 1.1.1.1 or similar services doing that. Works great for a
small network where your domain is 100% internal.
You can have an external NS too and they can provide very different
answers. Perhaps you just want MX to resolve externally but an ocean of
internal addresses should not. If someone outside your network tries to
resolve an address, they will hit the external resolver (not managed by
FreeIPA!) and only resolve what it knows about.
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://...
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines<https://emea01....
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure<https://emea01.safelinks.prote...
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://...
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines<https://emea01....
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure<https://emea01.safelinks.prote...
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
1:10 p.m.
On Sun, 2021-12-26 at 23:39 -0500, Dave Mintz wrote:
Thank you so much!
Could you please elaborate on how to configure the FreeIPA DNS server
to forward only non-local-domain queries?
In the DNS Global Configuration there is the Forward policy
Forward first
Forward only
Forwarding disabled
Which one should be used to do what you say below?
Do I need to set a Global forwarder?
Hello Dave,
Others have already pointed you to the documentation where it's
explained. But here's a quick primer on how DNS works from a client
perspective. I'll try to do it short, but that means ignoring quite a
few details.
When a client requests a domain from your DNS server, it first looks to
own records and if it finds an answer there, this is the response sent
back. If not, it will decide if it should forward the request to
another DNS server or do a DNS NS lookup for an authoritative server.
Once found, it sends the request there waiting for a response.
Forward-only is a domain that breaks the default lookup address. So a
particular domain may only be defined locally on a different server,
and using forward-only tells your DNS server to send the request to
this server if it's for that domain.
No forward is when your server does the NS lookup using the ROOT
servers.
Forward-first I never understood the point of. It means if a domain is
found on your system, that the request is first sent to another DNS
server and if it gives up and tells your DNS server "not found", your
server will then see what it has and respond. I don't know of any good
use-cases for this. Perhaps others can help here?
I by far prefer the old but trusted method of using authoritative
lookups. Not that I do that believing I'm not tracked - we all are (at
least in the US) but it makes me relative immune to central failures,
censorship, DNS poison and a lot more. So I keep the forward options
turned off. Only my modem has them, but once booted my DNS servers
take over and things work very fast and reliable.
So your own network only needs ONE dns server - yours. Splitting it can
be required if you have an inside/outside view of your network that
differs. But when you do that, the inside still only sees one DNS, and
the outside only sees one - but they are not the same. The reason is
often that even if the same host should exist outside and inside, you
don't want internal traffic to be routed via an external IP - so you
need those addresses resolved to internal addresses - there's no reason
to query the external system.
//
Peter Larsen
845
days inactive
846
days old
freeipa-users@lists.fedorahosted.org
7 comments
5 participants
participants (5)
-
Angus Clarke -
Dave Mintz -
Florence Blanc-Renaud -
Peter Larsen -
Rafael Jeffman