Hi Ian
Thanks for this, this actually comes back to my first suggestion however I was wanting to
hide that private IP nameserver information from public view (infosec teams would not be
happy otherwise) and so I had wondered about using a DNS view to only allow the external
IPs of my internal DNS servers to see the
int.angusclarke.com delegation on my public DNS
servers. I'm not sure if this is possible with glue records and suspect that the DNS
software in use (bind, nsd etc) probably has a bearing on that too.
I found this in my bookmarks ... it's a bit old but one of the options M$ were
recommending at this point in time was to not configure any delegation information in your
public DNS at all; rather just to configure your in-house DNS recursor to forward requests
for
ipa.angusclarke.com to the internal DNS server that handles that namespace.
https://docs.microsoft.com/en-gb/previous-versions/windows/it-pro/windows...
(see points 1. and 2. specifically)
Delegating the subdomain from public DNS seems the more elegant (more correct?) option
however the split view (or something) needs to be working to hide your delegation
information from public view (infosec would insist.) Simply redirecting your internal DNS
for a subdomain seems easier but probably isn't "the correct" way.
I wonder how Rafael has his DNS configured for making use of private subdomains as
mentioned here:
I have a (few) registered domain(s), which I use both as a public
facing server (static, github pages), and within my private network,
which no one from outside can see, I have a subdomain (ipa) which
I use for managing my users and hosts.
Cheers
Angus
From: Ian Willis <fedora(a)checksum.net.au>
Sent: 28 December 2021 01:55
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Rafael Jeffman
<rjeffman(a)redhat.com>; Peter Larsen <peter(a)peterlarsen.org>
Cc: Dave Mintz <davemintz64(a)gmail.com>; Angus Clarke <angus(a)charworth.com>
Subject: Re: [Freeipa-users] Re: DNS and FreeIPA
Hi Angus,
Just be aware that maintaining parrellel records is an overhead in the longer term as
it's a manual process of keeping things in sync.
Delegation is a simpler more natural solution in general.
Your pubic DNS servers can delegate to an internal DNS domain and then you'll only
have the internal addresses of your DNS servers in the public domain.
For example
angusclark.com has public nameservers a.b.c.d and a.b.c.e
which delegates
int.angusclark.com to internal freeipa nameservers
ipa1.int.angusclark.com 10.10.10.10 and
ipa2.int.angusclark.com 10.10.10.11 using glue records on the public servers.
The you just follow the bouncing ball for setting up freeipa with integrated DNS.
Outbound Name resolution would use the freeipa servers which would forward to a convenient
resolver or you do resolution via the root nameservers which is probably a more secure
solution.
-----Original Message-----
From: Angus Clarke via FreeIPA-users
<freeipa-users@lists.fedorahosted.org<mailto:Angus%20Clarke%20via%20FreeIPA-users%20%3cfreeipa-users@lists.fedorahosted.org%3e>>
Reply-To: FreeIPA users list
<freeipa-users@lists.fedorahosted.org<mailto:FreeIPA%20users%20list%20%3cfreeipa-users@lists.fedorahosted.org%3e>>
To: Rafael Jeffman
<rjeffman@redhat.com<mailto:Rafael%20Jeffman%20%3crjeffman@redhat.com%3e>>,
Peter Larsen
<peter@peterlarsen.org<mailto:Peter%20Larsen%20%3cpeter@peterlarsen.org%3e>>
Cc: Dave Mintz
<davemintz64@gmail.com<mailto:Dave%20Mintz%20%3cdavemintz64@gmail.com%3e>>,
FreeIPA users list
<freeipa-users@lists.fedorahosted.org<mailto:FreeIPA%20users%20list%20%3cfreeipa-users@lists.fedorahosted.org%3e>>,
Angus Clarke
<angus@charworth.com<mailto:Angus%20Clarke%20%3cangus@charworth.com%3e>>
Subject: [Freeipa-users] Re: DNS and FreeIPA
Date: Mon, 27 Dec 2021 23:26:31 +0000
Thanks for your replies, I think I need to focus on internal resolver configuration and
less on public subdomain delegation.
Cheers
Angus
________________________________
From: Rafael Jeffman <rjeffman(a)redhat.com>
Sent: Monday, 27 December 2021, 11:11 pm
To: Peter Larsen
Cc: Angus Clarke; FreeIPA users list; Dave Mintz
Subject: Re: [Freeipa-users] Re: DNS and FreeIPA
Hello Angus,
Besides what Peter has written, let's get this warning from FreeIPA site [1]:
**Avoid name collisions**
We strongly recommend that you do not use a domain name that is not
delegated to you, even on a private network. For example, you should
not use domain name
company.int<https://emea01.safelinks.protection.outlook.com/?url=http%...
if you don't have valid delegation for
it in public DNS tree.
As you can see, it is similar to what was on the Red Hat documentation you
mentioned before.
This first part of the warning says that you should not configure your domain
name with some "random" name if you don't own the domain. For example,
you should not use
"cisco.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcisco.com%2F&data=04%7C01%7C%7C67257c8f33854eb94bbb08d9c99cbf2d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762497327894172%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=HSIDyx%2BKgVc2cpm0RuvUby98dA5szPcEM1%2BwqWksZXE%3D&reserved=0>",
"google.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgoogle.com%2F&data=04%7C01%7C%7C67257c8f33854eb94bbb08d9c99cbf2d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762497327894172%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=kXzkvd%2FQb%2FsMc%2FCQJOynzJ2kiEhHRl1xZrr2w9GOrkA%3D&reserved=0>"
or
"redhat.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fredhat.com%2F&data=04%7C01%7C%7C67257c8f33854eb94bbb08d9c99cbf2d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762497327894172%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=AZzcKs15fd21XD8tTzEomFu3zu09UYMlQg8jXv3imMM%3D&reserved=0>",
even if your
network is a private one. Note that, if it is a private network, you "could" do
it,
but you shouldn't do it.
Why? The answer is on the warning itself:
If this rule is not respected, the domain name will be resolved
differently
depending on the network configuration. As a result, network resources
will become unavailable.
Using domain names that are not delegated to
you also makes DNSSEC more difficult to deploy and maintain. For
further information about this issue please see the ICANN FAQ on
domain name collisions.
Imagine you try to access google search and your private network uses
'google.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgoogle.com%2F&data=04%7C01%7C%7C67257c8f33854eb94bbb08d9c99cbf2d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762497327894172%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=kXzkvd%2FQb%2FsMc%2FCQJOynzJ2kiEhHRl1xZrr2w9GOrkA%3D&reserved=0>'
as the domain. You would probably be redirected to an internal
server, instead of Google's search engine. (I'll not even get into DNSSEC
issues.)
So, you find everywhere about "a domain that is delegated to you", well,
that domain is any domain you have registered (e.g.:
angusclark.com<https://emea01.safelinks.protection.outlook.com/?url=ht...).
Even as your domain have nameserver which is probably not under your
control (and controlled by whom you registered your domain), you have
control over your domain, and as such, you can create subdomains on
your private network that will not collide with any other domain (say,
ipa.angusclark.com<https://emea01.safelinks.protection.outlook.com/?ur...).
If you manage this domain from your internal FreeIPA servers, there
will be no name collision.
I have a (few) registered domain(s), which I use both as a public
facing server (static, github pages), and within my private network,
which no one from outside can see, I have a subdomain (ipa) which
I use for managing my users and hosts.
Regards,
Rafael
[1]:
https://www.freeipa.org/page/Deployment_Recommendations<https://emea01...
On Mon, Dec 27, 2021 at 6:08 PM Peter Larsen
<peter@peterlarsen.org<mailto:peter@peterlarsen.org>> wrote:
On 12/27/21 15:27, Angus Clarke wrote:
Ok let's try this:
I've just registered
angusclarke.com<https://emea01.safelinks.protection.outlook.com/?url=h...
with a public DNS provider and am
ready to deploy FreeIPA for my corporate network which uses a private
IP space. How do I do this?
This is where things get odd for me. Why are you registering a TLD for a
private DNS server? That makes no sense. Public domain servers require
public access by definition. Otherwise they don't work.
According to this
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
then I should have a domain delegated to me, but I am not a public DNS
provider,
Which means you shouldn't register a domain. Just add the domain to
freeIPA and have your clients use your FreeIPA dns server(s). Done. All
free!
I'm just Angus Clarke ... Nor do I want my private IP space
available
to be looked up in a public DNS record
You don't. You cannot blow and have flour in your mouth at the same
time. When you register a domain you MUST provide public NS servers
which are authoritative for that domain which anyone querying your
domain will be forwarded to. By definition they HAVE to be public. You
can absolutely expose your FreeIPA name servers to the public, but it's
a whole other issue if you want to, as the configuration and security
gets a bit convoluted - but it can be done.
... And I'd rather have my private IP records handled by my
internal
DNS system - all of this is standard practise for companies and
individuals however I dont think this topic is suitably addressed in
the redhat documentation - I see a disconnect in the recommendation
pasted above vs the installation documentation for FreeIPA.
For internal ONLY domains there is absolutely NO NEED to register a
domain with a public DNS service. You can even pretend to be
"cisco.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcisco.com%2F&data=04%7C01%7C%7C67257c8f33854eb94bbb08d9c99cbf2d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762497327894172%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=HSIDyx%2BKgVc2cpm0RuvUby98dA5szPcEM1%2BwqWksZXE%3D&reserved=0>"
or other addresses and your clients will happily use your DNS server
(well, if DNSSEC is on it may not be that simple) instead of Cisco's.
Public domains are for public access only. Your own network is your own
domain (sic) and you can do what you want, without having to register
anything.
Maybe I've missed it, maybe I can promote the topic here and it can be
championed in the right direction, maybe I can even help on the topic
myself.
You're making it a lot harder. Just install FreeIPA, configure DNS and
add your domain. Set your DHCP server to use your FreeIPA server's IP
the DNS server address for the clients, renew the DHCP leases and voila,
they're using that domain you just defined, internally only resolving to
internal addresses etc.
--
Regards
Peter Larsen
_______________________________________________
FreeIPA-users mailing list --
<mailto:freeipa-users@lists.fedorahosted.org>
freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
<mailto:freeipa-users-leave@lists.fedorahosted.org>
freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
<
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.f...
https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://...
List Guidelines:
<
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedora...
https://fedoraproject.org/wiki/Mailing_list_guidelines<https://emea01....
List Archives:
<
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists....
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
<
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure...
https://pagure.io/fedora-infrastructure<https://emea01.safelinks.prote...