[Freeipa-devel] Using RPZ to overcome multi Kerberos domains and multiple DNS authorities.

Petr Spacek pspacek at redhat.com
Tue Jul 19 09:27:47 UTC 2016


On 18.7.2016 19:44, Jim Glenz wrote:
> IPA DNS configuration using Response Policy Zone (RPZ).
> 
> IPA utilizes DNS extensively to locate service records (SRV) and text
> records (TXT) associated with the Kerberos realm.
> IPA also heavily requires DNS A records and PTR records to function
> correctly.
> Normally all A,SRV,TXT,PTR records are part of the same DNS domain zone.
> 
> The following shows how to decouple IPA "TXT and SRV" records only, and
> pass (forward) all other records to another internal DNS server when
> required to have all records (except SRV and TXT) records in the other DNS
> system.
> 
> Note: Below is very customized for a specific environment; your environment
> may be different. Just wanted to pass on this DNS trick.
> The methodology used was to implement a BIND instance on at least two servers
> and then configure a Response Policy Zone (RPZ).
> The RPZ is configured to respond to specific DNS records and forward other
> DNS records onward to the next hop DNS.
> 
> All A and PTR records should exist in the next hop DNS authoritative server.
> As mentioned, the following solution is very specific to a unique
> environment.
> 
> IPA members and client servers must have their primary/secondary DNS
> resolvers set to the DNS RPZ BIND servers.
> 
> 
> Steps
> - Create your Master and Slave Bind DNS where RPZ will be used (can be your
>   IPA server or any other server having Bind DNS installed)
> - Create Response Policy Zone (RPZ) files.
> - Test configuration.
> 
> Search below for "<your " for changes needed in your configuration.
> 
> nslookup <your Bind-DNS-RPZ1-Host-FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup <your Bind-DNS-RPZ1-Host-FQDN> <your Bind-DNS-RPZ1-IP-address>
> 
> nslookup <your Bind-DNS-RPZ2-Host-FQDN>. <your Bind-DNS-RPZ2-IP-address>
> nslookup <your Bind-DNS-RPZ2-Host-FQDN>. <your Bind-DNS-RPZ1-IP-address>
> 
> nslookup <your Bind-DNS-RPZ1-Host-FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup <your Bind-DNS-RPZ2-Host-FQDN>. <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=TXT _kerberos.<your FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos-master._tcp.<your FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos-master._udp.<your FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos._tcp.<your FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos._udp.<your FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kpasswd._tcp.<your FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kpasswd._udp.<your FQDN> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _ldap._tcp.<your FQDN> <your Bind-DNS-RPZ2-IP-address>
> 
> nslookup <your Bind-DNS-RPZ1-Host-FQDN> <your Bind-DNS-RPZ1-IP-address>
> nslookup <your Bind-DNS-RPZ2-Host-FQDN>. <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=TXT _kerberos.<your FQDN> <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos-master._tcp.<your FQDN> <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos-master._udp.<your FQDN> <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos._tcp.<your FQDN> <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos._udp.<your FQDN> <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kpasswd._tcp.<your FQDN> <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kpasswd._udp.<your FQDN> <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _ldap._tcp.<your FQDN> <your Bind-DNS-RPZ1-IP-address>
> 
> nslookup google.com <your Bind-DNS-RPZ2-IP-address>
> nslookup google.com <your Bind-DNS-RPZ1-IP-address>
> 
> nslookup -type=ptr <your Bind-DNS-RPZ2-IP-address> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=ptr <your Bind-DNS-RPZ2-IP-address> <your Bind-DNS-RPZ1-IP-address>
> nslookup -type=ptr <your Bind-DNS-RPZ1-IP-address> <your Bind-DNS-RPZ2-IP-address>
> nslookup -type=ptr <your Bind-DNS-RPZ1-IP-address> <your Bind-DNS-RPZ1-IP-address>
> 
> 
> Will be referencing reverse.arpa zone 10.x.x.x internal network. Adjust as
> necessary for your environment.
> 
> Appendix A: Primary IPA DNS /etc/named.conf file
> # cat named.conf
> options {
>         // Put files that named is allowed to write in the data/ directory:
>         directory "/var/named"; // the default
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>         #forward first;
>         forwarders {
>                 <your Forwarder1>;
>                 <your Forwarder2>;
>         };
>         response-policy {zone "<your RPZ-Zone-File-Name>"; };
> 
>         // Any host is permitted to issue recursive queries
>         allow-recursion { any; };
> 
>         tkey-gssapi-credential "DNS/<your Bind-DNS-RPZ1-Host-FQDN>";
>         tkey-domain "<your Realm-FQDN>";
> };
> 
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> 
> zone "<your RPZ-Zone-File-Name>" IN {
>         type master;
>         file "<your RPZ-Zone-File-Name>";
>         also-notify {<your Slave-DNS-RPZ-IP>;};
> };
> 
> zone "10.in-addr.arpa" IN {
>  type forward;
>         forwarders {
>                 <your Forwarder1>;
>                 <your Forwarder2>;
>         };
> };
> 
> include "/etc/named.rfc1912.zones";
> 
> # dynamic not used, remark out.
> #dynamic-db "ipa" {
> #        library "ldap.so";
> #};
> 
> Appendix B: Primary IPA DNS /var/named/<your RPZ-Zone-File-Name> file
> $ORIGIN .
> $TTL 86400      ; 1 day
> <your Domain>.rpz             IN SOA  localhost. root.localhost. (
>                                 201505162150 ; serial
>                                 3600       ; refresh (1 hour)
>                                 1800       ; retry (30 minutes)
>                                 604800     ; expire (1 week)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      localhost.
> $ORIGIN <your FQDN>.rpz.
> _kerberos               TXT     "<your Realm-FQDN>"
> ; SRV owner names are _service._proto; the original had "_ntp_udp" and a
> ; stray quote character before the trailing dot of every SRV target.
> _ntp._udp               SRV     0 100 123 <your Bind-DNS-RPZ1-Host-FQDN>.
> $ORIGIN _tcp.<your FQDN>.rpz.
> _kerberos               SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
> _kerberos-master        SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
> _kpasswd                SRV     0 100 464 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 464 <your Bind-DNS-RPZ2-Host-FQDN>.
> _ldap                   SRV     0 100 389 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 389 <your Bind-DNS-RPZ2-Host-FQDN>.
> $ORIGIN _udp.<your FQDN>.rpz.
> _kerberos               SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
> _kerberos-master        SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
> _kpasswd                SRV     0 100 464 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 464 <your Bind-DNS-RPZ2-Host-FQDN>.
> 
> 
> Appendix C: Secondary IPA DNS /etc/named.conf file
> # cat /etc/named.conf
> options {
>         // Put files that named is allowed to write in the data/ directory:
>         directory "/var/named"; // the default
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>         #forward first;
>         forwarders {
>                 <your Forwarder1>;
>                 <your Forwarder2>;
>         };
>         response-policy {zone "<your RPZ-Zone-File-Name>"; };
> 
>         // Any host is permitted to issue recursive queries
>         allow-recursion { any; };
> 
>         tkey-gssapi-credential "DNS/<your Bind-DNS-RPZ2-Host-FQDN>";
>         tkey-domain "<your Realm-FQDN>";
> };
> 
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> 
> zone "<your RPZ-Zone-File-Name>" IN {
>         type slave;
>         file "slaves/<your RPZ-Zone-File-Name>";
>   masters {<your RPZ-Zone-Master-DNS>";};
> };
> 
> zone "10.in-addr.arpa" IN {
>  type forward;
>         forwarders {
>                 <your Forwarder1>;
>                 <your Forwarder2>;
>         };
> };
> 
> include "/etc/named.rfc1912.zones";
> 
> # dynamic not used
> #dynamic-db "ipa" {
> #        library "ldap.so";
> #};
> 
> Appendix D: Secondary IPA DNS /var/named/slaves/<your RPZ-Zone-File-Name>
> NOTE: Autogenerated by Master/Slave. Delete this file and then increment
> SOA serial on Master. Reload Master named.
> 
> cat /var/named/slaves/<your RPZ-Zone-File-Name>
> $ORIGIN .
> $TTL 86400      ; 1 day
> <your Domain>.rpz              IN SOA  localhost. root.localhost. (
>                                 3936666534 ; serial
>                                 3600       ; refresh (1 hour)
>                                 1800       ; retry (30 minutes)
>                                 604800     ; expire (1 week)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      localhost.
> $ORIGIN <your FQDN>.rpz.
> _kerberos               TXT     "<your Realm-FQDN>"
> ; SRV owner names are _service._proto; the original had "_ntp_udp" and a
> ; stray quote character before the trailing dot of every SRV target.
> _ntp._udp               SRV     0 100 123 <your Bind-DNS-RPZ1-Host-FQDN>.
> $ORIGIN _tcp.<your FQDN>.rpz.
> _kerberos               SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
> _kerberos-master        SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
> _kpasswd                SRV     0 100 464 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 464 <your Bind-DNS-RPZ2-Host-FQDN>.
> _ldap                   SRV     0 100 389 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 389 <your Bind-DNS-RPZ2-Host-FQDN>.
> $ORIGIN _udp.<your FQDN>.rpz.
> _kerberos               SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
> _kerberos-master        SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
> _kpasswd                SRV     0 100 464 <your Bind-DNS-RPZ1-Host-FQDN>.
>                         SRV     0 100 464 <your Bind-DNS-RPZ2-Host-FQDN>.
> 
> 
> In conclusion.
> RPZ is very powerful, DNS mangling in a way.
> This scenario was how I was able to overcome a tough/strict DNS environment
> that I had zero control of.

Thanks for the trick!

Let me repeat that this example is not complete (AD trusts are missing) and it
is tied to specific configuration. It will break/needs manual intervention at
multiple occasions:

- any replica addition/removal
- any change in IPA replica naming
- AD trust re-configuration
- IPA upgrade (when a new DNS record is introduced)
- any change to IPA DNS locations (new feature in IPA 4.4)

It needs to be understood that this is an option of the *very last* resort.

We are looking into ways to integrate FreeIPA better with existing
DNS systems. Comments regarding your existing setups and deficiencies you see
are more than welcome!

-- 
Petr^2 Spacek
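Added example, not part of the original thread or of FreeIPA: a small Python check for a hand-maintained RPZ zone like the one in Appendix B. It parses the zone-file syntax the post relies on ($ORIGIN directives, implicit owner names on continuation lines) and reports IPA SRV/TXT records that are missing, sit on the wrong port, or do not list every replica, which is the drift the reply warns about after replica changes or upgrades. The zone text, the domain example.test and the replica names are constructed for the example.

```python
from collections import defaultdict
# Constructed RPZ zone in the post's layout (made-up names); two records are
# missing and one lists only one of the two replicas, on purpose.
SAMPLE_ZONE = """\
$ORIGIN example.test.rpz.
_kerberos          TXT "EXAMPLE.TEST"
$ORIGIN _tcp.example.test.rpz.
_kerberos          SRV 0 100 88  rpz1.example.test.
                   SRV 0 100 88  rpz2.example.test.
_kerberos-master   SRV 0 100 88  rpz1.example.test.
                   SRV 0 100 88  rpz2.example.test.
_kpasswd           SRV 0 100 464 rpz1.example.test.
                   SRV 0 100 464 rpz2.example.test.
_ldap              SRV 0 100 389 rpz1.example.test.   ; rpz2 forgotten
$ORIGIN _udp.example.test.rpz.
_kerberos          SRV 0 100 88  rpz1.example.test.
                   SRV 0 100 88  rpz2.example.test.
"""
# SRV owner labels and ports IPA clients look up, per the post's zone file.
IPA_SRV_PORTS = {"_kerberos": 88, "_kerberos-master": 88, "_kpasswd": 464, "_ldap": 389}

def parse_rpz(text):
    # Map absolute names to [(type, rdata)]; a leading-whitespace line reuses the last owner.
    origin, owner, records = ".", None, defaultdict(list)
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()        # strip comments
        if tokens and tokens[0] == "$ORIGIN":
            origin = tokens[1]
        elif tokens and tokens[0] != "$TTL":         # a resource record line
            if not raw[0].isspace():                 # explicit owner name
                owner = tokens.pop(0)
            fqdn = owner if owner.endswith(".") else f"{owner}.{origin.lstrip('.')}"
            records[fqdn].append((tokens[0], tokens[1:]))
    return records

def check_rpz(zone_text, domain, replicas):
    # Report missing IPA records, SRVs on the wrong port and replicas no SRV points at.
    records, problems = parse_rpz(zone_text), []
    if not any(t == "TXT" for t, _ in records.get(f"_kerberos.{domain}.rpz.", [])):
        problems.append(f"missing TXT _kerberos.{domain}.rpz.")
    for label, port in IPA_SRV_PORTS.items():
        for proto in ("_tcp",) if label == "_ldap" else ("_tcp", "_udp"):
            name = f"{label}.{proto}.{domain}.rpz."
            rrs = [r for t, r in records.get(name, []) if t == "SRV"]
            if not rrs:
                problems.append(f"missing SRV {name}")
                continue
            problems += [f"{name}: port {r[2]} != {port}" for r in rrs if int(r[2]) != port]
            absent = set(replicas) - {r[3].rstrip(".") for r in rrs}
            problems += [f"{name}: no SRV for replica {m}" for m in sorted(absent)]
    return problems
```

Run it against the master's zone file after every replica add/remove or IPA upgrade, feeding it the current replica list, and treat any output as a reason to edit the RPZ and bump the SOA serial.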