<div dir="ltr"><div><div><div><div>Thanks Petr. </div> </div>My use case is: we have scripts that connect to some services, let's say a docker registry. </div>I want these scripts to be work either internally or externally, without changing the URLs. </div>What would the best or easiest setting to achieve this ? </div><div class="gmail_extra"> <div class="gmail_quote">On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 8.7.2015 15:07, Karl Forner wrote: > On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <<a href="mailto:jpazdziora@redhat.com">jpazdziora@redhat.com</a>> wrote: > >> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote: >>> >>> When using my freeIPA DNS name server for my domain example.test, I need >> to >>> exclude some names from the server( to be forwarded to the DNS forwarder >>> for instance. >>> >>> For example, I'd like foo.example.test not to be resolved, but forwarded. >>> How could I implement this ? >> >> That would mean you have two different nameservers authoritative for >> the same DNS domain. That is generally not recommended setup. >> > > Yes, that's what I read, but I do not know how to easily do differently. > But in the end, what I'd like for my users, is to have foo.example.test > resolved from the outside to my external server IP, and from the inside to > the internal server IP. Such setup is generally not recommended because it is usually pain when it comes to long-term operation and maintenance. <a href="http://www.freeipa.org/page/DNS#Caveats" rel="noreferrer" target="_blank">http://www.freeipa.org/page/DNS#Caveats</a> <a href="http://www.freeipa.org/page/Deployment_Recommendations#DNS" rel="noreferrer" target="_blank">http://www.freeipa.org/page/Deployment_Recommendations#DNS</a> Two main use-cases are: a) Two or more different servers are using the same name and which server is used depends on client's network. This is usually very cumbersome because DNS caching will play against you, especially when we introduce system-wide cache into Fedora 23. It is also hard to manage and debug because you have to ask the same question from different networks etc. And it will be harder when you deploy DNSSEC to increase security... The typical recommendation is to use a sub-domain for internal names, e.g. <a href="http://i.example.com" rel="noreferrer" target="_blank">i.example.com</a> for internal names and <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> for externally-resolvable names. b) Seconds use-case: Attempt to optimize IP routing by using DNS tricks. Yes, it is as bad idea as it sounds. >> Can't you make foo.example.test a CNAME to <a href="http://foo.example.org" rel="noreferrer" target="_blank">foo.example.org</a> or another >> hostname, in domain with different authoritative DNS server? >> > > Hmm yes that should work, thanks ! Please keep in mind that it only hides the problem under yet another layer of indirection. <humor> Yes, it is always possible! We know it because it is written in The Twelve Networking Truths: <a href="https://tools.ietf.org/html/rfc1925#page-2" rel="noreferrer" target="_blank">https://tools.ietf.org/html/rfc1925#page-2</a> point (6) but you should take into account point (3) into account, too :-) </humor> -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> </div>