[Freeipa-users] Split Horizon DNS on IPA?

Andrew Lau andrew at andrewklau.com
Mon Sep 9 11:30:00 UTC 2013


On Mon, Sep 9, 2013 at 8:26 PM, Petr Spacek <pspacek at redhat.com> wrote:

> On 8.9.2013 05:54, Andrew Lau wrote:
>
>> Hi all,
>>
>> I wasn't able to find much, but is it possible to configure FreeIPA to
>> serve as a split horizon DNS server?
>>
>> I would like the local network to be able to enroll and authenticate
>> locally, but at the same time bridge remote clients as well.
>>
>> Suggestions?
>>
>
> Could you give us more details? We can try to find some solution for your
> particular situation.
>
> In general, FreeIPA doesn't support so-called views from BIND9 directly,
> but you can use e.g. FreeIPA integrated DNS for internal network (the
> internal view) and expose flat zone file for external view.
>
> Example configuration (/etc/named.conf):
> view "internal"
> {
> /* This view will contain zones you want to serve only to "internal" clients
>  * that connect via your directly attached LAN interfaces - "localnets".
>  */
>         match-clients           { localnets; };
>         recursion yes;
>
>         dynamic-db "ipa" {
>                 library "ldap.so";
>                 arg "uri ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket";
>                 arg "base cn=dns, dc=ipa,dc=test";
>         };
> };
>
> view "external"
> {
> /* This view will contain zones you want to serve only to "external" clients
>  * that have addresses that do not match any view above:
>  */
>         match-clients           { any; };
>         recursion no;
>
>         zone "my.external.zone" {
>                 type master;
>                 file "my.external.zone.db";
>         };
> };
>
> Have a nice day.


Hi Petr,

Thanks - I ended up running a slave DNS server with bind9 views. It's just
a bit of a pain having to now manage two DNS configs but it'll have to do.

Thanks,
Andrew.
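
The first-match view selection that the named.conf suggested in this thread depends on, as an added example that is not part of the original messages and is not FreeIPA or BIND code: a small Python model that picks the view for a client address and audits view order and recursion. The condensed config text, the LOCALNETS network and all function names are assumptions made for illustration; only `any`, `none`, `localnets` and CIDR elements are modelled.

```python
import ipaddress
import re

# Constructed, condensed stand-in for the two views in the thread (bodies omitted).
NAMED_CONF = '''
view "internal" { match-clients { localnets; }; recursion yes; };
view "external" { match-clients { any; }; recursion no; };
'''
# Assumption: the server's directly attached network, which is what BIND's
# built-in "localnets" ACL covers on the real host.
LOCALNETS = [ipaddress.ip_network("192.168.10.0/24")]
VIEW_RE = re.compile(
    r'view\s+"([^"]+)"\s*\{\s*match-clients\s*\{([^}]*)\};\s*recursion\s+(yes|no);')

def parse_views(conf):
    """Return views in file order as (name, [acl elements], recursion_enabled)."""
    return [(name, [e.strip() for e in acl.split(";") if e.strip()], rec == "yes")
            for name, acl, rec in VIEW_RE.findall(conf)]

def acl_matches(element, addr):
    """Evaluate one match-clients element against a client address."""
    if element in ("any", "none"):
        return element == "any"
    if element == "localnets":
        return any(addr in net for net in LOCALNETS)
    return addr in ipaddress.ip_network(element, strict=False)

def select_view(views, client):
    """BIND answers from the first view whose match-clients matches the source."""
    addr = ipaddress.ip_address(client)
    for name, elements, recursion in views:
        if any(acl_matches(e, addr) for e in elements):
            return name, recursion
    return None, False  # no view matched

def audit(views):
    """Flag open recursion and views placed after a catch-all view."""
    findings, catch_all = [], None
    for name, elements, recursion in views:
        if catch_all:
            findings.append(f'view "{name}" is unreachable after "{catch_all}"')
        elif "any" in elements:
            catch_all = name
            if recursion:
                findings.append(f'view "{name}" recurses for any client')
    return findings

if __name__ == "__main__":
    views = parse_views(NAMED_CONF)
    for client in ("192.168.10.25", "203.0.113.7"):  # constructed sample clients
        print(client, "->", select_view(views, client))
    print("findings:", audit(views))
```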