[Freeipa-users] Split Horizon DNS on IPA?

Andrew Lau andrew at andrewklau.com
Tue Sep 10 03:28:33 UTC 2013


On Mon, Sep 9, 2013 at 9:30 PM, Andrew Lau <andrew at andrewklau.com> wrote:

> On Mon, Sep 9, 2013 at 8:26 PM, Petr Spacek <pspacek at redhat.com> wrote:
>
>> On 8.9.2013 05:54, Andrew Lau wrote:
>>
>>> Hi all,
>>>
>>> I wasn't able to find much, but is it possible to configure FreeIPA to
>>> serve as a split horizon DNS server?
>>>
>>> I would like the local network to be able to enroll and authenticate
>>> locally, but at the same time bridge remote clients as well.
>>>
>>> Suggestions?
>>>
>>
>> Could you give us more details? We can try to find some solution for you
>> particular situation.
>>
>> In general, FreeIPA doesn't support so-called views from BIND9 directly,
>> but you can use e.g. FreeIPA integrated DNS for internal network (the
>> internal view) and expose flat zone file for external view.
>>
>> Example configuration (/etc/named.conf):
>> view "internal"
>> {
>> /* This view will contain zones you want to serve only to "internal" clients
>>    that connect via your directly attached LAN interfaces - "localnets".
>>  */
>>         match-clients           { localnets; };
>>         recursion yes;
>>
>>         dynamic-db "ipa" {
>>                 library "ldap.so";
>>                 arg "uri ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket";
>>                 arg "base cn=dns, dc=ipa,dc=test";
>>         };
>> };
>>
>> view "external"
>> {
>> /* This view will contain zones you want to serve only to "external" clients
>>  * whose addresses do not match any view above:
>>  */
>>         match-clients           { any; };
>>         recursion no;
>>
>>         zone "my.external.zone" {
>>                 type master;
>>                 file "my.external.zone.db";
>>         };
>> };
>>
>> Have a nice day.
>
>
> Hi Petr,
>
> Thanks - I ended up running a slave DNS server with bind9 views. It's just
> a bit of a pain having to now manage two DNS configs but it'll have to do.
>
> Thanks,
> Andrew.
>
>
I spoke too soon..

The scenario I have is: internal clients are enrolled into FreeIPA, and all the
IPs registered on internal.domain.com are internal IPs. I want to use the
FreeIPA server to also serve the DNS for domain.com, but because it's hidden
in a private network I had set up slave DNS servers. They don't seem to
use the authoritative nameserver setting, though.

So eg.
ipa01.internal.domain.com (private IP address) --> dns01.domain.com (public IP address)

The records that get served to dns01.domain.com are:

domain.com         IN SOA  ipa02.internal.domain.com. hostmaster.domain.com.
(

Any suggestions?
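The record shown above is the classic split-horizon leak: a slave that transfers the internal zone serves whatever is in it, SOA MNAME included, so the internal hostname (and any NS/MX targets or RFC 1918 addresses in the zone) ends up visible on the public side. The script below is an added example, not code from the thread or from FreeIPA; it parses a zone as an external slave would see it (e.g. the output of a dig AXFR) and flags exactly those records. The zone text, the internal.domain.com suffix and the address ranges are constructed assumptions; adjust them for your own namespace.

```python
"""Added example (not from the thread): scan a zone, as an external slave sees it,
for records that leak the internal namespace. Hostnames and addresses below are
constructed placeholders modelled on the thread's internal.domain.com / domain.com."""
import ipaddress

# Assumption: anything under these suffixes is internal-only.
INTERNAL_SUFFIXES = ("internal.domain.com.",)
# Assumption: RFC 1918 and IPv6 ULA space count as internal addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Index of the hostname inside the rdata for record types that carry one.
NAME_FIELD = {"SOA": 0, "NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}

# Constructed sample zone; 203.0.113.0/24 (TEST-NET-3) stands in for public addresses.
SAMPLE_ZONE = """\
$ORIGIN domain.com.
$TTL 3600
@        IN SOA  ipa02.internal.domain.com. hostmaster.domain.com. (
                 2013091001 ; serial
                 3600 900 1209600 300 )
@        IN NS   dns01.domain.com.
         IN NS   ipa01.internal.domain.com.
dns01    IN A    203.0.113.10
www      IN A    203.0.113.20
intranet IN A    10.0.0.5
@        IN MX   10 ipa01.internal.domain.com.
"""


def _logical_lines(zone_text):
    """Strip ';' comments and join records continued inside ( ... )."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def absolute(name, origin):
    """Make a zone-file name fully qualified relative to the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(zone_text):
    """Yield (owner, rtype, rdata) triples; owner and hostname rdata are absolute."""
    origin, owner = ".", None
    for line in _logical_lines(zone_text):
        tokens = line.split()
        if tokens[0] in ("$ORIGIN", "$TTL"):
            if tokens[0] == "$ORIGIN":
                origin = tokens[1]
            continue
        if not line[0].isspace():          # a blank owner inherits the previous one
            owner = absolute(tokens.pop(0), origin)
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                  # optional TTL and class
        rtype = tokens.pop(0).upper()
        if rtype in NAME_FIELD:
            i = NAME_FIELD[rtype]
            tokens[i] = absolute(tokens[i], origin)
        yield owner, rtype, tokens


def is_internal_name(name, suffixes=INTERNAL_SUFFIXES):
    """True when name is, or sits under, one of the internal-only suffixes."""
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in suffixes)


def find_leaks(zone_text, suffixes=INTERNAL_SUFFIXES, nets=INTERNAL_NETS):
    """Return [(owner, rtype, value, reason)] for records an external view must not carry."""
    leaks = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype in NAME_FIELD:
            target = rdata[NAME_FIELD[rtype]]
            if is_internal_name(target, suffixes):
                leaks.append((owner, rtype, target, "internal hostname"))
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata[0])
            if any(addr in net for net in nets):
                leaks.append((owner, rtype, rdata[0], "internal address"))
    return leaks


if __name__ == "__main__":
    for owner, rtype, value, reason in find_leaks(SAMPLE_ZONE):
        print(f"{owner:<22} {rtype:<5} {value:<30} {reason}")
```

On the sample it reports the SOA MNAME, the second NS, the intranet A record and the MX target. If this fires on a zone your public slaves transfer, the fix is the one Petr outlined: keep the FreeIPA-managed zone in the internal view and give the external view its own flat zone file with a public MNAME and only public names and addresses, rather than slaving the internal zone outward.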

