[Freeipa-users] Split Horizon DNS on IPA?

Petr Spacek pspacek at redhat.com
Tue Sep 10 07:54:13 UTC 2013


On 10.9.2013 05:28, Andrew Lau wrote:
> On Mon, Sep 9, 2013 at 9:30 PM, Andrew Lau <andrew at andrewklau.com> wrote:
>
>> On Mon, Sep 9, 2013 at 8:26 PM, Petr Spacek <pspacek at redhat.com> wrote:
>>
>>> On 8.9.2013 05:54, Andrew Lau wrote:
>>>
>>>> Hi all,
>>>>
>>>> I wasn't able to find much, but is it possible to configure FreeIPA to
>>>> serve as a split horizon DNS server?
>>>>
>>>> I would like the local network to be able to enroll and authenticate
>>>> locally, but at the same time bridge remote clients as well.
>>>>
>>>> Suggestions?
>>>>
>>>
>>> Could you give us more details? We can try to find some solution for your
>>> particular situation.
>>>
>>> In general, FreeIPA doesn't support so-called views from BIND9 directly,
>>> but you can use e.g. FreeIPA integrated DNS for internal network (the
>>> internal view) and expose flat zone file for external view.
>>>
>>> Example configuration (/etc/named.conf):
>>> view "internal"
>>> {
>>> /* This view will contain zones you want to serve only to "internal"
>>>  * clients that connect via your directly attached LAN interfaces - "localnets".
>>>  */
>>>          match-clients           { localnets; };
>>>          recursion yes;
>>>
>>>          dynamic-db "ipa" {
>>>                  library "ldap.so";
>>>                  arg "uri ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket";
>>>                  arg "base cn=dns, dc=ipa,dc=test";
>>>          };
>>> };
>>>
>>> view "external"
>>> {
>>> /* This view will contain zones you want to serve only to "external"
>>>  * clients, i.e. clients whose addresses do not match any view above:
>>>  */
>>>          match-clients           { any; };
>>>          recursion no;
>>>
>>>          zone "my.external.zone" {
>>>                  type master;
>>>                  file "my.external.zone.db";
>>>          };
>>> };
>>>
>>> Have a nice day.
>>
>>
>> Hi Petr,
>>
>> Thanks - I ended up running a slave DNS server with bind9 views. It's just
>> a bit of a pain having to now manage two DNS configs but it'll have to do.
>>
>> Thanks,
>> Andrew.
>>
>>
> I spoke too soon..
>
> The scenario I have is internal clients enrolled into FreeIPA, and all the IPs
> registered on internal.domain.com are internal IPs. I want to use the
> FreeIPA server to also serve the DNS for domain.com, but because it's hidden
> in a private network I had set up slave DNS servers, but they don't seem to
> use the authoritative nameserver setting.
>
> So eg.
> ipa01.internal.domain.com (private IP address) --> dns01.domain.com (public
> IP address)
>
> The records that get served to dns01.domain.com are:
>
> domain.com         IN SOA  ipa02.internal.domain.com. hostmaster.domain.com.
> (
>
> Any suggestions?

It is most probably caused by the 'fake_mname' setting in /etc/named.conf. Named 
will respect the value in the SOA record if you comment this setting out, but will 
lose the ability to load-balance DNS dynamic updates between FreeIPA replicas.

The point is that clients use this name to find the server responsible for 
zone updates (and nothing else). In FreeIPA's case, any server can update the 
zone, so all servers report themselves as zone 'masters'. This allows the load 
to be spread among all replicas, and there is no single point of failure.

The question is - do you need it for the external zone? Do you use dynamic update 
for domain.com? I would ignore the internal hostname in the zone if you don't 
use DNS updates (if you are okay with such an information leak).

Side note:
Don't forget that internal host names normally leak in e-mail headers; from 
mis-configured clients in internal network; via roaming clients trying to 
access internal resources while they are not on VPN; etc. etc.

-- 
Petr^2 Spacek
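The leak Petr describes (an internal MNAME in the SOA, or internal NS names, showing up in the zone a public slave serves) is easy to check for from the outside. The script below is an added example written for this thread, not code from FreeIPA or from either poster: it parses dig-style answer lines and reports every SOA MNAME and NS target that falls under an internal suffix. The sample answer is constructed to mirror the situation in the mail (ipa02.internal.domain.com as MNAME); the names domain.com, internal.domain.com and dns01.domain.com are taken from the thread, and the record values are made up.

```python
import re
from typing import Dict, List

# Constructed sample of what `dig +noall +answer @dns01.domain.com domain.com SOA NS`
# could print for the setup described in the thread; not captured from a real server.
SAMPLE_ANSWER = """\
domain.com.     3600 IN SOA ipa02.internal.domain.com. hostmaster.domain.com. 2013091001 3600 900 1209600 3600
domain.com.     3600 IN NS  dns01.domain.com.
domain.com.     3600 IN NS  ipa01.internal.domain.com.
www.domain.com.  300 IN A   203.0.113.10
"""

# owner, TTL, class IN, type, rdata (the rest of the line)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")


def parse_answer(text: str) -> List[Dict[str, str]]:
    """Parse dig-style answer lines into dicts with owner, type and rdata.

    Blank lines and ';' comment lines (dig's own chatter) are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        records.append({"owner": owner, "type": rtype, "rdata": rdata.strip()})
    return records


def internal_name_leaks(text: str, internal_suffix: str) -> List[str]:
    """Return 'TYPE owner -> name' for SOA MNAME and NS targets under internal_suffix.

    Only the SOA MNAME (first rdata field) and NS targets are inspected, since
    those are the names a public resolver sees when it walks the delegation.
    """
    suffix = internal_suffix.rstrip(".").lower() + "."
    leaks = []
    for rr in parse_answer(text):
        if rr["type"] not in ("SOA", "NS"):
            continue
        name = rr["rdata"].split()[0].lower()  # MNAME for SOA, target for NS
        if name == suffix or name.endswith("." + suffix):
            leaks.append(f'{rr["type"]} {rr["owner"]} -> {name}')
    return leaks


if __name__ == "__main__":
    for leak in internal_name_leaks(SAMPLE_ANSWER, "internal.domain.com"):
        print("internal name exposed in public zone:", leak)
```

In practice you would pipe the output of `dig +noall +answer @<public slave> <zone> SOA NS` into `internal_name_leaks` from a host outside the private network; an empty result means the external view no longer advertises the FreeIPA replicas by their internal names.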
