[Freeipa-users] basic question on DNS configuration

Martin Basti mbasti at redhat.com
Wed Feb 4 10:46:35 UTC 2015


On 04/02/15 11:39, Roberto Cornacchia wrote:
> Thank you Craig and Martin for your useful input.
>
> You both definitely recommend not to use example.com for the internal
> IPA DNS.
>
> I was in any case going to avoid the .local suffix and any invented
> top-level domain, after some reading on this topic.
>
> Using a subdomain like internal.example.com seems reasonable.
> I was under the impression that the freeIPA domain needed to be a
> top-level one, but maybe I was wrong here? Can I still keep
> example.com outside and have freeIPA manage internal.example.com?

IPA DNS is designed only for the internal network, so having an internal 
subdomain is a good use case. You can keep example.com outside of IPA DNS; 
you just need to configure a proper forwarder address pointing to the external 
DNS.

Martin^2

>
>
>
> On 4 February 2015 at 10:34, Martin Basti <mbasti at redhat.com> wrote:
>
>     On 03/02/15 16:52, Craig White wrote:
>>
>>     *From:* freeipa-users-bounces at redhat.com
>>     [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of* Roberto
>>     Cornacchia
>>     *Sent:* Tuesday, February 03, 2015 5:20 AM
>>     *To:* freeipa-users at redhat.com
>>     *Subject:* [Freeipa-users] basic question on DNS configuration
>>
>>     Hi guys,
>>
>>     I can't wait to get freeIPA installed in our small enterprise,
>>     but I'd first like to get a couple of basic things straight.
>>
>>     My first doubt is about the DNS configuration. Currently, we use
>>     a setting that I guess is rather common for small enterprises:
>>
>>     We own an example.com domain which is managed by the DNS of an
>>     external provider.
>>
>>     A couple of subdomains point to public IP addresses outside our
>>     local network (e.g. www.example.com is hosted at our internet
>>     provider, server1.example.com points at a server hosted in a
>>     datacenter, etc).
>>
>>     All the remaining subdomains (*.example.com) point at one IP which
>>     corresponds to our local router.
>>
>>     Then we use some simple forwarding rules to forward on to
>>     machines that are behind the router (service1.example.com,
>>     desktop1.example.com, desktop2.example.com, etc).
>>
>>     Internally, because the enterprise is rather small, we are not
>>     using a DNS, but simply /etc/hosts files on each machine. When
>>     they can't resolve whatever.example.com, then the request goes to
>>     the external DNS.
>>
>>     (sorry about the long-ish background information, probably this
>>     configuration is commonly named somehow, but I don't know how)
>>
>>     Now, a first simple question for you guys would be:
>>
>>     When installing freeIPA, with DNS, is the network configuration
>>     above still advisable? Can there be any problem? Or should I
>>     rather use a different domain for the internal network (I would
>>     really NOT like this option, but I'm very interested to know why
>>     I should, if that is the case).
>>
>>     A second basic question is:
>>
>>     Would you see any potential problem in installing freeIPA on a
>>     FC21 Server which currently hosts Atlassian Jira + Atlassian
>>     Stash (therefore git repositories) + the required mysql databases?
>>
>>     My guess would be that they would not interfere, as:
>>
>>     - httpd (and related ports) is currently unused
>>
>>     - Both Jira and Stash use their own tomcat installation on custom
>>     ports
>>
>>     - mysql shouldn't be a problem?
>>
>>     - The machine isn't overloaded at all (4-5 developers use those
>>     services)
>>
>>     Am I overlooking something? Obviously I'd rather have a dedicated
>>     freeIPA server, but if the above mentioned coexistence isn't a
>>     problem, then this would be more cost-effective.
>>
>>     Thank you very much for your help, I'm looking forward to this
>>     upgrade.
>>
>>     Roberto
>>
>>     I would recommend that you create a ‘local’ domain for your
>>     internal LAN though you certainly can use your domain name for
>>     both the internal LAN and the external world. Obviously you would
>>     have to create ‘manual’ entries in DNS for the external servers
>>     (like www.example.com) so your internal LAN systems can resolve it.
>>     If you have a ‘local’ domain for your internal LAN, there aren’t
>>     name collisions, no need to manually maintain DNS entries for
>>     off-LAN servers and no confusion of essentially faking your LAN
>>     systems into believing that the IPA server is authoritative for the
>>     example.com domain when the rest of the world thinks otherwise. The
>>     choice is yours.
>>
>>     As for using F21 – you get the latest version of FreeIPA which is
>>     something I wish I had here.
>>
>>     Git / Stash / Jira represent a fairly hefty memory footprint even
>>     if there isn’t that much CPU load. If you have the RAM and cpu
>>     cores to handle tossing FreeIPA onto the stack, go for it. You
>>     probably will want a replica too as the replica keeps your LAN
>>     running if the primary server is unavailable for whatever reason
>>     and it minimizes backup needs substantially.
>>
>>     Craig
>>
>>
>>
>     Hello,
>
>     For using the 'local.' domain please read the following message, to
>     avoid issues on Fedora:
>     https://www.redhat.com/archives/freeipa-users/2015-February/msg00010.html
>
>     You can't use the 'example.com' zone for internal IPA DNS.
>
>     You can create your internal sub-zone, like 'internal.example.com'
>     or 'corp.example.com', where IPA-managed hosts will be added.
>     It is the preferred solution instead of creating '.local' hostnames.
>     Then you can set up a global forwarder on IPA DNS to your external
>     DNS, where names other than 'internal.example.com' will be resolved.
>
>     If I understand correctly, it is an internal network, so you do not
>     need publicly resolvable domain names.
>
>     -- 
>     Martin Basti
>
>


-- 
Martin Basti
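The two designs discussed in this thread (IPA authoritative for the registered apex example.com versus IPA authoritative only for an internal sub-zone such as internal.example.com, with a global forwarder for everything else) can be compared with a small model of the resolver behaviour. The block below is an added illustration, not code from FreeIPA or from anyone on the list: it simplifies BIND's behaviour to "authoritative zone wins, otherwise forward", and every hostname and address in it is constructed sample data. It shows the concrete cost Craig describes for the apex design: public names that live under the IPA zone but are not copied into it become NXDOMAIN for internal clients, while the sub-zone design forwards them untouched.

```python
# Added example (not from the FreeIPA project or the thread above): a minimal
# model of an IPA DNS server that is authoritative for some zones and forwards
# every other query to a global forwarder. Hostnames and addresses are made up.

# What the external provider's DNS answers for the registered domain (constructed).
PUBLIC_DNS = {
    "example.com": "192.0.2.1",             # the apex, pointing at the office router
    "www.example.com": "198.51.100.10",     # hosted at the internet provider
    "server1.example.com": "198.51.100.20", # hosted in a datacenter
}

# Design A: IPA is made authoritative for the apex itself.
APEX_DESIGN = {
    "example.com": {
        "ipa.example.com": "10.0.0.5",
        "desktop1.example.com": "10.0.0.11",
    }
}

# Design B: IPA is authoritative only for an internal sub-zone (the thread's advice).
SUBZONE_DESIGN = {
    "internal.example.com": {
        "ipa.internal.example.com": "10.0.0.5",
        "desktop1.internal.example.com": "10.0.0.11",
    }
}


def find_zone(name, zones):
    """Return the most specific zone origin that contains `name`, or None."""
    best = None
    for origin in zones:
        if name == origin or name.endswith("." + origin):
            if best is None or len(origin) > len(best):
                best = origin
    return best


def resolve(name, zones, forwarder):
    """
    Resolve `name` the way an authoritative server with a global forwarder does:
    if the name falls inside one of our zones, answer from that zone only
    (None models NXDOMAIN; the forwarder is never consulted for in-zone names);
    otherwise hand the query to the forwarder.
    Returns (source, answer).
    """
    name = name.rstrip(".").lower()
    origin = find_zone(name, zones)
    if origin is not None:
        return ("zone " + origin, zones[origin].get(name))
    return ("forwarder", forwarder.get(name))


def shadowed_names(zones, public):
    """
    Public names that internal clients can no longer reach: they sit inside an
    IPA zone but were never added to it, so IPA answers NXDOMAIN instead of
    forwarding. These are the records that would have to be maintained by hand.
    """
    shadowed = []
    for name in public:
        origin = find_zone(name, zones)
        if origin is not None and name not in zones[origin]:
            shadowed.append(name)
    return sorted(shadowed)


if __name__ == "__main__":
    for label, design in (("apex", APEX_DESIGN), ("sub-zone", SUBZONE_DESIGN)):
        print(f"--- {label} design ---")
        for q in ("www.example.com", "desktop1.internal.example.com", "desktop1.example.com"):
            print(q, "->", resolve(q, design, PUBLIC_DNS))
        print("shadowed public names:", shadowed_names(design, PUBLIC_DNS))
```

With the apex design, `www.example.com`, `server1.example.com` and the apex itself are all shadowed and must be copied into the IPA zone by hand whenever the provider changes them; with the sub-zone design the shadowed list is empty and only `*.internal.example.com` is served locally. On a real install the sub-zone design corresponds to giving `ipa-server-install --setup-dns` the internal sub-domain as the IPA domain and the external resolver via `--forwarder`, which is the "global forwarder" Martin refers to.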
