[Freeipa-users] DNS configuration for not resolving some addresses

Petr Spacek pspacek at redhat.com
Wed Jul 8 14:25:36 UTC 2015


On 8.7.2015 15:07, Karl Forner wrote:
> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdziora at redhat.com> wrote:
> 
>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>
>>> When using my freeIPA DNS name server for my domain example.test, I need
>>> to exclude some names from the server (to be forwarded to the DNS forwarder,
>>> for instance).
>>>
>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>> How could I implement this ?
>>
>> That would mean you have two different nameservers authoritative for
>> the same DNS domain. That is generally not recommended setup.
>>
> 
> Yes, that's what I read, but I do not know how to easily do differently.
> But in the end, what I'd like for my users, is to have foo.example.test
> resolved from the outside to my external server IP, and from the inside to
> the internal server IP.

Such setup is generally not recommended because it is usually a pain when it
comes to long-term operation and maintenance.

http://www.freeipa.org/page/DNS#Caveats
http://www.freeipa.org/page/Deployment_Recommendations#DNS


Two main use-cases are:

a) Two or more different servers are using the same name and which server is
used depends on client's network.

This is usually very cumbersome because DNS caching will play against you,
especially when we introduce system-wide cache into Fedora 23.

It is also hard to manage and debug because you have to ask the same question
from different networks etc. And it will be harder when you deploy DNSSEC to
increase security...

The typical recommendation is to use a sub-domain for internal names, e.g.
i.example.com for internal names and example.com for externally-resolvable names.


b) Second use-case: Attempt to optimize IP routing by using DNS tricks.

Yes, it is as bad an idea as it sounds.


>> Can't you make foo.example.test a CNAME to foo.example.org or another
>> hostname, in domain with different authoritative DNS server?
>>
> 
> Hmm yes that should work, thanks !

Please keep in mind that it only hides the problem under yet another layer of
indirection.

<humor>
Yes, it is always possible! We know it because it is written in
The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point
(6), but you should take point (3) into account, too :-)
</humor>

-- 
Petr^2 Spacek
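The thread makes two operational points: a name that answers differently depending on the client's network is hard to debug because you have to ask the same question from several networks, and a CNAME into another zone only moves the split to that zone. The following script is an added example, not code from the thread or from FreeIPA: it takes DNS answers already collected from two vantage points (here a constructed inline sample standing in for `dig` output from "inside" and "outside"), follows CNAME chains per vantage point, and reports every name outside the internal sub-domain whose effective answers differ. The vantage-point labels, the `i.example.com.` internal suffix and all addresses are assumptions made for the example.

```python
"""Audit collected DNS answers for split-horizon conflicts.

Rule being checked (from the thread): internal-only names live under a
dedicated sub-domain (i.example.com), every other name must resolve the
same from every network, and a CNAME does not count as a fix if its
target is itself split. Added example with constructed data.
"""

MAX_CHAIN = 8  # CNAME hops to follow before giving up

# Constructed sample: (owner name, vantage point, rrtype, rdata), as if
# captured with `dig` from a client inside and a client outside the network.
SAMPLE_ANSWERS = [
    ("www.example.com.", "outside", "A", "203.0.113.10"),
    ("www.example.com.", "inside", "A", "203.0.113.10"),        # consistent
    ("foo.example.com.", "outside", "A", "203.0.113.20"),
    ("foo.example.com.", "inside", "A", "10.0.0.20"),           # split horizon
    ("foo.i.example.com.", "inside", "A", "10.0.0.20"),         # internal sub-domain, fine
    ("bar.example.com.", "outside", "CNAME", "bar.example.org."),
    ("bar.example.com.", "inside", "CNAME", "bar.example.org."),  # same CNAME...
    ("bar.example.org.", "outside", "A", "198.51.100.5"),
    ("bar.example.org.", "inside", "A", "10.0.0.5"),            # ...but the target is split
]


def records(answers, name, vantage):
    """Set of (rrtype, rdata) seen for `name` from `vantage`."""
    return {(t, d) for n, v, t, d in answers if n == name and v == vantage}


def effective_answers(answers, name, vantage):
    """Follow CNAME hops for `name` as seen from `vantage` and return the
    terminal (rrtype, rdata) set. A dangling target yields ('MISSING', name),
    a cycle ('LOOP', name), and an over-long chain ('TOO_DEEP', name)."""
    seen = {name}
    current = name
    for _ in range(MAX_CHAIN):
        rrset = records(answers, current, vantage)
        cnames = sorted(d for t, d in rrset if t == "CNAME")
        if not cnames:
            return rrset if rrset else {("MISSING", current)}
        target = cnames[0]  # a name should carry at most one CNAME
        if target in seen:
            return {("LOOP", target)}
        seen.add(target)
        current = target
    return {("TOO_DEEP", current)}


def split_horizon_conflicts(answers, internal_suffix="i.example.com."):
    """Return {name: {vantage: effective answer set}} for every name outside
    the internal sub-domain whose effective answers differ between vantage
    points. Names only observed from one vantage point are not flagged."""
    names = {n for n, _, _, _ in answers}
    vantages = {v for _, v, _, _ in answers}
    conflicts = {}
    for name in sorted(names):
        if name == internal_suffix or name.endswith("." + internal_suffix):
            continue  # internal-only names are expected to be internal-only
        views = {v: effective_answers(answers, name, v)
                 for v in sorted(vantages) if records(answers, name, v)}
        if len(views) > 1 and len({frozenset(s) for s in views.values()}) > 1:
            conflicts[name] = views
    return conflicts


if __name__ == "__main__":
    for name, views in split_horizon_conflicts(SAMPLE_ANSWERS).items():
        print(f"{name} resolves differently per network:")
        for vantage, rrset in views.items():
            print(f"  {vantage:8s} {sorted(rrset)}")
```

In the sample, `foo.example.com.` is flagged directly, `foo.i.example.com.` is skipped because it follows the sub-domain recommendation, and `bar.example.com.` is flagged even though both networks see the identical CNAME, because the chain ends at `bar.example.org.`, which is itself split; that is the extra layer of indirection the reply warns about. To use it on real data, replace `SAMPLE_ANSWERS` with tuples parsed from answers captured on each network.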