[Freeipa-users] DNS configuration for not resolving some addresses

Karl Forner karl.forner at gmail.com
Wed Jul 8 14:32:33 UTC 2015


Thanks Petr.

My use case is: we have scripts that connect to some services, let's say a
docker registry.
I want these scripts to work either internally or externally, without
changing the URLs.
What would be the best or easiest setting to achieve this?

On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspacek at redhat.com> wrote:

> On 8.7.2015 15:07, Karl Forner wrote:
> > On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdziora at redhat.com>
> wrote:
> >
> >> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>
> >>> When using my freeIPA DNS name server for my domain example.test, I need
> >>> to exclude some names from the server (to be forwarded to the DNS forwarder
> >>> for instance).
> >>>
> >>> For example, I'd like foo.example.test not to be resolved, but forwarded.
> >>> How could I implement this?
> >>
> >> That would mean you have two different nameservers authoritative for
> >> the same DNS domain. That is generally not recommended setup.
> >>
> >
> > Yes, that's what I read, but I do not know how to easily do differently.
> > But in the end, what I'd like for my users, is to have foo.example.test
> > resolved from the outside to my external server IP, and from the inside to
> > the internal server IP.
>
> Such setup is generally not recommended because it is usually pain when it
> comes to long-term operation and maintenance.
>
> http://www.freeipa.org/page/DNS#Caveats
> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>
>
> Two main use-cases are:
>
> a) Two or more different servers are using the same name and which server is
> used depends on client's network.
>
> This is usually very cumbersome because DNS caching will play against you,
> especially when we introduce system-wide cache into Fedora 23.
>
> It is also hard to manage and debug because you have to ask the same question
> from different networks etc. And it will be harder when you deploy DNSSEC to
> increase security...
>
> The typical recommendation is to use a sub-domain for internal names, e.g.
> i.example.com for internal names and example.com for
> externally-resolvable names.
>
>
> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>
> Yes, it is as bad an idea as it sounds.
>
>
> >> Can't you make foo.example.test a CNAME to foo.example.org or another
> >> hostname, in domain with different authoritative DNS server?
> >>
> >
> > Hmm yes that should work, thanks !
>
> Please keep in mind that it only hides the problem under yet another layer of
> indirection.
>
> <humor>
> Yes, it is always possible! We know it because it is written in
> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
> point (6), but you should take point (3) into account, too :-)
> </humor>
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
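The caching problem Petr describes above (one name, two answers, and a system-wide cache that keeps the answer from the wrong network) can be made concrete with a small simulation. The following Python is an added example, not code from this thread or from the FreeIPA project: it models a stub resolver with a positive cache and two authoritative "views" using constructed zone data (the 10.0.0.10 and 203.0.113.10 addresses are placeholders), then walks a roaming client from the external network to the internal one. It contrasts the split-horizon setup (same name everywhere) with the recommended sub-domain layout (foo.i.example.test for the internal address).

```python
# Added example: simulate the DNS-cache pitfall of split-horizon names versus
# the sub-domain approach. Pure Python, no network access; zone data below is
# constructed for the demo and is not real configuration.

# Split-horizon: one name, a different answer depending on the client's network.
SPLIT_HORIZON_VIEWS = {
    "external": {"foo.example.test": ("A", "203.0.113.10", 300)},
    "internal": {"foo.example.test": ("A", "10.0.0.10", 300)},
}

# Sub-domain approach: every name has exactly one answer wherever it exists;
# the internal name simply does not exist (NXDOMAIN) from outside.
SUBDOMAIN_VIEWS = {
    "external": {"foo.example.test": ("A", "203.0.113.10", 300)},
    "internal": {
        "foo.example.test": ("A", "203.0.113.10", 300),
        "foo.i.example.test": ("A", "10.0.0.10", 300),
    },
}


class FakeClock:
    """Deterministic clock so TTL expiry can be controlled in the demo."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CachingResolver:
    """Minimal stub resolver with a positive answer cache keyed by name."""

    def __init__(self, clock):
        self.clock = clock
        self.cache = {}  # name -> (rdata, expires_at)

    def resolve(self, name, view):
        """Return (rdata, source); source tells where the answer came from."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], "cache"
        record = view.get(name)
        if record is None:
            return None, "nxdomain"
        _rtype, rdata, ttl = record
        self.cache[name] = (rdata, now + ttl)
        return rdata, "authoritative"


def roam(views, names_by_network, clock, gap_seconds):
    """A laptop resolves on the external network, keeps its system-wide cache,
    moves inside after gap_seconds and resolves again. Returns both answers."""
    resolver = CachingResolver(clock)
    outside = resolver.resolve(names_by_network["external"], views["external"])
    clock.advance(gap_seconds)
    inside = resolver.resolve(names_by_network["internal"], views["internal"])
    return outside, inside


def split_horizon_demo(gap_seconds=60):
    # The same name is used on both networks, so the cached external answer
    # is served inside until its TTL (300 s) runs out.
    same_name = {"external": "foo.example.test", "internal": "foo.example.test"}
    return roam(SPLIT_HORIZON_VIEWS, same_name, FakeClock(), gap_seconds)


def subdomain_demo(gap_seconds=60):
    # Distinct names per network: the cache key differs, so no stale answer.
    per_network = {"external": "foo.example.test", "internal": "foo.i.example.test"}
    return roam(SUBDOMAIN_VIEWS, per_network, FakeClock(), gap_seconds)


if __name__ == "__main__":
    print("split-horizon, 60s after moving inside: ", split_horizon_demo(60))
    print("split-horizon, 600s after moving inside:", split_horizon_demo(600))
    print("sub-domain,    60s after moving inside: ", subdomain_demo(60))
```

With a 60-second gap the split-horizon client still gets the external 203.0.113.10 from its cache while sitting on the internal network, and only after the 300-second TTL expires does it see 10.0.0.10; with the sub-domain layout the internal name is a different cache key and the correct address comes back immediately. The same mechanism applies to the CNAME workaround from the thread: a cached answer for the CNAME target is just as sticky as a cached A record.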