[Freeipa-users] DNS configuration for not resolving some addresses

Petr Spacek pspacek at redhat.com
Wed Jul 8 14:50:33 UTC 2015


On 8.7.2015 16:32, Karl Forner wrote:
> Thanks Petr.
> 
> My use case is: we have scripts that connect to some services, let's say a
> docker registry.
> I want these scripts to work either internally or externally, without
> changing the URLs.
> What would be the best or easiest setting to achieve this?

Personally I use a config file for this. I.e. the script is the same and URLs,
names, passwords, etc. are read from a config file stored alongside the script.

This allows me to test it easily without any changes in DNS or system-wide
configuration like /etc/hosts.

Yes, it requires more code, but in the long term it is way more debuggable than
DNS tricks.

Petr^2 Spacek

> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspacek at redhat.com> wrote:
> 
>> On 8.7.2015 15:07, Karl Forner wrote:
>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdziora at redhat.com>
>> wrote:
>>>
>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>
>>>>> When using my freeIPA DNS name server for my domain example.test, I need
>>>>> to exclude some names from the server (to be forwarded to the DNS forwarder,
>>>>> for instance).
>>>>>
>>>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>>>> How could I implement this?
>>>>
>>>> That would mean you have two different nameservers authoritative for
>>>> the same DNS domain. That is generally not recommended setup.
>>>>
>>>
>>> Yes, that's what I read, but I do not know how to easily do differently.
>>> But in the end, what I'd like for my users, is to have foo.example.test
>>> resolved from the outside to my external server IP, and from the inside to
>>> the internal server IP.
>>
>> Such setup is generally not recommended because it is usually a pain when it
>> comes to long-term operation and maintenance.
>>
>> http://www.freeipa.org/page/DNS#Caveats
>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>
>>
>> Two main use-cases are:
>>
>> a) Two or more different servers are using the same name, and which server is
>> used depends on the client's network.
>>
>> This is usually very cumbersome because DNS caching will play against you,
>> especially when we introduce system-wide cache into Fedora 23.
>>
>> It is also hard to manage and debug because you have to ask the same question
>> from different networks etc. And it will be harder when you deploy DNSSEC to
>> increase security...
>>
>> The typical recommendation is to use a sub-domain for internal names, e.g.
>> i.example.com for internal names and example.com for
>> externally-resolvable names.
>>
>>
>> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>>
>> Yes, it is as bad an idea as it sounds.
>>
>>
>>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>>> hostname, in domain with different authoritative DNS server?
>>>>
>>>
>>> Hmm yes that should work, thanks !
>>
>> Please keep in mind that it only hides the problem under yet another layer of
>> indirection.
>>
>> <humor>
>> Yes, it is always possible! We know it because it is written in
>> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
>> point (6), but you should take point (3) into account, too :-)
>> </humor>
>>
>> --
>> Petr^2 Spacek

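As an added illustration of the config-file approach Petr recommends above (example code written for this page, not from the thread, from FreeIPA, or from Karl's scripts): the script keeps one code path and reads the registry URL for the current network from a profile in an INI file stored next to it, with the profile chosen by an environment variable. The profile names, the REGISTRY_PROFILE variable, the registry.ini filename, the hostnames registry.i.example.test / registry.example.test and the embedded sample config are all assumptions; the split of internal names under i.example.test and external names under example.test follows the sub-domain recommendation in the quoted message. The example also refuses the implicit DEFAULT section and any non-HTTPS registry URL, so a typo in the config fails loudly instead of sending credentials over plaintext.

```python
"""Added example: pick the registry URL for the current environment from a
config file next to the script, instead of from split-horizon DNS.

Profile names, REGISTRY_PROFILE, registry.ini, the hostnames and the sample
config are assumptions for illustration, not anything from the thread.
"""
import configparser
import os
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample config. In practice this is the registry.ini beside the
# script; internal names live under i.example.test, external under example.test.
SAMPLE_CONFIG = """\
[DEFAULT]
verify_tls = yes

[internal]
registry_url = https://registry.i.example.test:5000

[external]
registry_url = https://registry.example.test
"""

CONFIG_NAME = "registry.ini"  # assumed filename


def load_profiles(text: str) -> configparser.ConfigParser:
    """Parse INI text; each real section is one network profile."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def load_profiles_from_disk(script_dir: Path) -> configparser.ConfigParser:
    """Read registry.ini beside the script, falling back to the embedded sample
    when it is absent so the example still runs offline."""
    path = script_dir / CONFIG_NAME
    text = path.read_text() if path.is_file() else SAMPLE_CONFIG
    return load_profiles(text)


def select_profile(env=None) -> str:
    """Profile comes from the environment, defaulting to the external one so a
    script run from an unknown network never silently picks internal settings."""
    env = os.environ if env is None else env
    return env.get("REGISTRY_PROFILE", "external")


def registry_settings(cp: configparser.ConfigParser, profile: str) -> dict:
    """Return the URL and TLS policy for a profile, refusing unknown profiles
    (including the implicit DEFAULT section) and non-HTTPS registries."""
    if profile not in cp.sections():
        raise KeyError(f"unknown profile {profile!r}; choices: {cp.sections()}")
    url = cp[profile]["registry_url"]
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(
            f"profile {profile!r}: registry_url must be an https URL with a host"
        )
    # verify_tls is inherited from [DEFAULT] when a profile does not set it.
    return {"url": url, "verify_tls": cp.getboolean(profile, "verify_tls")}


if __name__ == "__main__":
    profiles = load_profiles_from_disk(Path(__file__).resolve().parent)
    print(registry_settings(profiles, select_profile()))
```

Run it as REGISTRY_PROFILE=internal python3 registry_cfg.py from inside the network and without the variable from outside; the script itself never changes, and a wrong answer is visible in the file next to it rather than hidden in a resolver cache.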