[Freeipa-users] DNS configuration for not resolving some addresses

Karl Forner karl.forner at gmail.com
Wed Jul 8 18:46:19 UTC 2015


I forgot my main use case: I have name-based reverse proxies (SNI) for some
web apps/services that are accessible both from the internal and the external
network.
They must be accessed with the exact same name/URL, otherwise the dispatch
cannot work.
Until now I have managed this by manually editing /etc/hosts on all internal
computers, but I had hoped to benefit from the freeIPA DNS for a more elegant
solution.


On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek <pspacek at redhat.com> wrote:

> On 8.7.2015 16:32, Karl Forner wrote:
> > Thanks Petr.
> >
> > My use case is: we have scripts that connect to some services, let's say
> > a docker registry.
> > I want these scripts to work either internally or externally, without
> > changing the URLs.
> > What would be the best or easiest setting to achieve this?
>
> Personally I use a config file for this. I.e. the script is the same and
> URLs, names, passwords, etc. are read from a config file stored alongside
> the script.
>
> This allows me to test it easily without any changes in DNS or system-wide
> configuration like /etc/hosts.
>
> Yes, it requires more code, but in the long term it is way more debuggable
> than DNS tricks.
>
> Petr^2 Spacek
>
> > On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspacek at redhat.com> wrote:
> >
> >> On 8.7.2015 15:07, Karl Forner wrote:
> >>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdziora at redhat.com>
> >>> wrote:
> >>>
> >>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>>>
> >>>>> When using my freeIPA DNS name server for my domain example.test, I
> >>>>> need to exclude some names from the server (to be forwarded to the
> >>>>> DNS forwarder, for instance).
> >>>>>
> >>>>> For example, I'd like foo.example.test not to be resolved, but
> >>>>> forwarded.
> >>>>> How could I implement this?
> >>>>
> >>>> That would mean you have two different nameservers authoritative for
> >>>> the same DNS domain. That is generally not recommended setup.
> >>>>
> >>>
> >>> Yes, that's what I read, but I do not know how to easily do it
> >>> differently.
> >>> But in the end, what I'd like for my users is to have foo.example.test
> >>> resolved from the outside to my external server IP, and from the inside
> >>> to the internal server IP.
> >>
> >> Such a setup is generally not recommended because it is usually a pain
> >> when it comes to long-term operation and maintenance.
> >>
> >> http://www.freeipa.org/page/DNS#Caveats
> >> http://www.freeipa.org/page/Deployment_Recommendations#DNS
> >>
> >>
> >> The two main use-cases are:
> >>
> >> a) Two or more different servers are using the same name and which
> >> server is used depends on the client's network.
> >>
> >> This is usually very cumbersome because DNS caching will play against
> >> you, especially when we introduce a system-wide cache into Fedora 23.
> >>
> >> It is also hard to manage and debug because you have to ask the same
> >> question from different networks etc. And it will be harder when you
> >> deploy DNSSEC to increase security...
> >>
> >> The typical recommendation is to use a sub-domain for internal names,
> >> e.g. i.example.com for internal names and example.com for
> >> externally-resolvable names.
> >>
> >>
> >> b) Second use-case: attempt to optimize IP routing by using DNS tricks.
> >>
> >> Yes, it is as bad an idea as it sounds.
> >>
> >>
> >>>> Can't you make foo.example.test a CNAME to foo.example.org or another
> >>>> hostname, in a domain with a different authoritative DNS server?
> >>>>
> >>>
> >>> Hmm yes that should work, thanks !
> >>
> >> Please keep in mind that it only hides the problem under yet another
> >> layer of indirection.
> >>
> >> <humor>
> >> Yes, it is always possible! We know it because it is written in
> >> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
> >> point (6), but you should take point (3) into account, too :-)
> >> </humor>
> >>
> >> --
> >> Petr^2 Spacek
>
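As an added example (not code from the thread, from FreeIPA, or from either poster), here is one way to do what Petr describes and still satisfy Karl's SNI constraint: the script keeps the hostname in the URL fixed, reads the per-network address from a config file stored beside it, and connects to that address while presenting the configured hostname as SNI and Host header. That is the same thing `curl --resolve name:port:addr https://name/` does, and it needs no split-horizon DNS, no /etc/hosts edits and no CNAME indirection. The service name, IPs, config layout and the NET_PROFILE variable below are assumptions made for the example.

```python
"""Keep one hostname for a service on both networks without split-horizon DNS.

Added example written for this thread; it is not code from FreeIPA or from
any poster. Addresses live in a config file beside the script (Petr's
advice); the hostname in the URL never changes (Karl's SNI constraint).
The client connects to the per-network address but presents the configured
hostname as SNI and Host header, so name-based dispatch works and the
certificate is still verified against the real name, never against an IP.
Service names, IPs and the config layout are assumptions.
"""
import configparser
import http.client
import os
import socket
import ssl

# Constructed sample of the config file that would sit alongside the script.
SAMPLE_CONFIG = """\
[registry]
host = registry.example.test
port = 443
path = /v2/
internal = 10.0.0.5
external = 203.0.113.10
"""

PROFILES = ("internal", "external")


def load_targets(text):
    """Parse config text into {service: {key: value}}; every service must
    name its host and an address for each profile."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    targets = {}
    for section in cp.sections():
        entry = dict(cp[section])
        missing = [k for k in ("host",) + PROFILES if k not in entry]
        if missing:
            raise ValueError(f"[{section}] lacks {', '.join(missing)}")
        targets[section] = entry
    return targets


def current_profile(environ=None):
    """Which network the script runs on: NET_PROFILE (assumed name), default
    external so a misconfigured box falls back to the public path."""
    environ = os.environ if environ is None else environ
    profile = environ.get("NET_PROFILE", "external")
    if profile not in PROFILES:
        raise ValueError(f"unknown NET_PROFILE {profile!r}, expected one of {PROFILES}")
    return profile


def connection_plan(targets, service, profile):
    """Resolve service + profile into what the connection needs.
    The URL and server name are identical for both profiles; only the
    address the socket is opened to differs."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}")
    t = targets[service]
    port = int(t.get("port", "443"))
    path = t.get("path", "/")
    return {
        "server_name": t["host"],
        "address": t[profile],
        "port": port,
        "path": path,
        "url": f"https://{t['host']}:{port}{path}",
    }


class PinnedNameHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS to a fixed address while presenting server_name for SNI and
    for certificate verification (the curl --resolve behaviour)."""

    def __init__(self, address, port, server_name, context=None, timeout=10):
        super().__init__(address, port, timeout=timeout,
                         context=context or ssl.create_default_context())
        self.server_name = server_name

    def connect(self):
        sock = socket.create_connection((self.host, self.port), self.timeout)
        # Default context keeps check_hostname=True: the cert must match
        # server_name, so this is not a verification bypass.
        self.sock = self._context.wrap_socket(sock, server_hostname=self.server_name)


def fetch(plan, method="GET"):
    """Perform the request described by a plan (needs network access)."""
    conn = PinnedNameHTTPSConnection(plan["address"], plan["port"], plan["server_name"])
    try:
        # Explicit Host header: http.client would otherwise send the IP.
        conn.request(method, plan["path"], headers={"Host": plan["server_name"]})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    targets = load_targets(SAMPLE_CONFIG)
    plan = connection_plan(targets, "registry", current_profile())
    print(plan["url"], "via", plan["address"])
```

The trade-off is the one Petr names: the script has to know which network it is on (here an environment variable), which is more code than a DNS trick but is visible in one file and testable without touching any resolver. Because the name presented to TLS is the real hostname, the certificate check is unchanged; do not be tempted to set check_hostname to False to "make it work" against the internal address.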