[Freeipa-users] DNS configuration for not resolving some addresses

Petr Spacek pspacek at redhat.com
Mon Jul 13 14:53:18 UTC 2015


On 8.7.2015 20:46, Karl Forner wrote:
> I forgot my main use case: I have name-based reverse proxies (SNI) for some
> web apps/services, that are accessible both from the internal and external
> network.
> They must be accessed with the exact same name/url, otherwise the dispatch
> cannot work.
> Until now I manage this by manually editing all /etc/hosts on all internal
> computers, but I had hoped to benefit from the freeIPA DNS for a more elegant
> solution.

Standard DNS cannot provide you with this; you need to hack it yourself. Sorry!

Petr Spacek  @  Red Hat

> On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek <pspacek at redhat.com> wrote:
> 
>> On 8.7.2015 16:32, Karl Forner wrote:
>>> Thanks Petr.
>>>
>>> My use case is: we have scripts that connect to some services, let's say a
>>> docker registry.
>>> I want these scripts to work either internally or externally, without
>>> changing the URLs.
>>> What would be the best or easiest setting to achieve this?
>>
>> Personally I use a config file for this. I.e. the script is the same and URLs,
>> names, passwords, etc. are read from a config file stored alongside the
>> script.
>>
>> This allows me to test it easily without any changes in DNS or system-wide
>> configuration like /etc/hosts.
>>
>> Yes, it requires more code, but in the long term it is way more debuggable than
>> DNS tricks.
>>
>> Petr^2 Spacek
>>
>>> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspacek at redhat.com> wrote:
>>>
>>>> On 8.7.2015 15:07, Karl Forner wrote:
>>>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdziora at redhat.com> wrote:
>>>>>
>>>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>>>
>>>>>>> When using my freeIPA DNS name server for my domain example.test, I need
>>>>>>> to exclude some names from the server (to be forwarded to the DNS
>>>>>>> forwarder for instance).
>>>>>>>
>>>>>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>>>>>> How could I implement this?
>>>>>>
>>>>>> That would mean you have two different nameservers authoritative for
>>>>>> the same DNS domain. That is generally not a recommended setup.
>>>>>>
>>>>>
>>>>> Yes, that's what I read, but I do not know how to easily do it differently.
>>>>> But in the end, what I'd like for my users is to have foo.example.test
>>>>> resolved from the outside to my external server IP, and from the inside to
>>>>> the internal server IP.
>>>>
>>>> Such a setup is generally not recommended because it is usually a pain when
>>>> it comes to long-term operation and maintenance.
>>>>
>>>> http://www.freeipa.org/page/DNS#Caveats
>>>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>>>
>>>>
>>>> Two main use-cases are:
>>>>
>>>> a) Two or more different servers are using the same name and which server
>>>> is used depends on the client's network.
>>>>
>>>> This is usually very cumbersome because DNS caching will play against you,
>>>> especially when we introduce a system-wide cache into Fedora 23.
>>>>
>>>> It is also hard to manage and debug because you have to ask the same question
>>>> from different networks etc. And it will be harder when you deploy DNSSEC to
>>>> increase security...
>>>>
>>>> The typical recommendation is to use a sub-domain for internal names, e.g.
>>>> i.example.com for internal names and example.com for
>>>> externally-resolvable names.
>>>>
>>>>
>>>> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>>>>
>>>> Yes, it is as bad an idea as it sounds.
>>>>
>>>>
>>>>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>>>>> hostname, in a domain with a different authoritative DNS server?
>>>>>>
>>>>>
>>>>> Hmm, yes, that should work, thanks!
>>>>
>>>> Please keep in mind that it only hides the problem under yet another layer
>>>> of indirection.
>>>>
>>>> <humor>
>>>> Yes, it is always possible! We know it because it is written in
>>>> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
>>>> point (6), but you should take point (3) into account, too :-)
>>>> </humor>
>>>>
>>>> --
>>>> Petr^2 Spacek
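As an added example (not code from this thread or from the FreeIPA project), the config-file approach Petr recommends, applied to Karl's SNI reverse-proxy case: the per-network address is read from a file beside the script, while the canonical name is still sent as SNI and still used for certificate hostname checks, so no DNS trick or /etc/hosts edit is needed. The service name `registry`, the `SERVICE_NETWORK` variable, and the addresses in the sample config are constructed for the example.

```python
import configparser
import os
import socket
import ssl

# Constructed sample config; in practice this is a file stored alongside the
# script, as Petr suggests, so nothing in DNS or /etc/hosts has to change.
# The addresses are documentation/private ranges chosen for the example.
SAMPLE_CONFIG = """
[registry]
name = foo.example.test
external = 203.0.113.10
internal = 10.0.0.10
port = 443
"""


def load_endpoints(text):
    """Parse the INI-style config text into {service: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def select_address(endpoints, service, network):
    """Return (canonical_name, ip, port) for network 'internal' or 'external'.
    The network is chosen explicitly by the caller, never guessed from DNS."""
    if network not in ("internal", "external"):
        raise ValueError("network must be 'internal' or 'external', got %r" % network)
    entry = endpoints[service]
    return entry["name"], entry[network], int(entry["port"])


def connect(endpoints, service, network=None):
    """Open a TLS connection to the per-network address while presenting the
    canonical name as SNI, so a name-based reverse proxy dispatches identically
    from both networks. The default context keeps check_hostname enabled, and the
    check is done against the canonical name, not the IP, so verification is
    not weakened. SERVICE_NETWORK is a hypothetical selector for this example."""
    network = network or os.environ.get("SERVICE_NETWORK", "external")
    name, ip, port = select_address(endpoints, service, network)
    ctx = ssl.create_default_context()
    sock = socket.create_connection((ip, port), timeout=5)
    return ctx.wrap_socket(sock, server_hostname=name)


if __name__ == "__main__":
    endpoints = load_endpoints(SAMPLE_CONFIG)
    for net in ("internal", "external"):
        print(net, "->", select_address(endpoints, "registry", net))
```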
