[Freeipa-users] DNS operation timed out when installing IPA with forwarders

Petr Spacek pspacek at redhat.com
Mon Feb 22 10:05:27 UTC 2016


On 19.2.2016 15:09, Martin Basti wrote:
> On 19.02.2016 14:57, Geselle Stijn wrote:
>> That seems to fail:
>>
>> [root@ipa ~]# dig @192.168.1.1 . SOA
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4000
>> ;; QUESTION SECTION:
>> ;.                              IN      SOA
>>
>> ;; Query time: 11153 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Fri Feb 19 14:42:51 CET 2016
>> ;; MSG SIZE  rcvd: 28
>>
>>
>> But if I add a new record (e.g. CNAME) to DNS in Windows Server and try to
>> ping to that CNAME, I get resolved correctly.
>>
>> -Stijn
> Hello,
> 
> Global forwarders, specified by the --forwarder option during installation or
> added via ipa dnsconfig-mod, must be able to resolve the root zone (your
> forwarder/server 192.168.1.1 is not able to return a result for the root zone).
> 
> You probably need to specify a forwardzone for the particular Windows domain
> you use, instead of specifying it as a global forwarder.
> 
> ipa dnsforwardzone-add <your.windows.zone.> --forwarder 192.168.1.1

Martin could be right, but this depends on your setup.

Please read chapter "Managing DNS Forwarding" in our docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html

It explains the difference between global and per-zone forwarding (I hope :-)
so it will be easier to decide what should be used.

BTW does the command
$ dig @192.168.1.1 www.google.com. SOA
work?
(Assuming that neither google.com. nor com. are your AD domains :-))

Petr^2 Spacek

>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>> Sent: Friday 19 February 2016 13:59
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA
>> with forwarders
>>
>> On 19.2.2016 13:50, Geselle Stijn wrote:
>>> Hello fellow FreeIPA users,
>>>
>>> I'm trying to set up FreeIPA in a lab environment (VirtualBox):
>>>
>>> - ad.example.com (Windows Server 2008 R2) - 192.168.1.1
>>> - ipa.example.com (CentOS 7.2) - 192.168.1.2
>>>
>>> Both machines can ping each other, DNS resolving works:
>>>
>>> [root@ipa ~] nslookup ad
>>> Server:         192.168.1.1
>>> Address:     192.168.1.1#53
>>>
>>> Name:     ad.example.com
>>> Address: 192.168.1.1
>>>
>>>
>>> I executed:
>>>
>>> yum install -y "*ipa-server*" bind bind-dyndb-ldap
>>> ipa-server-install --domain=example.com --realm=EXAMPLE.COM --setup-dns --forwarder=192.168.1.1
>>>
>>> But the installation wizard fails at:
>>>
>>> Checking DNS forwarders, please wait ...
>>> ipa            : ERROR   DNS server 192.168.1.1: query '. SOA': The DNS
>>> operation timed out after 10.00124242 seconds
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR     DNS server
>>> 192.168.1.1: query '. SOA': The DNS operation timed out after 10.00124242
>>> seconds
>>>
>>>
>>> Is there some way I can better troubleshoot this? Can I increase the DNS
>>> timeout (maybe it's simply slow via VirtualBox)?
>> Please try command
>> $ dig @192.168.1.1 . SOA
>> and paste the output here.
>>
>> Also, please run the installer again with option --debug.
>>
>> I will have a look.
>>
>> Thank you.
>>
>> -- 
>> Petr^2 Spacek
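
The forwarder check discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's own code: it classifies the output of `dig @SERVER . SOA` to show whether a server can resolve the root zone, which the thread says a global forwarder must do. The function names and verdict strings are hypothetical, and the sample replies are constructed (the SERVFAIL one mirrors the header posted above).

```shell
#!/bin/sh
# Added example (not from the thread). Verdict names are this example's own.

# Read the output of `dig @SERVER . SOA` on stdin and print one verdict:
#   global-ok  - root zone resolved (status NOERROR and at least one answer)
#   not-global - server replied, but not with a root-zone SOA (e.g. SERVFAIL)
#   no-reply   - no response header at all (timeout or unreachable server)
classify_dig_output() (
    out=$(cat)
    status=$(printf '%s\n' "$out" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" |
        sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo "no-reply"
    elif [ "$status" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]; then
        echo "global-ok"
    else
        echo "not-global"
    fi
)

# Live check against a candidate forwarder, e.g.: check_forwarder 192.168.1.1
check_forwarder() {
    dig +time=10 +tries=1 "@$1" . SOA 2>&1 | classify_dig_output
}

# Constructed sample: header lines of the SERVFAIL reply posted in this thread.
sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Constructed sample: what a resolver that can reach the root zone returns.
sample_noerror() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

sample_servfail | classify_dig_output
sample_noerror | classify_dig_output
```

A `not-global` verdict corresponds to the case in this thread, where the reply suggests `ipa dnsforwardzone-add` for the specific zone instead of `--forwarder`.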



