[Freeipa-users] DNS operation timed out when installing IPA with forwarders
Petr Spacek
pspacek at redhat.com
Mon Feb 22 10:05:27 UTC 2016
On 19.2.2016 15:09, Martin Basti wrote:
> On 19.02.2016 14:57, Geselle Stijn wrote:
>> That seems to fail:
>>
>> [root@ipa ~]# dig @192.168.1.1 . SOA
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4000
>> ;; QUESTION SECTION:
>> ;. IN SOA
>>
>> ;; Query time: 11153 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Fri Feb 19 14:42:51 CET 2016
>> ;; MSG SIZE rcvd: 28
>>
>>
>> But if I add a new record (e.g. CNAME) to DNS in Windows Server and try to
>> ping to that CNAME, I get resolved correctly.
>>
>> -Stijn
> Hello,
>
> global forwarders, specified by --forwarder option during installation or
> added via ipa dnsconfig-mod, must be able to resolve root zone (your
> forwarder/server 192.168.1.1 is not able to return result for root zone).
>
> You probably need to specify forwardzone, for the particular windows domain
> you use, instead of specify it as global forwarder.
>
> ipa dnsforwardzone-add <your.windows.zone.> --forwarder 192.168.1.1

Martin could be right, but this depends on your setup.

Please read chapter "Managing DNS Forwarding" in our docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html
It explains the difference between global and per-zone forwarding (I hope :-)
so it will be easier to decide what should be used.

BTW does the command
$ dig @192.168.1.1 www.google.com. SOA
work?
(Assuming that neither google.com. nor com. are your AD domains :-))

Petr^2 Spacek

>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>> Sent: Friday 19 February 2016 13:59
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA
>> with forwarders
>>
>> On 19.2.2016 13:50, Geselle Stijn wrote:
>>> Hello fellow FreeIPA users,
>>>
>>> I'm trying to setup FreeIPA in a lab environment (VirtualBox):
>>>
>>>
>>> - ad.example.com (Windows Server 2008 R2) - 192.168.1.1
>>> - ipa.example.com (CentOS 7.2) - 192.168.1.2
>>>
>>> Both machines can ping each other, DNS resolving works:
>>>
>>> [root@ipa ~] nslookup ad
>>> Server: 192.168.1.1
>>> Address: 192.168.1.1#53
>>>
>>> Name: ad.example.com
>>> Address: 192.168.1.1
>>>
>>>
>>> I executed:
>>>
>>> yum install -y "*ipa-server*" bind bind-dyndb-ldap
>>> ipa-server-install --domain=example.com --realm=EXAMPLE.COM --setup-dns --forwarder=192.168.1.1
>>>
>>> But the installation wizard fails at:
>>>
>>> Checking DNS forwarders, please wait ...
>>> ipa : ERROR DNS server 192.168.1.1: query '. SOA': The DNS
>>> operation timed out after 10.00124242 seconds
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR DNS server
>>> 192.168.1.1: query '. SOA': The DNS operation timed out after 10.00124242
>>> seconds
>>>
>>>
>>> Is there some way I can better troubleshoot this? Can I increase the DNS
>>> timeout (maybe it's simply slow via VirtualBox).
>> Please try command
>> $ dig @192.168.1.1 . SOA
>> and paste the output here.
>>
>> Also, please run the installer again with option --debug.
>>
>> I will have a look.
>>
>> Thank you.
>>
>> --
>> Petr^2 Spacek
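
The forwarder check discussed in this thread, as an added example that is not part of the original messages or of the FreeIPA installer: a shell helper that reads `dig @<forwarder> . SOA` output and says whether the server can act as a global forwarder. The function names, verdict strings and the NOERROR sample are constructed for illustration; the 10-second limit is an assumption taken from the installer error quoted above.

```shell
# LIMIT_MS: assumption, from the installer's "timed out after 10.00..." message.
LIMIT_MS=10000

# parse_dig: dig output on stdin -> "STATUS ANSWER_COUNT QUERY_MSEC"
parse_dig() {
    awk '
        { for (i = 1; i < NF; i++) {
              if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
              if ($i == "ANSWER:") { a = $(i + 1); sub(/,$/, "", a) }
          } }
        /^;; Query time:/      { t = $4 }
        /connection timed out/ { s = "TIMEOUT" }
        END { if (s == "") s = "NONE"; if (a == "") a = 0; if (t == "") t = -1; print s, a, t }
    '
}

# classify_forwarder: dig output on stdin -> one-word verdict
classify_forwarder() {
    set -- $(parse_dig)
    if [ "$1" != "NOERROR" ] || [ "$2" -lt 1 ]; then
        echo "no-root-resolution:$1"   # usable at most as a per-zone forwarder
    elif [ "$3" -ge "$LIMIT_MS" ]; then
        echo "too-slow:$3"             # answer arrives after the installer gives up
    else
        echo "global-ok"
    fi
}

# The SERVFAIL reply quoted in the thread (header lines re-wrapped).
sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 11153 msec
EOF
}

# Constructed reply from a resolver that can reach the root zone.
sample_ok() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
.  86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016022200 1800 900 604800 86400
;; Query time: 24 msec
EOF
}

sample_servfail | classify_forwarder
sample_ok | classify_forwarder
```

On a live host, pipe `dig +time=10 +tries=1 @192.168.1.1 . SOA` into `classify_forwarder`; a `no-root-resolution` verdict points to the per-zone `ipa dnsforwardzone-add` route suggested earlier in the thread.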