[Freeipa-users] DNS operation timed out when installing IPA with forwarders
Geselle Stijn
stijn.geselle at ypto.be
Wed Feb 24 12:19:49 UTC 2016
Adding a forward zone like Martin suggested works.
I will definitely read the section you linked to get a better understanding of the differences between both.
Doing a dig for google.com won't work in our case, because the servers are not internet-facing.
Stijn
-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: Monday 22 February 2016 11:05
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA with forwarders
On 19.2.2016 15:09, Martin Basti wrote:
> On 19.02.2016 14:57, Geselle Stijn wrote:
>> That seems to fail:
>>
>> [root@ipa ~]# dig @192.168.1.1 . SOA
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4000
>> ;; QUESTION SECTION:
>> ;. IN SOA
>>
>> ;; Query time: 11153 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Fri Feb 19 14:42:51 CET 2016
>> ;; MSG SIZE rcvd: 28
>>
>>
>> But if I add a new record (e.g. CNAME) to DNS in Windows Server and
>> try to ping to that CNAME, I get resolved correctly.
>>
>> -Stijn
> Hello,
>
> Global forwarders, specified by the --forwarder option during installation
> or added via ipa dnsconfig-mod, must be able to resolve the root zone
> (your forwarder/server 192.168.1.1 is not able to return a result for the root zone).
>
> You probably need to specify a forwardzone for the particular Windows
> domain you use, instead of specifying it as a global forwarder.
>
> ipa dnsforwardzone-add <your.windows.zone.> --forwarder 192.168.1.1
Martin could be right, but this depends on your setup.
Please read chapter "Managing DNS Forwarding" in our docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html
It explains the difference between global and per-zone forwarding (I hope :-) so it will be easier to decide what should be used.
BTW does the command
$ dig @192.168.1.1 www.google.com. SOA
work?
(Assuming that neither google.com. nor com. are your AD domains :-))
Petr^2 Spacek
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>> Sent: Friday 19 February 2016 13:59
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] DNS operation timed out when installing
>> IPA with forwarders
>>
>> On 19.2.2016 13:50, Geselle Stijn wrote:
>>> Hello fellow FreeIPA users,
>>>
>>> I'm trying to set up FreeIPA in a lab environment (VirtualBox):
>>>
>>>
>>> - ad.example.com (Windows Server 2008 R2) - 192.168.1.1
>>>
>>> - ipa.example.com (CentOS 7.2) - 192.168.1.2
>>> Both machines can ping each other, DNS resolving works:
>>>
>>> [root@ipa ~] nslookup ad
>>> Server: 192.168.1.1
>>> Address: 192.168.1.1#53
>>>
>>> Name: ad.example.com
>>> Address: 192.168.1.1
>>>
>>>
>>> I executed:
>>>
>>> yum install -y "*ipa-server*" bind bind-dyndb-ldap
>>> ipa-server-install --domain=example.com --realm=EXAMPLE.COM --setup-dns --forwarder=192.168.1.1
>>>
>>> But the installation wizard fails at:
>>>
>>> Checking DNS forwarders, please wait ...
>>> ipa : ERROR DNS server 192.168.1.1: query '. SOA': The DNS operation timed out after 10.00124242 seconds
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR DNS server 192.168.1.1: query '. SOA': The DNS operation timed out after 10.00124242 seconds
>>>
>>>
>>> Is there some way I can better troubleshoot this? Can I increase the
>>> DNS timeout (maybe it's simply slow via VirtualBox)?
>> Please try command
>> $ dig @192.168.1.1 . SOA
>> and paste the output here.
>>
>> Also, please run the installer again with option --debug.
>>
>> I will have a look.
>>
>> Thank you.
>>
>> --
>> Petr^2 Spacek
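The `. SOA` check discussed in this thread, as an added example that is not part of the original messages and not FreeIPA's own code: it builds the root-zone SOA query on the wire and classifies the reply header the way the `dig` output above reads. The function names, the "NOERROR with at least one answer" criterion, and the header-only sample replies are assumptions constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name=".", qtype=6, qid=0x1234):
    """Encode a recursive (RD=1) DNS query; '.' is the root zone, 6 = SOA."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(data, qid=0x1234):
    """Return (rcode_name, answer_count, usable_as_global_forwarder)."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # QR bit must be set
        raise ValueError("not a response to our query")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    return rcode, ancount, (rcode == "NOERROR" and ancount > 0)

def probe(server, timeout=10.0):
    """Send '. SOA' to server over UDP; a timeout counts as unusable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return "TIMEOUT", 0, False

# Constructed sample replies (header + question only, no resource records).
# SERVFAIL_REPLY mirrors the flags in the dig output: qr rd ra, status SERVFAIL.
QUESTION = b"\x00\x00\x06\x00\x01"
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + QUESTION
NOERROR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION

if __name__ == "__main__":
    print(probe("192.168.1.1"))  # the forwarder address used in this thread
```

A server that returns SERVFAIL or times out here is a candidate for a per-zone forwarder (`ipa dnsforwardzone-add`) rather than a global one, as suggested above.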