[Freeipa-users] DNS question on named.ca

Petr Spacek pspacek at redhat.com
Wed Oct 19 07:30:40 UTC 2016


On 19.10.2016 00:55, Sean Hogan wrote:
> 
> Hi all,
> 
>    I have a DNS question on how/why my IPA DNS servers are trying to hit
> the root DNS internet servers.  My IPA servers are in private networks only
> serving DNS for the private domains they manage, but recently the network team
> indicated they see my ipa IPs trying to hit the outside world.  After
> obtaining the logs I noticed they are trying to hit the internet root DNS
> servers.  I then tracked down named.ca on the IPAs, which correlates to the
> IPs the network team is showing.  I then found named.conf references named.ca
> for hints.
> 
> This is where I imagine it is coming from in named.conf
> 
> zone "." IN {
> 	type hint;
> 	file "named.ca";
> };
> 
> Question is how can I stop my IPA DNS servers from trying to hit the
> internet root DNS servers?  

The answer depends on your environment.

If you are on an isolated network and *have your own DNS root domain*, you have
a couple of options:
a) specify only the IP addresses of your root servers in the named.ca file (recommended)

b) use global forwarding with policy only to forward to some other DNS server,
which is properly configured

c) add the root zone to IPA and configure *other* servers with root hints or
forwarders (just create zone named '.' and add appropriate delegations to
sub-zones as usual)


If your requirement is to have IPA DNS servers which do not reply to anything
except the DNS zones they are authoritative for, set the allow-recursion policy
to "none;". In that case BIND will not run recursive resolution and thus will not
try to contact root servers. It needs to be set in /etc/named.conf; IPA does
not support this setting.

Beware, the IPA installer may rewrite named.conf when you run ipa-dns-install or
similar. In that case just edit it again.

For all the gory details please see
https://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html

I hope it helps.

Petr^2 Spacek


> I was thinking of commenting out named.ca in
> named.conf but imagine bad things happening.
> I guess I could also make a new file for named.ca and reference it in
> named.conf...then scp it to the other ipas, but I have no idea as to the syntax
> (giving it a shot at the bottom of the email) or if it can be empty.  Any help is
> appreciated.
> 
> 
> IPA clients resolv.conf are set for search domain and the nameserver IPs of
> the IPA servers.
> 
> Versions:
> ipa-server-3.0.0-50.el6.1.x86_64
> bind-9.8.2-0.47.rc1.el6.x86_64
> 
> Commands used for server install:
>  ipa-server-install --setup-dns
> 
> 
> 
> Attempt at correct syntax if I need a file with info in it... file named, say,
> fakenamed.ca.
> If my IPA servers are named DNS1  10.10.10.1/2001:7fd::1 and DNS2
> 10.10.10.2/2001:503:c27::2:30, would this work, or is it not even needed?
> 
> ; OPERATED BY ME
> ;
> .                        3600000      NS    DNS1.
> DNS1.      3600000      A     10.10.10.1
> DNS1.      3600000      AAAA  2001:7fd::1
> ;
> ; OPERATED BY ME
> ;
> .                        3600000      NS    DNS2.
> DNS2.      3600000      A     10.10.10.2
> DNS2.      3600000      AAAA  2001:503:c27::2:30
> 
> 
> 
> Sean Hogan
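The three settings Petr describes, written out as an added example for readers of this thread; it is not configuration from the thread, from BIND's distribution or from the FreeIPA project. The server names, the 10.10.10.x addresses and the 10.10.10.53 forwarder are placeholders. Option (a) keeps the hint zone but fills named.ca with your own root servers only, so BIND never learns the Internet root addresses; "forward only" (option b) sends everything non-authoritative to one internal resolver and never falls back to the hints; `allow-recursion { none; }` turns the server into an authoritative-only server, which also means IPA clients that point resolv.conf at it will stop resolving names outside the IPA zones, so choose between those last two rather than combining them:

```conf
// ---- /etc/named.conf (fragment; everything else IPA generated stays) ----
options {
    // ... directory, listen-on, dnssec settings etc. as written by IPA ...

    // Option (b): global forwarding with policy "only".  With "forward only"
    // BIND never iterates from the root hints itself; if the forwarder is
    // unreachable the query fails instead of leaking to the Internet roots.
    forward only;
    forwarders { 10.10.10.53; };          // placeholder: internal resolver

    // Authoritative-only alternative (pick this OR the forwarding above):
    // no recursion at all, so the hint zone is never consulted.
    // IPA does not manage this line; re-add it if ipa-dns-install rewrites
    // the file.
    // allow-recursion { none; };
};

// Option (a): hint zone stays, but the file lists only private roots.
zone "." IN {
    type hint;
    file "named.ca";
};

; ---- /var/named/named.ca (replaces the stock root hints; option a) ----
; Same layout as the distribution file: NS records at the root, then the
; A/AAAA glue for each listed server.  Names and addresses are placeholders.
.                        3600000      NS    dns1.corp.example.
dns1.corp.example.       3600000      A     10.10.10.1
dns1.corp.example.       3600000      AAAA  fd00:10:10::1
;
.                        3600000      NS    dns2.corp.example.
dns2.corp.example.       3600000      A     10.10.10.2
dns2.corp.example.       3600000      AAAA  fd00:10:10::2
```

Before reloading, `named-checkconf /etc/named.conf` reports syntax errors in the main file, and `rndc reload` applies the change without restarting the service. Afterwards the network team's flow logs are the confirmation that matters: outbound UDP/TCP 53 from the IPA addresses to the root-server IPs should stop, and a client query for an external name should either be answered by the forwarder (option b) or refused (allow-recursion none), never served by iteration from the roots.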




More information about the Freeipa-users mailing list