Hi,

the various settings are explained in DNS forward policies in IdM
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/working_with_dns_in_identity_management/managing-global-dns-configuration-in-idm-using-ansible-playbooks_working-with-vaults-in-idm#dns-forward-policies-in-idm_managing-global-dns-configuration-in-idm-using-ansible-playbooks>.

By default, the DNS server does not forward queries if they are related to a
zone for which it is authoritative (= for zones listed in *ipa dnszone-find*).
For other zones:
- if they are defined as a forward zone (configured with *ipa dnsforwardzone-add*),
  the zone forwarder/policy is used
- if they are not defined as a forward zone, the general configuration applies
  (global forwarder and global policy, or per-server forwarder and policy if they
  exist).

flo

On Mon, Dec 27, 2021 at 5:40 AM Dave Mintz via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi Peter,
>
> Thank you so much!
> Could you please elaborate on how to configure the FreeIPA DNS server to
> forward only non-local-domain queries?
>
> In the DNS Global Configuration there is the Forward policy:
>   Forward first
>   Forward only
>   Forwarding disabled
>
> Which one should be used to do what you say below?
> Do I need to set a Global forwarder?
>
> Best,
> Dave
>
>
> > On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
> >> Hello,
> >> I have been trying to set up FreeIPA on an internal CentOS 8 server.
> >> I was successful in getting it running, I set up DNS for internal
> >> queries. It worked. However, when I tried to set up SSL certs I ran
> >> into an issue.
> >>
> >> My question is this:
> >> I own a legitimate domain.
> >> It is not "hosted".
> >> I have no intention of exposing any of my internal servers to the
> >> Internet.
> >> How do I go about configuring the DNS at my registrar so that when I
> >> configure my internal servers, including FreeIPA, DNS, SSL, email,
> >> etc., any requests that go out to the Internet will resolve
> >> correctly?
> >>
> >> Any help or pointers to documentation would be greatly appreciated.
> >
> > I have freeIPA with DNS over several replication instances running. The
> > domains are like yours mostly internal and not to resolve externally.
> > Without a lot of boring details, you do not need to register your TLD
> > if you just use the domain internally. As long as the resolver your
> > internal hosts point to is your authoritative DNS server that FreeIPA
> > manages, the clients will get responses as they need.
> >
> > This requires your server not to just blindly forward all DNS
> > externally. I have forward turned off on my domains. This means when a
> > client requests a public DNS address, the bind server managed by
> > FreeIPA will do an NS lookup to see where the request needs to be sent.
> > It's not 1.1.1.1 or similar services doing that. Works great for a
> > small network where your domain is 100% internal.
> >
> > You can have an external NS too and they can provide very different
> > answers. Perhaps you just want MX to resolve externally but an ocean of
> > internal addresses should not. If someone outside your network tries to
> > resolve an address, they will hit the external resolver (not managed by
> > FreeIPA!) and only resolve what it knows about.
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
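The decision flo describes (answer locally for zones in `ipa dnszone-find`, use the forward zone's forwarder/policy where one matches, otherwise fall back to the global or per-server setting) and the `ipa` commands that produce the "forward only non-local-domain queries" setup Dave asked about, as an added example. This is not code from the thread or from the FreeIPA project; the zone names (ipa.example.test, partner.test, lab.example.test), the forwarder addresses and the `run`, `match_forward_zone`, `forward_path` and `configure_forwarding` helpers are all constructed for illustration. The `ipa dnsconfig-mod`, `ipa dnsforwardzone-add` and `ipa dnsconfig-show` invocations use real options; when `ipa` is not installed the script only prints them.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Part 1 models the decision flo describes: a query is answered locally if the
# server is authoritative for the zone, otherwise a matching forward zone's
# forwarder/policy wins, otherwise the global (or per-server) setting applies.
# Part 2 lists the ipa commands that build the configuration Dave asked for.
# All zone names, addresses and host names are constructed for illustration.

# Zones this server is authoritative for (what `ipa dnszone-find` lists).
AUTH_ZONES="ipa.example.test 2.0.192.in-addr.arpa"

# Forward zones (what `ipa dnsforwardzone-find` lists): "zone policy forwarder".
FORWARD_ZONES="partner.test only 198.51.100.53
lab.example.test first 203.0.113.53"

# Global forwarder and policy (what `ipa dnsconfig-show` reports).
GLOBAL_FORWARDER="192.0.2.53"
GLOBAL_POLICY="only"

# match_forward_zone SUFFIX: print "zone policy forwarder" if SUFFIX is a forward zone.
match_forward_zone() {
    printf '%s\n' "$FORWARD_ZONES" | while read -r zone policy fwd; do
        if [ "$1" = "$zone" ]; then
            printf '%s %s %s\n' "$zone" "$policy" "$fwd"
        fi
    done
}

# forward_path NAME: print which configuration a query for NAME falls under:
#   "authoritative ZONE"                 answered from local zone data, never forwarded
#   "forwardzone ZONE POLICY FORWARDER"  per-zone forwarder and policy
#   "global POLICY FORWARDER"            global (or per-server, if set) configuration
forward_path() {
    # Normalise: strip a trailing dot, lower-case (DNS names are case-insensitive).
    name=$(printf '%s' "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]')
    # Walk from the most specific suffix to the least so the longest match wins:
    #   host.ipa.example.test -> ipa.example.test -> example.test -> test
    candidate=$name
    while [ -n "$candidate" ]; do
        for zone in $AUTH_ZONES; do
            if [ "$candidate" = "$zone" ]; then
                echo "authoritative $zone"
                return 0
            fi
        done
        fz=$(match_forward_zone "$candidate")
        if [ -n "$fz" ]; then
            echo "forwardzone $fz"
            return 0
        fi
        case $candidate in
            *.*) candidate=${candidate#*.} ;;   # drop the leftmost label
            *)   candidate= ;;                  # top-level label exhausted
        esac
    done
    echo "global $GLOBAL_POLICY $GLOBAL_FORWARDER"
}

# run CMD...: execute when ipa is installed, otherwise only print the command.
run() {
    if command -v ipa >/dev/null 2>&1; then
        "$@"
    else
        printf '+ %s\n' "$*"
    fi
}

# The setup behind the answer to Dave's question: zones from `ipa dnszone-find`
# are always answered locally; everything else goes to the global forwarder
# because the policy is "only" (the UI's "Forward only"). Forward zones carve
# out exceptions for other private domains.
configure_forwarding() {
    run ipa dnsconfig-mod --forwarder="$GLOBAL_FORWARDER" --forward-policy="$GLOBAL_POLICY"
    run ipa dnsforwardzone-add partner.test --forwarder=198.51.100.53 --forward-policy=only
    run ipa dnsforwardzone-add lab.example.test --forwarder=203.0.113.53 --forward-policy=first
    # Peter's variant (the UI's "Forwarding disabled"): no forwarder is used and
    # BIND recurses from the root hints itself:
    #   ipa dnsconfig-mod --forward-policy=none
    run ipa dnsconfig-show
}

# Run with "apply" to execute; with no argument the script only evaluates names.
if [ "${1:-}" = "apply" ]; then
    configure_forwarding
fi
for n in host.ipa.example.test vpn.partner.test www.example.org; do
    printf '%-26s -> %s\n' "$n" "$(forward_path "$n")"
done
```

After applying, check the two paths from a client with `dig @<ipa-server> <name> +noall +comments`: a name inside an authoritative zone comes back with the `aa` flag set, while an external name is answered through the forwarder without it. The example keeps lab.example.test outside the authoritative ipa.example.test zone on purpose: a forward zone that sits under a zone the same server is authoritative for only takes effect when the parent zone delegates it with NS records, and `ipa dnsforwardzone-add` warns about that case.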