Hi Rafael I appreciate your response but we're (just me?) still lacking in direction as to how to properly use your software in the real world - to me It feels like an admins vs devs topic although I could easily be missing something :)
I mention the Microsoft documentation because i haven't found anything on this topic in RedHat land. I just remember the MS docs being the only source of useful information when last I checked. Ok let's try this: I've just registered angusclarke.com with a public DNS provider and am ready to deploy FreeIPA for my corporate network which uses a private IP space. How do I do this? According to this https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-configure_host_names#sec-Recommended_Naming_Practices then I should have a domain delegated to me, but I am not a public DNS provider, I'm just Angus Clarke ... Nor do I want my private IP space available to be looked up in a public DNS record ... And I'd rather have my private IP records handled by my internal DNS system - all of this is standard practise for companies and individuals however I dont think this topic is suitably addressed in the redhat documentation - I see a disconnect in the recommendation pasted above vs the installation documentation for FreeIPA. Maybe I've missed it, maybe I can promote the topic here and it can be championed in the right direction, maybe I can even help on the topic myself. Regards Angus From: Rafael Jeffman <rjeff...@redhat.com> Sent: Monday, 27 December 2021, 8:15 pm To: Angus Clarke Cc: FreeIPA users list; Dave Mintz; Peter Larsen Subject: Re: [Freeipa-users] Re: DNS and FreeIPA Hello Angus, On Mon, Dec 27, 2021 at 11:31 AM Angus Clarke <an...@charworth.com<mailto:an...@charworth.com>> wrote: Hi Rafael What is not clear to me is how to integrate FreeIPA with a real public DNS domain, which I think is what Dave is referring to as he mentioned he owns a legitimate domain. In any case, AFAIK we're not supposed to use made up domains for internal DNS anymore ... Although you shouldn't use a domain name you don't own, if your DNS server is not visible outside of your network, the issues you have with domain names would be contained to your local network (like not being able to access 'awellknowsearch.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fawellknowsearch.com%2F&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293209877512%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=F%2Bm6waII7%2BKFGZwgXPsitUP4nP1ARtgYwLWr8Kjz9Fo%3D&reserved=0>' if you use this domain name in your own network). I see the docs talk about server.idm.example.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fserver.idm.example.com%2F&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293209877512%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=WR4hbnSJY5YPEIKH3XQKfw7AYr62%2BWGFp8O8dCwxCdc%3D&reserved=0> - presumably example.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com%2F&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Ixbu%2FoHejSN3LYI2jf1THGffeXPRH%2FWzHECWYYRFNlg%3D&reserved=0> is supposed to be some legitimate DNS domain and idm.example.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fidm.example.com%2F&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=%2BLqzpbIVwA4FMIzHTOBn%2Bdbcfj2LL13TNeLqs%2BfJJzU%3D&reserved=0> is a delegated subdomain, although this doesn't appear to be explained. Microsoft docs talk about using delegated subdomains of legitimate public DNS domains for internal corporate DNS, which is what got me into this train of thought in the first place. Delegating a subdomain to a private IP (your internal DNS server) and hiding that delegation with a split view on your public DNS is one way of hiding the subdomain from public view whilst keeping all your private DNS data private and hosted/managed in house. Whether you use FreeIPA's DNS for internally hosting idm.example.com<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fidm.example.com%2F&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=%2BLqzpbIVwA4FMIzHTOBn%2Bdbcfj2LL13TNeLqs%2BfJJzU%3D&reserved=0> or not is a matter of choice I suppose. A delegated subdomain is simply a subdomain for which the authoritative DNS server is not the same as the main domain. I'm not sure about which Microsoft docs you mention, but on Azure, subdomain delegation might be required depending on what you want to do on Azure. For private subdomains, if you have full control of the domain/hosts, there might not be a need to delegate the subdomain (as in Peter Larsen's message). Also, if you consider using split view, FreeIPA DNS should not be used, and if you use an external DNS any configuration should be carried on that DNS provider, so it is not a matter of configuring DNS within FreeIPA. The discussion on configuring FreeIPA DNS only makes sense if using FreeIPA's integrated DNS. Whilst I'm here and at the opposite end of this topic, I run bad.domain for our FreeIPA DNS domain (going back years to the original installation) with the realm BAD - I'm getting a bit uncomfortable about this configuration and wondered if I'll drop out of support at some point - any thoughts on that? (I surely can't be the only one!) I haven't used FreeIPA's DNS. If you don't use FreeIPA's DNS, there is no problem in using whatever your DNS nameserver supports, as long as FreeIPA entries are correct and accessible. You may find which records need to be available with `ipa dns-update-system-records --dry-run`. Hope this helps, Rafael Thanks Angus ________________________________ From: Rafael Jeffman via FreeIPA-users <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Sent: Monday, 27 December 2021, 1:31 pm To: FreeIPA users list Cc: Dave Mintz; Peter Larsen; Rafael Jeffman Subject: [Freeipa-users] Re: DNS and FreeIPA Sorry for the top reply, but this is more an overview about all messages than a direct answer. Everything here assumes you are using FreeIPA's integrated DNS. First, it was suggested that split view DNS is used. Don't do that, as it is not supported by FreeIPA. Use it only if you manage your own external DNS, without using FreeIPA to manage entries. Regarding forwarding DNS queries, the easiest way is to set a global forwarder. In my home lab I use public ones, like Google and Cloudflare, and I'm not much concerned about external traffic, so I leave the default configuration, "forward first", enabled. You can find more information about the available options here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/working_with_dns_in_identity_management/managing-global-dns-configuration-in-idm-using-ansible-playbooks_working-with-vaults-in-idm#dns-forward-policies-in-idm_managing-global-dns-configuration-in-idm-using-ansible-playbooks<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_enterprise_linux%2F8%2Fhtml%2Fworking_with_dns_in_identity_management%2Fmanaging-global-dns-configuration-in-idm-using-ansible-playbooks_working-with-vaults-in-idm%23dns-forward-policies-in-idm_managing-global-dns-configuration-in-idm-using-ansible-playbooks&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=4VKKXq7JUh8F4TenCI%2FREBIQ7Q73t3bZOqCIyU4CYnw%3D&reserved=0> A lot more about working with DNS can be found https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/working_with_dns_in_identity_management/index<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_enterprise_linux%2F8%2Fhtml%2Fworking_with_dns_in_identity_management%2Findex&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=rQax0TqkbUnOgu5aowvc1JGnhesxW5nOEpZq6MiASgI%3D&reserved=0> Regards, Rafael On Mon, Dec 27, 2021 at 1:40 AM Dave Mintz via FreeIPA-users <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> wrote: Hi Peter, Thank you so much! Could you please elaborate on how to configure the FreeIPA DNS server to forward only non-local-domain queries? In the DNS Global Configuration there is the Forward policy Forward first Forward only Forwarding disabled Which one should be used to do what you say below? Do I need to set a Global forwarder? Best, Dave > On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users > <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> > wrote: > > On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote: >> Hello, >> I have been trying to set up FreeIPA on an internal CentOS 8 server. >> I was successful in getting it running, I set up DNS for internal >> queries. It worked. However, when I tried to set up SSL certs I ran >> into issue. >> >> My question is this: >> I own a legitimate domain. >> It is not “hosted”. >> I have no intention of exposing any of my internal servers to the >> Internet. >> How do I go about configuring the DNS at my registrar so that when I >> configure my internal servers, including FreeIPA, DNS, SSL, email, >> etc., any requests that go out to the Internet will resolve >> correctly? >> >> Any help or pointers to documentation would be greatly appreciated. > > I have freeIPA with DNS over several replication instances running. The > domains are like yours mostly internal and not to resolve externally. > Without a lot of boring details, you do not need to register your TLD > if you just use the domain internally. As long as the resolver your > internal hosts point to is your authoritative DNS server that FreeIPA > manages, the clients will get responses as they need. > > This requires your server not to just blindly forward all DNS > externally. I have forward turned off on my domains. This means when a > client requests a public DNS address, the bind server managed by > FreeIPA will do a NS lookup to see where the request needs to be sent. > It's not 1.1.1.1 or similar services doing that. Works great for a > small network where your domain is 100% internal. > > You can have an external NS too and they can provide very different > answers. Perhaps you just want MX to resolve externally but an ocean of > internal addresses should not. If someone outside your network tries to > resolve an address, they will hit the external resolver (not managed by > FreeIPA!) and only resolve what it knows about. > > > _______________________________________________ > FreeIPA-users mailing list -- > freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org<mailto:freeipa-users-le...@lists.fedorahosted.org> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=jjVtj5d%2Ff21rp5F4PJNQM5XTLLkGVJ%2Bx2nJBm2soHKU%3D&reserved=0> > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproject.org%2Fwiki%2FMailing_list_guidelines&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=KHAaDW0mtselbAUGT7ZnHbyPtl8wQ5INTivF5z0tH7Q%3D&reserved=0> > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahosted.org&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=q63xPyetqfbWfWDOJBcEsGtmEHQJHLXXOhU2zexmfGs%3D&reserved=0> > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.io%2Ffedora-infrastructure&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=M3pf8trBXWnSxzF76B0vowdjBVNBTA7NPwAln4W7aYg%3D&reserved=0> _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org<mailto:freeipa-users-le...@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=jjVtj5d%2Ff21rp5F4PJNQM5XTLLkGVJ%2Bx2nJBm2soHKU%3D&reserved=0> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproject.org%2Fwiki%2FMailing_list_guidelines&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=KHAaDW0mtselbAUGT7ZnHbyPtl8wQ5INTivF5z0tH7Q%3D&reserved=0> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahosted.org&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=q63xPyetqfbWfWDOJBcEsGtmEHQJHLXXOhU2zexmfGs%3D&reserved=0> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.io%2Ffedora-infrastructure&data=04%7C01%7C%7C0b84dd4f0fd541fde04708d9c96d3934%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637762293210033735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=M3pf8trBXWnSxzF76B0vowdjBVNBTA7NPwAln4W7aYg%3D&reserved=0> -- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat -- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
