Hi Ian,

Thanks for this. This actually comes back to my first suggestion; however, I was wanting to hide that private IP nameserver information from public view (infosec teams would not be happy otherwise), and so I had wondered about using a DNS view to only allow the external IPs of my internal DNS servers to see the int.angusclarke.com delegation on my public DNS servers. I'm not sure if this is possible with glue records and suspect that the DNS software in use (bind, nsd etc.) probably has a bearing on that too.
I found this in my bookmarks ... it's a bit old, but one of the options M$ were recommending at this point in time was to not configure any delegation information in your public DNS at all; rather, just configure your in-house DNS recursor to forward requests for ipa.angusclarke.com to the internal DNS server that handles that namespace.

https://docs.microsoft.com/en-gb/previous-versions/windows/it-pro/windows-server-2003/cc772970(v=ws.10) (see points 1. and 2. specifically)

Delegating the subdomain from public DNS seems the more elegant (more correct?) option; however, the split view (or something) needs to be working to hide your delegation information from public view (infosec would insist). Simply redirecting your internal DNS for a subdomain seems easier but probably isn't "the correct" way.

I wonder how Rafael has his DNS configured for making use of private subdomains, as mentioned here:

> I have a (few) registered domain(s), which I use both as a public
> facing server (static, github pages), and within my private network,
> which no one from outside can see, I have a subdomain (ipa) which
> I use for managing my users and hosts.

Cheers
Angus

From: Ian Willis <fed...@checksum.net.au>
Sent: 28 December 2021 01:55
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Rafael Jeffman <rjeff...@redhat.com>; Peter Larsen <pe...@peterlarsen.org>
Cc: Dave Mintz <davemint...@gmail.com>; Angus Clarke <an...@charworth.com>
Subject: Re: [Freeipa-users] Re: DNS and FreeIPA

Hi Angus,

Just be aware that maintaining parallel records is an overhead in the longer term, as it's a manual process of keeping things in sync. Delegation is a simpler, more natural solution in general. Your public DNS servers can delegate to an internal DNS domain and then you'll only have the internal addresses of your DNS servers in the public domain.
For example, angusclark.com has public nameservers a.b.c.d and a.b.c.e which delegate int.angusclark.com to internal FreeIPA nameservers ipa1.int.angusclark.com 10.10.10.10 and ipa2.int.angusclark.com 10.10.10.11 using glue records on the public servers. Then you just follow the bouncing ball for setting up FreeIPA with integrated DNS.

Outbound name resolution would use the FreeIPA servers, which would forward to a convenient resolver, or you do resolution via the root nameservers, which is probably a more secure solution.

-----Original Message-----
From: Angus Clarke via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
To: Rafael Jeffman <rjeff...@redhat.com>, Peter Larsen <pe...@peterlarsen.org>
Cc: Dave Mintz <davemint...@gmail.com>, FreeIPA users list <freeipa-users@lists.fedorahosted.org>, Angus Clarke <an...@charworth.com>
Subject: [Freeipa-users] Re: DNS and FreeIPA
Date: Mon, 27 Dec 2021 23:26:31 +0000

Thanks for your replies, I think I need to focus on internal resolver configuration and less on public subdomain delegation.
Cheers
Angus

________________________________
From: Rafael Jeffman <rjeff...@redhat.com>
Sent: Monday, 27 December 2021, 11:11 pm
To: Peter Larsen
Cc: Angus Clarke; FreeIPA users list; Dave Mintz
Subject: Re: [Freeipa-users] Re: DNS and FreeIPA

Hello Angus,

Besides what Peter has written, let's get this warning from the FreeIPA site [1]:

> **Avoid name collisions**
> We strongly recommend that you do not use a domain name that is not
> delegated to you, even on a private network. For example, you should
> not use domain name company.int if you don't have valid delegation for
> it in public DNS tree.

As you can see, it is similar to what was on the Red Hat documentation you mentioned before. This first part of the warning says that you should not configure your domain name with some "random" name if you don't own the domain.
For example, you should not use "cisco.com", "google.com" or "redhat.com", even if your network is a private one. Note that, if it is a private network, you "could" do it, but you shouldn't do it. Why? The answer is in the warning itself:

> If this rule is not respected, the domain name will be resolved differently
> depending on the network configuration. As a result, network resources
> will become unavailable.
> Using domain names that are not delegated to
> you also makes DNSSEC more difficult to deploy and maintain. For
> further information about this issue please see the ICANN FAQ on
> domain name collisions.
Imagine you try to access Google search and your private network uses 'google.com' as the domain. You would probably be redirected to an internal server, instead of Google's search engine. (I'll not even get into DNSSEC issues.)

So, you find everywhere about "a domain that is delegated to you"; well, that domain is any domain you have registered (e.g.: angusclark.com). Even if your domain has nameservers which are probably not under your control (and controlled by whom you registered your domain with), you have control over your domain, and as such, you can create subdomains on your private network that will not collide with any other domain (say, ipa.angusclark.com). If you manage this domain from your internal FreeIPA servers, there will be no name collision.
I have a (few) registered domain(s), which I use both as a public facing server (static, github pages), and within my private network, which no one from outside can see, I have a subdomain (ipa) which I use for managing my users and hosts.

Regards,
Rafael

[1]: https://www.freeipa.org/page/Deployment_Recommendations

On Mon, Dec 27, 2021 at 6:08 PM Peter Larsen <pe...@peterlarsen.org> wrote:

On 12/27/21 15:27, Angus Clarke wrote:
> Ok let's try this:
>
> I've just registered angusclarke.com with a public DNS provider and am
> ready to deploy FreeIPA for my corporate network which uses a private
> IP space. How do I do this?

This is where things get odd for me. Why are you registering a TLD for a private DNS server? That makes no sense. Public domain servers require public access by definition. Otherwise they don't work.
> According to this
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-configure_host_names#sec-Recommended_Naming_Practices
>
> then I should have a domain delegated to me, but I am not a public DNS
> provider,

Which means you shouldn't register a domain. Just add the domain to FreeIPA and have your clients use your FreeIPA DNS server(s). Done. All free!

> I'm just Angus Clarke ... Nor do I want my private IP space available
> to be looked up in a public DNS record

You don't. You cannot blow and have flour in your mouth at the same time. When you register a domain you MUST provide public NS servers which are authoritative for that domain, which anyone querying your domain will be forwarded to. By definition they HAVE to be public. You can absolutely expose your FreeIPA name servers to the public, but it's a whole other issue if you want to, as the configuration and security gets a bit convoluted - but it can be done.

> ... And I'd rather have my private IP records handled by my internal
> DNS system - all of this is standard practice for companies and
> individuals; however I don't think this topic is suitably addressed in
> the Red Hat documentation - I see a disconnect in the recommendation
> pasted above vs the installation documentation for FreeIPA.

For internal ONLY domains there is absolutely NO NEED to register a domain with a public DNS service.
You can even pretend to be "cisco.com" or other addresses and your clients will happily use your DNS server (well, if DNSSEC is on it may not be that simple) instead of Cisco's. Public domains are for public access only. Your own network is your own domain (sic) and you can do what you want, without having to register anything.

>
> Maybe I've missed it, maybe I can promote the topic here and it can be
> championed in the right direction, maybe I can even help on the topic
> myself.

You're making it a lot harder. Just install FreeIPA, configure DNS and add your domain. Set your DHCP server to use your FreeIPA server's IP as the DNS server address for the clients, renew the DHCP leases and voila, they're using that domain you just defined, internally only, resolving to internal addresses etc.
--
Regards
Peter Larsen

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
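The two options discussed in the thread (a view on the public authoritative servers that shows the int.angusclarke.com delegation and its glue only to the internal resolvers, versus no public delegation at all and a forward zone on the in-house recursor) written out as BIND 9 named.conf fragments. This is an added example, not configuration posted by anyone in the thread or shipped by FreeIPA. The addresses 203.0.113.10 and 203.0.113.11 (the internet-facing addresses the internal resolvers query from), the zone file paths and the view names are assumptions; 10.10.10.10 and 10.10.10.11 follow Ian's example.

```conf
# Option A: split view on the PUBLIC authoritative servers for angusclarke.com.
# Only queries arriving from the internal resolvers' external addresses are
# answered from the zone copy that carries the delegation and its glue.
# 203.0.113.10/11 are placeholder (documentation-range) addresses, an assumption.
acl internal-resolvers { 203.0.113.10; 203.0.113.11; };

view "delegating" {
    match-clients { internal-resolvers; };
    recursion no;
    zone "angusclarke.com" {
        type master;
        # Same content as the public zone file plus:
        #   int.angusclarke.com.       IN NS ipa1.int.angusclarke.com.
        #   int.angusclarke.com.       IN NS ipa2.int.angusclarke.com.
        #   ipa1.int.angusclarke.com.  IN A  10.10.10.10   ; glue
        #   ipa2.int.angusclarke.com.  IN A  10.10.10.11   ; glue
        file "/etc/bind/zones/angusclarke.com.internal";   # assumed path
    };
};

view "public" {
    match-clients { any; };
    recursion no;
    zone "angusclarke.com" {
        type master;
        # No NS or glue records for int.angusclarke.com here, so the
        # RFC 1918 addresses never appear in answers to the internet.
        file "/etc/bind/zones/angusclarke.com.public";     # assumed path
    };
};

# Option B: nothing about the subdomain in public DNS; this goes in named.conf
# on the INTERNAL recursor and sends the subdomain straight to the FreeIPA
# servers (the forwarding approach from the Microsoft article).
zone "int.angusclarke.com" {
    type forward;
    forward only;
    forwarders { 10.10.10.10; 10.10.10.11; };
};
```

Two things to check after deploying either option. From outside the network, an NS query for int.angusclarke.com against the public servers must return NXDOMAIN and no glue; from an internal resolver the delegation (Option A) or the forwarded answer (Option B) must resolve. The view in Option A matches on the query's source address, so it only works if the internal resolvers always leave through the listed addresses, and the two zone copies have to be kept in step by hand (or built from a shared $INCLUDE). If angusclarke.com is DNSSEC-signed, two differing copies of the zone complicate signing, and in Option B a validating recursor has to be told the unsigned internal subdomain is expected (BIND's validate-except or a negative trust anchor are the usual tools).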