Hi, to my knowledge IPA's DNS server is Bind. And this server is working as recursive DNS for internal domains.
Question: Can I use this DNS server for recursive DNS requests for external domains, too? If yes, how?
My intention is to send client request to Pi-hole first for DNS filtering; Pi-hole will act as DHCP, too. If IPA's DNS server bind does recurse, then I would have it set as the upstream to Pi-hole. Client --> Pi-hole --> IPA --> Internet
In case IPA's DNS server does not support recursive DNS for external domains, then I would consider adding another service providing recursive DNS only: unbound DNS. Client --> Pi-hole --> IPA --> Unbound --> Internet
We're planning to set it up this way. Going to be switching from our old cobbled together LDAP / etc solution to FreeIPA "Soon" (tm).
Have tested things. You'll have to make some changes from defaults.
First, for any replica that is going to be serving DNS publicly (in our case, only a few will, the rest will not be accessible) you'll want to change them so they can't be used as recursive resolvers by the entire Internet. You'll of course also want to limit the firewall so that only DNS traffic from outside reaches it, ideally. No point being any more exposed than necessary.
In named.conf you'll want to make the following changes:
< allow-recursion { any; };
---
> allow-recursion { internal; };
then somewhere down below (in the 'top' level of configuration, not inside the same section as allow-recursion) add:
acl "internal" {
10.0.0.0/8;
localhost;
localnets;
};
Assuming 10.0.0.0/8 is your internal IP space. Obviously substitute / add IP ranges as needed. You can also rename it so it's something other than 'internal', just make sure the allow-recursion line and the acl name match. This way your own clients can still recursively resolve but the Internet can't.
Second, to make sure you're handing out public IPs for the name servers themselves, you'll want to add extra DNS records for them with the public IPs. i.e. our FreeIPA servers are nominally ipa-11.example.com, ipa-12.example.com, etc, but we added ns11.example.com, ns12.example.com etc correspondingly for the ones that will be externally accessible as A records to the external IPs that correspond with those servers. You'll then remove the default FreeIPA NS records (i.e. 'ipa11.example.com') and add these newly added domains (i.e. 'ns11.example.com') as NS records so that nobody tries to resolve against inaccessible hosts.
Next, in the DNS Zones > (zone) > Settings page, set the Authoritative nameserver to one of the externally accessible names (not entirely sure this matters because the next step ... )
Next, for each externally accessible server, DNS Servers > (server) and change SOA mname override to your externally accessible name (i.e. ' ns11.example.com.' - I believe it should have the trailing dot, that's how we're set up and it worked)
I *think* that was all the steps needed. I initially tested this late last year so I may be missing something from memory and skimming our test instance's configuration.
On Tue, Jan 22, 2019 at 5:17 AM 74cmonty via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
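As an added check that is not from the thread or from FreeIPA: a small Python linter over constructed named.conf fragments that flags the open-resolver setting the reply above replaces (`allow-recursion { any; }`), an allow-recursion entry that names an ACL which is never defined, and an ACL defined after the line that references it (BIND does not allow forward references). It handles the IPv4 and named-ACL forms used in the reply, not keys or nested ACLs.

```python
import re

# Constructed named.conf fragments modelled on the reply above; not FreeIPA's real file.
OPEN_RESOLVER = """
options {
    allow-recursion { any; };
};
"""

RESTRICTED = """
acl "internal" {
    10.0.0.0/8;
    localhost;
    localnets;
};
options {
    allow-recursion { internal; };
};
"""

BUILTIN = {"any", "none", "localhost", "localnets"}
# IPv4/IPv6 literal, optional prefix length, optional '!' negation.
ADDR = re.compile(r"^!?[0-9a-fA-F.:]+(/\d+)?$")


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def acl_definitions(text):
    """Return {name: offset of the acl statement} for every top-level acl."""
    return {m.group(1): m.start()
            for m in re.finditer(r'(?m)^\s*acl\s+"?([\w-]+)"?\s*\{', text)}


def audit(text):
    """List recursion-related problems found in a named.conf fragment."""
    text = strip_comments(text)
    acls = acl_definitions(text)
    problems = []
    for m in re.finditer(r"allow-recursion\s*\{([^}]*)\}\s*;", text):
        for elem in (e.strip() for e in m.group(1).split(";") if e.strip()):
            if elem == "any":
                problems.append("allow-recursion includes 'any': open resolver")
            elif ADDR.match(elem) or elem in BUILTIN:
                continue
            elif elem not in acls:
                problems.append(f"allow-recursion references undefined acl '{elem}'")
            elif acls[elem] > m.start():
                # BIND requires an acl to be defined before it is referenced.
                problems.append(f"acl '{elem}' is defined after it is referenced")
    return problems
```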
Hm... I think my question was not clear, therefore I'll try to repeat it with a better description.
Therefore I simply take an example from Pi-hole directly: "Pi-hole as All-Around DNS Solution" (https://docs.pi-hole.net/guides/unbound/). This means that basically this procedure should work with Pi-hole + FreeIPA.
1. My client asks the Pi-hole: Who is pi-hole.net? (or any other external domain)
2. My Pi-hole will check its cache and reply if the answer is already known.
3. My Pi-hole will check the blocking lists and reply if the domain is blocked.
4. Since neither 2. nor 3. is true in our example, the Pi-hole delegates the request to the (local) recursive DNS resolver.
5. My recursive server will send a query to the DNS root servers: "Who is handling .net?"
6. The root server answers with a referral to the TLD servers for .net.
7. My recursive server will send a query to one of the TLD DNS servers for .net: "Who is handling pi-hole.net?"
8. The TLD server answers with a referral to the authoritative name servers for pi-hole.net.
9. My recursive server will send a query to the authoritative name servers: "What is the IP of pi-hole.net?"
10. The authoritative server will answer with the IP address of the domain pi-hole.net.
11. My recursive server will send the reply to your Pi-hole which will, in turn, reply to your client and tell it the answer of its request.
12. Lastly, your Pi-hole will save the answer in its cache to be able to respond faster if any of your clients queries the same domain again.
So, based on this procedure, can I use FreeIPA's DNS server "bind" as recursive server for Pi-hole?
THX
Yes. I thought you were asking about hosting publicly resolvable DNS zones (i.e. example.com vs something that resolves internally only).
Out of the box, FreeIPA defaults to recursive lookups. So just point the Pi-holes to your FreeIPA server(s) for recursion and everything should just work, without any extra steps.
On Thu, Jan 24, 2019 at 10:31 AM 74cmonty via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: