What I would do is perhaps replicate the zones onto dedicated DNS
servers (not FreeIPA), or run a "split-brain" DNS which has dedicated
DNS servers that have a smaller subset of records that are exposed to the
Internet.
-Mike
On 11/22/2017 4:21 AM, James Swineson via FreeIPA-users wrote:
Hi,
I'm planning a fresh FreeIPA installation across multiple datacenters
and offices. Concerned about the risk of DNS DDoS, I wanted to put
most nodes in a mesh VPN so they can replicate without exposing ports
to the Internet. However, I still need some services over the Internet. So can
I set up every node using only IP addresses defined in the VPN, but leave
some nodes open on the Internet? Will it work? Is there any hostname-based
check? And if it works, do I need to set up 2 completely different
sets of DNS records used in the LAN and WAN?
Thanks,
James Swineson
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
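The "split-brain" layout Mike describes, as an added illustration that is not part of the thread and not FreeIPA's own DNS configuration: a dedicated BIND server with two views, one answering VPN clients with the full zone (including the SRV records IPA clients look up), the other answering the Internet with a reduced public subset. The VPN range 10.0.0.0/8, the zone example.com, the host names and the addresses are all assumed placeholders.

```conf
// ---- named.conf excerpt (added example; addresses and names are assumed) ----
acl "vpn" { 10.0.0.0/8; };                       // assumed mesh-VPN address range

options {
    directory "/var/named";
    allow-transfer { none; };                    // no zone transfers to anyone by default
    rate-limit { responses-per-second 10; };     // BIND response rate limiting, limits amplification abuse
};

// Queries arriving over the VPN (or from the box itself) see the full internal zone.
view "internal" {
    match-clients { "vpn"; localhost; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        allow-transfer { "vpn"; };               // only VPN replicas may pull the full zone
    };
};

// Everyone else matches this view and only ever sees the reduced public zone.
view "external" {
    match-clients { any; };
    recursion no;                                // authoritative only on the Internet side
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};

// ---- internal/example.com.zone (full zone, VPN-only) ----
// $TTL 300
// @   IN SOA ns1.example.com. hostmaster.example.com. ( 2017112201 3600 900 1209600 300 )
//     IN NS  ns1.example.com.
// ns1            IN A   10.0.1.53
// ipa1           IN A   10.0.1.10
// ipa2           IN A   10.0.2.10
// _ldap._tcp     IN SRV 0 100 389 ipa1.example.com.
// _ldap._tcp     IN SRV 0 100 389 ipa2.example.com.
// _kerberos._tcp IN SRV 0 100 88  ipa1.example.com.
// _kerberos._udp IN SRV 0 100 88  ipa1.example.com.
// _kerberos      IN TXT "EXAMPLE.COM"

// ---- external/example.com.zone (public subset only) ----
// $TTL 300
// @   IN SOA ns1.example.com. hostmaster.example.com. ( 2017112201 3600 900 1209600 300 )
//     IN NS  ns1.example.com.
// ns1 IN A 203.0.113.53
// www IN A 203.0.113.80
```

The two zone files are shown as comments only so the whole illustration fits in one block; in practice they are separate files under the named directory. The external file deliberately carries no IPA host or SRV records, so an Internet client cannot discover replica addresses through DNS, while VPN-attached hosts still resolve everything they need for enrollment and Kerberos. Check the split from both sides after loading it, for example `dig @ns1 _ldap._tcp.example.com SRV` from a VPN host (expect answers) and from an outside host (expect NODATA).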