James,

IMHO, I would not expose the FreeIPA hosts to Internet traffic, but rather keep them behind the firewall.  Then set up dedicated DNS servers that allow traffic from the Internet and set them up to do a zone copy or run a split-brain DNS (internal/external). Internal being the FreeIPA servers, external being the dedicated DNS servers.


-Mike
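Mike's split-brain suggestion, worked through as an added example (not code from this thread or from the FreeIPA project): a small Python script that derives the Internet-facing zone from the full internal zone, keeping only an allow-listed set of owner names, dropping any record that carries a VPN/RFC 1918 address, dropping CNAMEs whose target stays internal, and replacing the apex SOA/NS with the dedicated external servers. The `example.test` zone, the `10.8.0.0/16` VPN addresses, the publish policy in `PUBLIC_NAMES` and the `ns1`/`ns2.dns-provider.example` servers are all constructed assumptions, and `parse_zone` handles only the one-line-per-record format used here.

```python
"""Split-brain DNS helper: derive the Internet-facing zone from the full internal
zone FreeIPA serves.  Added example; names, addresses and zone content are constructed."""
import ipaddress
from dataclasses import dataclass

ORIGIN = "example.test"                                     # hypothetical zone
# Address ranges that exist only inside the VPN/LAN (assumed: RFC 1918 + ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
PUBLIC_NAMES = {"@", "www", "mail", "intranet", "ipa-ca"}     # assumed publish policy
EXTERNAL_NS = ["ns1.dns-provider.example.", "ns2.dns-provider.example."]  # hypothetical

# Constructed internal zone in the shape FreeIPA's integrated DNS publishes:
# IPA hosts on VPN addresses plus Kerberos/LDAP service-discovery records.
INTERNAL_ZONE = """\
$ORIGIN example.test.
@              IN SOA   ipa1.example.test. hostmaster.example.test. (2017112201 3600 900 1209600 3600)
@              IN NS    ipa1.example.test.
ipa1           IN A     10.8.0.11
ipa-ca         IN A     10.8.0.11
_kerberos._tcp IN SRV   0 100 88 ipa1.example.test.
_ldap._tcp     IN SRV   0 100 389 ipa1.example.test.
www            IN A     203.0.113.10
mail           IN A     203.0.113.25
@              IN MX    10 mail.example.test.
intranet       IN CNAME ipa1.example.test.
"""

@dataclass(frozen=True)
class Record:
    name: str    # owner name relative to the origin, "@" for the apex
    rtype: str
    rdata: str   # everything after the type, kept as one string

def parse_zone(text):
    """Parse the one-record-per-line subset used above; skips $ORIGIN/$TTL and comments."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "$;":
            continue
        name, _klass, rtype, rdata = line.split(None, 3)
        records.append(Record(name, rtype.upper(), rdata))
    return records

def is_internal_address(token):
    """True if token is an IP address inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False                      # a name or a number, not an address
    return any(addr in net for net in INTERNAL_NETS)

def relative_name(fqdn, origin):
    """'ipa1.example.test.' -> 'ipa1'; None if the name is outside the zone."""
    name, suffix = fqdn.rstrip("."), "." + origin
    return name[:-len(suffix)] if name.endswith(suffix) else None

def export_external(records, public_names, external_ns, origin):
    """Keep only allow-listed owner names, drop records carrying an internal address,
    replace the apex SOA/NS with the external servers, keep CNAMEs only if published."""
    soa, body = None, []
    for r in records:
        if r.name not in public_names or r.rtype == "CNAME":
            continue
        if r.rtype == "SOA":
            _mname, rest = r.rdata.split(None, 1)
            soa = Record("@", "SOA", f"{external_ns[0]} {rest}")  # MNAME -> external primary
        elif r.rtype == "NS" and r.name == "@":
            continue                                              # replaced below
        elif not any(is_internal_address(tok) for tok in r.rdata.split()):
            body.append(r)
    out = [soa] + [Record("@", "NS", ns) for ns in external_ns] + body
    published = {r.name for r in out}
    for r in records:                     # a dangling CNAME would reveal an internal host name
        if r.rtype == "CNAME" and r.name in public_names and relative_name(r.rdata, origin) in published:
            out.append(r)
    return out

def audit_external(records, origin):
    """Findings for records that must not be in an Internet-facing zone: internal
    addresses, service-discovery (_kerberos, _ldap, ...) names, unpublished targets."""
    findings, defined = [], {r.name for r in records}
    for r in records:
        if r.name.startswith("_"):
            findings.append(f"{r.name} {r.rtype}: service-discovery record exposed")
        findings += [f"{r.name} {r.rtype}: internal address {tok}"
                     for tok in r.rdata.split() if is_internal_address(tok)]
        if r.rtype in ("CNAME", "MX", "SRV", "NS"):
            target = relative_name(r.rdata.split()[-1], origin)
            if target is not None and target not in defined:
                findings.append(f"{r.name} {r.rtype}: points at unpublished name {target}")
    return findings

if __name__ == "__main__":
    internal = parse_zone(INTERNAL_ZONE)
    external = export_external(internal, PUBLIC_NAMES, EXTERNAL_NS, ORIGIN)
    for r in external:
        print(f"{r.name:<10} IN {r.rtype:<6} {r.rdata}")
    print("internal zone served as-is would leak:", audit_external(internal, ORIGIN))
```

Running the script prints the six records the external servers would carry (the IPA hosts, `ipa-ca` and the `_kerberos`/`_ldap` SRV records never reach it, and the `intranet` alias is dropped because its target is internal), and `audit_external` is the check to run over whatever zone the external servers actually load before it goes live. The script only expresses the filtering policy; the real transport (a zone transfer from FreeIPA to the external servers, or separate views on the external servers) is a separate configuration step.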


On 11/22/2017 9:51 AM, James Swineson via FreeIPA-users wrote:
Thanks. So I guess it is assumed safe to expose FreeIPA to the Internet? This would make everything easier.

2017-11-22 22:42 GMT+08:00 Michael ORourke via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:

    What I would do is perhaps replicate the zones onto dedicated DNS
    servers (not FreeIPA), or run a "split-brain" DNS which has
    dedicated DNS servers that have a smaller subset of records that
    are exposed to the Internet.

    -Mike


    On 11/22/2017 4:21 AM, James Swineson via FreeIPA-users wrote:
    Hi,

    I'm planning a FreeIPA fresh installation across multiple
    datacenters and offices. Concerned about the risk of DNS DDoS, I
    wanted to put most nodes in a mesh VPN so they can replicate
    without exposing ports to the Internet. However, I still need some
    services over the Internet. So can I set up every node just using IP
    addresses defined in the VPN, but leave some nodes open on the Internet?
    Will it work? Is there any hostname-based check? And if it works,
    do I need to set up 2 completely different sets of DNS records
    used in the LAN and WAN?

    Thanks,
    James Swineson


    _______________________________________________
    FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
    To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org





