Hi Peter,

Thank you so much! Could you please elaborate on how to configure the FreeIPA DNS server to forward only non-local-domain queries?

In the DNS Global Configuration there is the Forward policy setting with these options:

  - Forward first
  - Forward only
  - Forwarding disabled

Which one should be used to do what you say below? Do I need to set a Global forwarder?

Best,
Dave

> On Dec 26, 2021, at 10:00 PM, Peter Larsen via FreeIPA-users
> <[email protected]> wrote:
>
> On Sun, 2021-12-26 at 14:16 -0500, Dave Mintz via FreeIPA-users wrote:
>> Hello,
>> I have been trying to set up FreeIPA on an internal CentOS 8 server.
>> I was successful in getting it running, I set up DNS for internal
>> queries. It worked. However, when I tried to set up SSL certs I ran
>> into an issue.
>>
>> My question is this:
>> I own a legitimate domain.
>> It is not "hosted".
>> I have no intention of exposing any of my internal servers to the
>> Internet.
>> How do I go about configuring the DNS at my registrar so that when I
>> configure my internal servers, including FreeIPA, DNS, SSL, email,
>> etc., any requests that go out to the Internet will resolve
>> correctly?
>>
>> Any help or pointers to documentation would be greatly appreciated.
>
> I have FreeIPA with DNS over several replication instances running. The
> domains are like yours, mostly internal and not to resolve externally.
> Without a lot of boring details, you do not need to register your TLD
> if you just use the domain internally. As long as the resolver your
> internal hosts point to is your authoritative DNS server that FreeIPA
> manages, the clients will get responses as they need.
>
> This requires your server not to just blindly forward all DNS
> externally. I have forwarding turned off on my domains. This means when a
> client requests a public DNS address, the bind server managed by
> FreeIPA will do an NS lookup to see where the request needs to be sent.
> It's not 1.1.1.1 or similar services doing that. Works great for a
> small network where your domain is 100% internal.
>
> You can have an external NS too and they can provide very different
> answers. Perhaps you just want MX to resolve externally but an ocean of
> internal addresses should not. If someone outside your network tries to
> resolve an address, they will hit the external resolver (not managed by
> FreeIPA!) and only resolve what it knows about.
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
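The three Forward policy options Dave asks about map to the values that `ipa dnsconfig-mod --forward-policy` accepts (`first`, `only`, `none`) and can also be set per zone with `ipa dnszone-mod`. The following is an added illustration, not FreeIPA or BIND code: a small model of how a server that is authoritative for an internal zone decides where a query goes under each policy. The zone names, forwarder address and `ZoneConfig`/`ResolverConfig` types are constructed for the example. It shows the point Peter makes: queries for a zone the server is authoritative for are answered locally under every policy, and with forwarding disabled the server resolves public names itself via iterative lookup, so no global forwarder is needed.

```python
"""Model of where a BIND/FreeIPA-managed resolver sends a query.

Added illustration (not FreeIPA's or BIND's own logic). Assumptions:
- the server is authoritative for every zone marked authoritative=True;
- the global forward policy is one of "none" (forwarding disabled),
  "first" (forward first) or "only" (forward only);
- a zone may override the global policy; zones inherit otherwise.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "first", "only")


@dataclass
class ZoneConfig:
    name: str
    authoritative: bool = True
    forward_policy: Optional[str] = None  # None means inherit the global policy


@dataclass
class ResolverConfig:
    forward_policy: str = "none"
    forwarders: List[str] = field(default_factory=list)
    zones: Dict[str, ZoneConfig] = field(default_factory=dict)

    def add_zone(self, zone: ZoneConfig) -> None:
        self.zones[zone.name.rstrip(".").lower()] = zone


def matching_zone(cfg: ResolverConfig, qname: str) -> Optional[ZoneConfig]:
    """Longest-suffix match of the query name against configured zones."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cfg.zones:
            return cfg.zones[candidate]
    return None


def resolution_path(cfg: ResolverConfig, qname: str) -> List[str]:
    """Return the ordered list of places the server consults for qname.

    "authoritative"  - answered from local zone data, never leaves the server
    "forward:<ip>"   - sent to that forwarder
    "recursive"      - iterative lookup starting from the root hints
    """
    zone = matching_zone(cfg, qname)
    if zone is not None and zone.authoritative:
        return ["authoritative"]

    policy = zone.forward_policy if (zone and zone.forward_policy) else cfg.forward_policy
    if policy not in VALID_POLICIES:
        raise ValueError("unknown forward policy: %r" % policy)

    if policy == "none":
        # Forwarding disabled: forwarders are ignored, server recurses itself.
        return ["recursive"]
    if not cfg.forwarders:
        raise ValueError("policy %r requires at least one forwarder" % policy)

    forwarded = ["forward:" + ip for ip in cfg.forwarders]
    if policy == "only":
        return forwarded
    return forwarded + ["recursive"]  # "first": fall back to recursion


def names_leaving_server(cfg: ResolverConfig, names: List[str]) -> List[str]:
    """Names whose lookup would be sent to an external forwarder."""
    return [n for n in names
            if any(step.startswith("forward:") for step in resolution_path(cfg, n))]


def example_config(policy: str, forwarders: Optional[List[str]] = None) -> ResolverConfig:
    # Constructed sample: authoritative for an internal zone only.
    cfg = ResolverConfig(forward_policy=policy, forwarders=forwarders or [])
    cfg.add_zone(ZoneConfig("corp.example"))
    return cfg


if __name__ == "__main__":
    for policy, fwd in (("none", []), ("first", ["192.0.2.53"]), ("only", ["192.0.2.53"])):
        cfg = example_config(policy, fwd)
        for name in ("ipa.corp.example.", "www.example.org."):
            print(policy, name, resolution_path(cfg, name))
```

Under `none` the internal name is answered authoritatively and the public name is resolved by recursion; under `first` or `only` the public name goes to the forwarder, while the internal zone still never leaves the server. The model deliberately omits per-zone forwarders and forward zones (`ipa dnsforwardzone-*`), which FreeIPA also supports.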
