We did this for a while and I wouldn't recommend it. Our servers eventually started being attacked and even though we weren't answering the queries, it still put a significant additional load and impacted legitimate users. We set up separate authoritative DNS servers that get the records from IPA, so there is a very small delay in updates (IPA doesn't support DNS NOTIFY), but any issues with the authoritative servers do not impact internal users - we use PowerDNS with a LUA script that updates the values of the SOA record and NS records. If you still want to publicly expose IPA, you might want to look into fail2ban or similar programs to block abusive connections.
- Y Sent from a device with a very small keyboard and hyperactive autocorrect. On Sat, Mar 11, 2023, 8:57 AM Francis Augusto Medeiros-Logeay via FreeIPA-users <[email protected]> wrote: > Hi, > > I am considering using my current FreeIPA set-up - which has only .local > domains, to be authoritative for a domain name. Therefore, I might open > the port 53 to allow external queries. > > Is it a reasonable ok thing to do? And is there a way to use ACL's to > block queries that are not for that publicly-resoveable domain name? > > Best, > Francis > > -- > Francis Augusto Medeiros-Logeay > Oslo, Norway > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
