So I was having a DNS mess the other day and decided to clean it up.
Before, I was running Unbound on pfSense which then had a domain override to 
the IPA box. It would forward all queries and IPA-wise all was well.
Problem was that the domain was also used for a bunch of other things, like the 
outside world, and DHCP leases, because I want to be able to FQDN my machines 
and VM’s.

At first, I thought I could somehow make a weird multi-master setup, or have 
Unbound rewrite queries or selectively forward or ignore the authoritative 
status of DNS servers, but
that’s a rather nasty hackish way to attempt to fix things, so I went for the 
option to have DHCPd feed it’s leases and updates to BIND, and make Unbound the 
2nd DNS server in case of an IPA meltdown.

This turned out to be not-so-easy as you can’t use GSSAPI on the pfSense box 
and the IPA interface doesn’t allow you to create keys just like that. 
Solution? Manual edits!
Now, I’m not sure if they will be preserved, but since I was using SaltStack to 
manage pretty much everything config-wise, I just make sure it keeps my 
settings around.

Here is how to configure things:


1. Open /etc/named.conf in a root editor
2. Insert a key like this:

key "dhcp-key" {
   algorithm   hmac-md5;
   secret       “base64_string_here=";

Where the string “dhcp-key” can be anything, but you should remember what you 
put in there.
The Secret is a base64 string, if you are slightly clueless about that, use: 
echo “yoursecrethere” | base64
and you will get your base64 string. Stick it in between the quotes and you’re 

3. Next, log in to the IPA UI and go to the Zone you’d like to have DHCP 
dynamically push to.
4. Click settings and turn on “Dynamic update” if it’s not on already
5. Add an update policy, in this format:

grant dhcp-key wildcard * ANY;

This is rather insecure as you give anything that authenticates using the key 
called “dhcp-key” full update rights for all types on that zone.
So if you want to restrict it, do so as you please. I believe it at least wants 
A and AAAA records and probably TXT.

6. Click the update button and you are all set on this end. Note: if you want 
to have reverse lookups as well, you have to repeat step 5 for the reverse zone 


1. In pfSense, go to the DHCP server page
2. Enable "Enable registration of DHCP client names in DNS.”
3. Enter the domain name of the zone you configured in IPA for dynamic updates
4. Enter the required fields (IP of the IPA server, the name (which is dhcp-key 
in this example) and the base64 string you generated
5. Press save and you’re good!

A few extra’s:

- You could add IPA as an NTP server here as well
- You should add the IPA server as the 1st DNS server
- You can add pfSense as the 2nd DNS server if you like

Please remember that at this point no DNS-related stuff on pfSense is used 
anymore as all clients will talk to IPA for their DNS needs from now on.
If all you need is the one domain name, for example, if you use a unique domain 
just for internal IPA use, you’re better off using the domain override.

I hope this helps someone, and might work as a basis for more robust and secure 
configuration, as this is something I just came up with today in a test 


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to