So I was having a DNS mess the other day and decided to clean it up.
Before, I was running Unbound on pfSense which then had a domain override to
the IPA box. It would forward all queries and IPA-wise all was well.
Problem was that the domain was also used for a bunch of other things, like the
outside world, and DHCP leases, because I want to be able to FQDN my machines
and VM’s.
At first, I thought I could somehow make a weird multi-master setup, or have
Unbound rewrite queries or selectively forward or ignore the authoritative
status of DNS servers, but
that’s a rather nasty hackish way to attempt to fix things, so I went for the
option to have DHCPd feed it’s leases and updates to BIND, and make Unbound the
2nd DNS server in case of an IPA meltdown.
This turned out to be not-so-easy as you can’t use GSSAPI on the pfSense box
and the IPA interface doesn’t allow you to create keys just like that.
Solution? Manual edits!
Now, I’m not sure if they will be preserved, but since I was using SaltStack to
manage pretty much everything config-wise, I just make sure it keeps my
settings around.
Here is how to configure things:
BIND-side:
1. Open /etc/named.conf in a root editor
2. Insert a key like this:
key "dhcp-key" {
algorithm hmac-md5;
secret “base64_string_here=";
};
Where the string “dhcp-key” can be anything, but you should remember what you
put in there.
The Secret is a base64 string, if you are slightly clueless about that, use:
echo “yoursecrethere” | base64
and you will get your base64 string. Stick it in between the quotes and you’re
good.
3. Next, log in to the IPA UI and go to the Zone you’d like to have DHCP
dynamically push to.
4. Click settings and turn on “Dynamic update” if it’s not on already
5. Add an update policy, in this format:
grant dhcp-key wildcard * ANY;
This is rather insecure as you give anything that authenticates using the key
called “dhcp-key” full update rights for all types on that zone.
So if you want to restrict it, do so as you please. I believe it at least wants
A and AAAA records and probably TXT.
6. Click the update button and you are all set on this end. Note: if you want
to have reverse lookups as well, you have to repeat step 5 for the reverse zone
too!
pfSense-side:
1. In pfSense, go to the DHCP server page
2. Enable "Enable registration of DHCP client names in DNS.”
3. Enter the domain name of the zone you configured in IPA for dynamic updates
4. Enter the required fields (IP of the IPA server, the name (which is dhcp-key
in this example) and the base64 string you generated
5. Press save and you’re good!
A few extra’s:
- You could add IPA as an NTP server here as well
- You should add the IPA server as the 1st DNS server
- You can add pfSense as the 2nd DNS server if you like
Please remember that at this point no DNS-related stuff on pfSense is used
anymore as all clients will talk to IPA for their DNS needs from now on.
If all you need is the one domain name, for example, if you use a unique domain
just for internal IPA use, you’re better off using the domain override.
I hope this helps someone, and might work as a basis for more robust and secure
configuration, as this is something I just came up with today in a test
environment.
John
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
