We did this for a while and I wouldn't recommend it. Our servers eventually
started being attacked and even though we weren't answering the queries, it
still put a significant additional load and impacted legitimate users. We
set up separate authoritative DNS servers that get the records from IPA, so
there is a very small delay in updates (IPA doesn't support DNS NOTIFY),
but any issues with the authoritative servers do not impact internal users
- we use PowerDNS with a LUA script that updates the values of the SOA
record and NS records. If you still want to publicly expose IPA, you might
want to look into fail2ban or similar programs to block abusive connections.
- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.
On Sat, Mar 11, 2023, 8:57 AM Francis Augusto Medeiros-Logeay via
FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
I am considering using my current FreeIPA set-up - which has only .local
domains, to be authoritative for a domain name. Therefore, I might open
the port 53 to allow external queries.
Is it a reasonable ok thing to do? And is there a way to use ACL's to
block queries that are not for that publicly-resoveable domain name?
Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue