We did this for a while and I wouldn't recommend it. Our servers eventually started being attacked and even though we weren't answering the queries, it still put a significant additional load and impacted legitimate users. We set up separate authoritative DNS servers that get the records from IPA, so there is a very small delay in updates (IPA doesn't support DNS NOTIFY), but any issues with the authoritative servers do not impact internal users - we use PowerDNS with a LUA script that updates the values of the SOA record and NS records. If you still want to publicly expose IPA, you might want to look into fail2ban or similar programs to block abusive connections.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Sat, Mar 11, 2023, 8:57 AM Francis Augusto Medeiros-Logeay via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hi,

I am considering using my current FreeIPA set-up - which has only .local
domains, to be authoritative for a domain name. Therefore, I might open
the port 53 to allow external queries.

Is it a reasonable ok thing to do? And is there a way to use ACL's to
block queries that are not for that publicly-resoveable domain name?

Best,
Francis

--
Francis Augusto Medeiros-Logeay
Oslo, Norway
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue