We did this for a while and I wouldn't recommend it. Our servers eventually started being attacked and even though we weren't answering the queries, it still put a significant additional load and impacted legitimate users. We set up separate authoritative DNS servers that get the records from IPA, so there is a very small delay in updates (IPA doesn't support DNS NOTIFY), but any issues with the authoritative servers do not impact internal users - we use PowerDNS with a LUA script that updates the values of the SOA record and NS records. If you still want to publicly expose IPA, you might want to look into fail2ban or similar programs to block abusive connections.
- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.