Dear list,
I'm thinking of making our border devices our primary port of call for DNS, and setting them to forward to FreeIPA. I found an inconclusive thread saying that this might break dyndns for my otherwise happy IPA clients. Does dyndns working rely upon clients having IPA servers set up as their DNS server? I couldn't see an sssd option of "send updates here (only use this NIC)".
I am hoping to avoid having to use the route of getting DHCP to update DNS instead!
Thanks as always,
David
On 11/07/2024 14:36, David Harvey via FreeIPA-users wrote:
> Dear list,
> I'm thinking of making our border devices our primary port of call for DNS, and setting them to forward to FreeIPA. I found an inconclusive thread saying that this might break dyndns for my otherwise happy IPA clients. Does dyndns working rely upon clients having IPA servers set up as their DNS server? I couldn't see an sssd option of "send updates here (only use this NIC)".
There are two parts to the DNS update process.
SSSD first needs to decide if a DNS update is necessary. It does this by querying the system's configured nameservers for the system's hostname, and checking the A/AAAA RRs in the response. So as long as 'delv -i $HOSTNAME' keeps working, this should be fine.
If, as a result of that query, SSSD decides an update is necessary, then it will launch nsupdate(1) to perform the update. nsupdate tries to determine the DNS zone's primary server by doing the equivalent of 'delv -i -t SOA ipa.example.com'. It then sends DNS update commands to the primary server directly.
Therefore, if you block the ability for your IPA clients to connect directly to your IPA servers on either port 53/tcp or 53/udp then you'll break dynamic DNS updates. But other than those DNS update commands, I wouldn't expect to see DNS traffic headed directly to your IPA servers, because most general purpose DNS lookups on your IPA clients will be from NSS and/or DNS client libraries talking to the system's configured resolvers.
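The two steps Sam describes, as an added preflight script for an IPA client (not code from the thread or from FreeIPA/SSSD): it resolves the client's own name through the configured resolvers the way SSSD does, then finds the zone's SOA MNAME and checks that the primary answers directly on 53/tcp and 53/udp as nsupdate requires. The zone argument and the delv/dig answer format it parses are assumptions.

```shell
#!/bin/sh
# Preflight for SSSD dynamic DNS on an IPA client whose resolvers point at a
# forwarding border device. Step 1 mirrors SSSD's decision (does DNS already
# hold our addresses?); step 2 mirrors nsupdate's path (is the zone's SOA
# primary reachable directly on 53/tcp and 53/udp?). Illustrative script only.

# Print the rdata of A/AAAA answer records from delv-style output
# (comment lines start with ';', answers are "name ttl IN TYPE rdata").
addr_rdata() {
    awk '$1 !~ /^;/ && $3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $5 }'
}

# Print the zone's primary server (SOA MNAME, trailing dot removed).
soa_mname() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "SOA" { print $5; exit }' | sed 's/\.$//'
}

# Return 0 when DNS holds at least one address for us and every one of them is
# configured locally (no update needed); 1 otherwise (SSSD will try an update).
# $1 = addresses from DNS, $2 = local interface addresses, whitespace-separated.
dns_matches_local() {
    [ -n "$1" ] || return 1
    ifaddrs=" $(printf '%s ' $2)"
    for a in $1; do
        case "$ifaddrs" in *" $a "*) ;; *) return 1 ;; esac
    done
    return 0
}

main() {                   # usage: dyndns_preflight.sh <ipa-zone>
    zone=$1; host=$(hostname -f)
    dns=$( { delv -i -t A "$host"; delv -i -t AAAA "$host"; } 2>/dev/null | addr_rdata)
    local_addrs=$(ip -o addr show scope global | awk '{ sub("/.*", "", $4); print $4 }')
    if dns_matches_local "$dns" "$local_addrs"; then
        echo "step 1: $host already resolves to its own addresses; no update needed"
    else
        echo "step 1: $host mismatch or no answer; SSSD will launch nsupdate"
    fi
    mname=$(delv -i -t SOA "$zone" 2>/dev/null | soa_mname)
    [ -n "$mname" ] || { echo "step 2: no SOA MNAME found for $zone"; return 1; }
    for t in +tcp +notcp; do        # nsupdate needs the primary on both transports
        if dig "$t" +time=2 +tries=1 "@$mname" "$zone" SOA >/dev/null 2>&1; then
            echo "step 2: $mname answers on 53 ($t)"
        else
            echo "step 2: $mname unreachable on 53 ($t); dynamic updates will fail"
        fi
    done
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh dyndns_preflight.sh ipa.example.com` on a client after the resolver change; a failure in step 2 is the condition Sam describes, where general lookups still work but updates are blocked.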
Super helpful, thank you Sam!
On Thu, 11 Jul 2024, 18:01 Sam Morris via FreeIPA-users, <freeipa-users@lists.fedorahosted.org> wrote:
-- Sam Morris https://robots.org.uk/ PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue