Hello friends,
I have FreeIPA version 4.8.10 on FC 33. Installation went through, and when I try NSLOOKUP with the selected server 127.0.0.53, I can resolve the freeipa host (the actual hostname of the server) and the internet, for instance google.com. Then in NSLOOKUP I set the server to 10.0.0.2 (this is the private IP of the freeipa) and check if it can resolve the freeipa server, and it can. But then I try google.com after that and it fails; it fails on basically anything outside of what it hosts. I tried installation with forwarders, but that failed every time I entered our country's DNS, and even when using 1.1.1.1.
So in short: freeipa can resolve anything if using 127.0.0.53 but nothing if using 10.0.0.2. That means that no host on the internal network can resolve anything if using freeipa as the DNS server.
Please help, as I cannot use anything on the net since no global address is resolving right now. THX in advance!
On Thu, 12 Nov 2020, Damjan Kumin via FreeIPA-users wrote:
127.0.0.53 is systemd-resolved, your local caching resolver on Fedora 33 by default.
The FreeIPA DNS server has detected it and configured itself to be automatically proxied to by systemd-resolved on the same host.
If you cannot resolve anything by talking directly to the FreeIPA DNS server, check that your configuration does not have broken DNSSEC on the upstream DNS servers and whether IPA DNS is in fact validating DNSSEC responses.
Check /etc/named/ipa-options-ext.conf to see if it is enforcing dnssec validation.
If using forwarders in ipa-server-install 'failed', you would see debug information about those failures in /var/log/ipaserver-install.log.
Use 'ipa help dns' to learn about various IPA commands related to DNS server operations. For each of the commands listed there, you can get more help with 'ipa <command> --help'.
thx Alexander for such a quick reply. So here is mine.
On this newly deployed freeipa there are *no* files under /etc/named/; the directory is empty. I looked in a backup of the old ipa server; there is one file called "ipa-ext.conf", but it is empty. Not sure how I can then disable the DNSSEC check, because I believe that the server I use does not provide DNSSEC (though I need to check this).
On the note of the failed installation, in the log I see:
2020-11-12T18:55:34Z DEBUG The ipa-server-install command failed, exception: RuntimeError: DNS server 193.2.1.66: query '. SOA': The DNS operation timed out after 11.602912902832031 seconds
2020-11-12T18:55:34Z ERROR DNS server 193.2.1.66: query '. SOA': The DNS operation timed out after 11.602912902832031 seconds
2020-11-12T18:55:34Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Any other thought? Thx in advance!
On Thu, 12 Nov 2020, Damjan Kumin via FreeIPA-users wrote:
This means 193.2.1.66 is not usable as a forwarder to query the . SOA record. Maybe it is not accessible at all, or maybe it does not allow querying that.
What happens if you ask it manually from the same machine?
dig @193.2.1.66 .
From my side I am (obviously) getting refusal:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 13166
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 68 msec
;; SERVER: 193.2.1.66#53(193.2.1.66)
;; WHEN: to marras 12 22:15:01 EET 2020
;; MSG SIZE rcvd: 12
Huh, interestingly enough, I only get
[damjank@freeipa ~]$ dig @193.2.1.66 .
; <<>> DiG 9.11.24-RedHat-9.11.24-2.fc33 <<>> @193.2.1.66 .
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
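As an added example (not code from the thread or from FreeIPA), a small POSIX shell helper that reads the result of `dig @<forwarder> . SOA` the way Alexander reads it above and classifies the server as usable, refused, lacking recursion, or timed out, so a forwarder can be vetted before it is handed to ipa-server-install. The sample outputs are constructed from the ones quoted in the thread; the `check_forwarder` wrapper is my assumption about how one would run the live check.

```shell
#!/bin/sh
# classify_dig_output: read `dig @<server> . SOA` output on stdin and print one of
#   timeout | refused | servfail | no-recursion | usable | unknown
# A forwarder is only usable if it answers NOERROR *and* offers recursion (the "ra"
# flag); an authoritative-only server that refuses or lacks "ra" will make BIND's
# root query time out or fail, which is what ipa-server-install reported above.
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*)
            echo timeout ;;
        *"status: REFUSED"*)
            echo refused ;;
        *"status: SERVFAIL"*)
            echo servfail ;;
        *"status: NOERROR"*)
            case "$out" in
                *"recursion requested but not available"*) echo no-recursion ;;
                *"flags: "*" ra"*) echo usable ;;     # "ra" present in the flags line
                *) echo no-recursion ;;
            esac ;;
        *)  echo unknown ;;
    esac
}

# check_forwarder <ip>: live check against a candidate forwarder (needs network;
# assumed wiring, not exercised by the offline samples below).
check_forwarder() {
    dig +time=5 +tries=1 "@$1" . SOA 2>&1 | classify_dig_output
}

# Constructed samples modelled on the dig output quoted in the thread.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 13166
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available'
SAMPLE_TIMEOUT=';; global options: +cmd
;; connection timed out; no servers could be reached'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_REFUSED" | classify_dig_output   # refused
printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output   # timeout
printf '%s\n' "$SAMPLE_OK"      | classify_dig_output   # usable
```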
OK, so as per your instructions, I used 1.1.1.1 as the DNS forwarder and completely disabled the DNSSEC check. In the web interface it still said error, but it is working now: if I query external addresses, they get resolved correctly, together with all other zones defined on IPA. Thx!