Hi,
I am considering using my current FreeIPA set-up, which has only .local domains, to be authoritative for a domain name. Therefore, I might open port 53 to allow external queries.
Is it a reasonably OK thing to do? And is there a way to use ACLs to block queries that are not for that publicly resolvable domain name?
Best, Francis
We did this for a while and I wouldn't recommend it. Our servers eventually started being attacked and even though we weren't answering the queries, it still put a significant additional load and impacted legitimate users. We set up separate authoritative DNS servers that get the records from IPA, so there is a very small delay in updates (IPA doesn't support DNS NOTIFY), but any issues with the authoritative servers do not impact internal users - we use PowerDNS with a Lua script that updates the values of the SOA record and NS records. If you still want to publicly expose IPA, you might want to look into fail2ban or similar programs to block abusive connections.
- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.
On Sat, Mar 11, 2023, 8:57 AM Francis Augusto Medeiros-Logeay via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
-- Francis Augusto Medeiros-Logeay
Oslo, Norway
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
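The triage Yehuda's reply points at (finding the external clients that hammer an exposed IPA DNS server with queries it has no business answering, then feeding them to fail2ban or a firewall set), as an added example that is not code from the thread, from FreeIPA or from BIND: parse BIND-style query log lines, ignore clients on the internal networks, and count each external client's queries for names outside the one zone meant to be public. The log lines are constructed in the shape of BIND's query log with documentation IP ranges; the zone name, internal network and threshold are assumptions.

```python
"""Find external clients hammering a FreeIPA/BIND server with queries for names
outside the one zone it is meant to serve publicly.

Added example for this thread; not code from FreeIPA, BIND or the posters.
The log lines below are constructed in the shape of BIND's query log and use
documentation IP ranges; the zone, networks and threshold are assumptions.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log: one well-behaved external resolver (203.0.113.5), one
# external client probing internal .local names and unrelated domains
# (203.0.113.77), one internal client (10.0.0.42) and one non-query line.
SAMPLE_LOG = """\
client @0x7f1b2c0d3e40 203.0.113.5#40211 (www.example.org): query: www.example.org IN A +E(0) (198.51.100.10)
client @0x7f1b2c0d3e40 203.0.113.5#40212 (example.org): query: example.org IN MX +E(0) (198.51.100.10)
client @0x7f1b2c0d3e40 203.0.113.77#5353 (ipa.corp.local): query: ipa.corp.local IN A +E(0) (198.51.100.10)
client @0x7f1b2c0d3e40 203.0.113.77#5353 (_ldap._tcp.corp.local): query: _ldap._tcp.corp.local IN SRV +E(0) (198.51.100.10)
client @0x7f1b2c0d3e40 203.0.113.77#5353 (isc.org): query: isc.org IN ANY +E(0) (198.51.100.10)
client 203.0.113.77#5353 (google.com): query: google.com IN A + (198.51.100.10)
client @0x7f1b2c0d3e40 10.0.0.42#55001 (ipa.corp.local): query: ipa.corp.local IN A +E(0) (10.0.0.1)
client 192.0.2.9#1234 (example.org): query: example.org IN ANY + (198.51.100.10)
not a query line at all
"""

# Accepts both the older "client IP#port" and the newer "client @0x... IP#port" forms.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or any name below it (case-insensitive)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def parse_queries(log_text: str):
    """Yield (source_ip, qname, qtype) for every query-log line; skip the rest."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname"), m.group("qtype")


def audit(log_text: str, public_zone: str, internal_nets, threshold: int):
    """Count, per external client, queries for names outside public_zone.

    Internal clients are ignored: they legitimately ask IPA for .local names
    and for recursion. Returns (offenders, off_zone_counts) where offenders is
    the sorted list of external sources at or above threshold.
    """
    internal = [ip_network(n) for n in internal_nets]
    off_zone = Counter()
    for src, qname, _qtype in parse_queries(log_text):
        if any(ip_address(src) in net for net in internal):
            continue
        if not in_zone(qname, public_zone):
            off_zone[src] += 1
    offenders = sorted(src for src, n in off_zone.items() if n >= threshold)
    return offenders, off_zone


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG, "example.org", ["10.0.0.0/8"], threshold=3)
    for src in found:
        print(f"{src}: {counts[src]} off-zone queries -> candidate for fail2ban/firewall block")
```

On the constructed sample this flags only 203.0.113.77; the external resolver that sticks to example.org is left alone, and the internal client is never counted even though it asks for .local names. Note that this only reduces the cost of abuse after the fact: as Yehuda says, the server still has to receive and parse every packet, so it does not remove the load argument for keeping a separate authoritative server.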
Thanks a lot Yehuda. That was exactly what I was fearing. I think I'll just keep the externally resolvable names on my registrar and the internally ones on FreeIPA to avoid the complexity.
Best,
-- Francis Augusto Medeiros-Logeay
Oslo, Norway
On 2023-03-12 02:35, Yehuda Katz via FreeIPA-users wrote: