My IPA server's named.conf has this in it since I chose to enter a forwarder address during the ipa-server-install.

forward first;
forwarders {
    132.206.44.21;
    132.216.44.21;
};

Now I can only resolve hostnames through this forwarder, and the ipa-client hosts I've joined on my network are ignored. I know the local hosts are in the local DNS because I can do ipa dnsrecord-show hostname and it gives the IP. Why is it ignoring this when I do ping or nslookup? I thought the forward first policy was supposed to fall back on the local DNS, unlike the forward only policy?

I've also tried:

ipa dnsconfig-mod --forwarder=''
ipa dnszone-mod --forwarder='' zonename
ipa dnszone-mod --forward-policy=none zonename
service named restart

no joy :(

Asked by Jesse Stacey; edited by Andrew Schulman

1 Answer

The forwarders in named.conf are separate from the forwarders set by IPA commands. Both sets of forwarders apply simultaneously. You need to remove the forwarders from named.conf or update them there.

See the FreeIPA documentation for an explanation of the behavior of forwarder policies.

Additionally, check that your /etc/resolv.conf actually specifies the IP address of the IPA DNS server.

Answered by abbra; edited by Abhijeet Kasurde
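As an added check (example code, not part of the answer and not FreeIPA's own tooling): the script below audits the two places the answer names. It reads a constructed named.conf for the global forward policy and forwarder addresses, and a constructed resolv.conf for the first nameserver; the IPA server address 10.0.0.5 and the zone example.test are assumptions. One caveat worth knowing when reading the output: BIND's "forward first" only falls back to resolving on its own when the forwarders fail to respond; an NXDOMAIN returned by a campus forwarder is a valid answer, so for names the forwarder does not know there is no fallback.

```shell
#!/bin/sh
# Added example (not from the original post): audit where a FreeIPA DNS server
# picks up forwarders. The files below are constructed stand-ins for
# /etc/named.conf and /etc/resolv.conf; the IPA server IP 10.0.0.5 is assumed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed named.conf options block mirroring the one in the question.
cat > "$WORK/named.conf" <<'EOF'
options {
    directory "/var/named";
    forward first;
    forwarders {
        132.206.44.21;
        132.216.44.21;
    };
};
EOF

# Constructed resolv.conf on the IPA server, pointing at itself.
cat > "$WORK/resolv.conf" <<'EOF'
search example.test
nameserver 10.0.0.5
EOF

# Global forward policy from named.conf: prints "first", "only", or nothing.
named_forward_policy() {
    awk '$1 == "forward" { sub(/;.*/, "", $2); print $2; exit }' "$1"
}

# Global forwarder addresses from the forwarders { ... } block, one per line.
named_forwarders() {
    awk '
        /^[[:space:]]*forwarders[[:space:]]*\{/ { inblock = 1; next }
        inblock && /\}/                          { inblock = 0 }
        inblock                                  { gsub(/[[:space:];]/, ""); if ($0 != "") print }
    ' "$1"
}

# True when the FIRST nameserver in resolv.conf is the given IP. Only the
# first entry matters: a resolver that lists the campus DNS before the IPA
# server never asks IPA for the local zone.
resolv_points_to() {
    first="$(awk '$1 == "nameserver" { print $2; exit }' "$1")"
    [ "$first" = "$2" ]
}

# One-line verdict, scriptable. "forward first" falls back to recursion only
# when the forwarders fail to respond, not when they answer NXDOMAIN.
forwarder_verdict() {
    fwds="$(named_forwarders "$1" | tr '\n' ' ')"
    if [ -n "$fwds" ]; then
        echo "named.conf sets global forwarders ($fwds) with policy '$(named_forward_policy "$1")'; these apply alongside the IPA-managed ones shown by 'ipa dnsconfig-show'"
    else
        echo "named.conf sets no global forwarders; only IPA-managed forwarders apply"
    fi
}

forwarder_verdict "$WORK/named.conf"
if resolv_points_to "$WORK/resolv.conf" 10.0.0.5; then
    echo "resolv.conf points at the IPA server first"
else
    echo "resolv.conf does NOT point at the IPA server first"
fi
```

On a live server, point the functions at /etc/named.conf and /etc/resolv.conf and compare the named.conf forwarders against the IPA-managed ones from ipa dnsconfig-show; any address that appears only in named.conf is the one the IPA commands in the question could not remove.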
  • Yes, the resolv.conf of the server does point to itself, but if I do an nslookup on the server name it fails since the external DNS forwarder for McGill U only resolves external stuff. I've tried commenting out the forwarders in the named.conf, but when I restart the named service it fails. I wish I could just do ipa-server-install again, but all my end users have already ssh'd into this IPA server and set their passwords, so I don't want to lose that. – Jesse Stacey Apr 26 '15 at 04:13
  • Without seeing error messages it is hard to guess what your problem is. Can you show what failure is displayed by named? – abbra Apr 26 '15 at 20:48
  • So I have an idea of what's happening now. After installing the FreeIPA server I used a script to import my old NIS server's passwd and hosts files. After that, the web interface listed all the users and hostnames properly, but there were no A-name records in the DNS records. Even when I add a client to the realm using ipa-client-install it will say something about not being able to add a DNS entry for the host, and I did specify auto DNS updates in my zone. However, if I add an A name record manually through the web interface, nslookup works fine for the host. I dread having to add 255 hosts manually. – Jesse Stacey Apr 29 '15 at 03:46
  • You can use `ipa dnsrecord-add` and script that. – abbra Apr 29 '15 at 19:26
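As an added example of the scripting abbra suggests (not code from the thread or from FreeIPA): the script below converts a constructed NIS-style hosts map into one ipa dnsrecord-add command per host for an assumed zone example.test. It prints the commands by default and only runs them when APPLY=1 is set, so the generated list can be reviewed before 255 records are created.

```shell
#!/bin/sh
# Added example (not from the original post): turn a NIS-style hosts map into
# one `ipa dnsrecord-add` call per host. The hosts file below is constructed;
# the zone name example.test is assumed.

ZONE="example.test"
HOSTS="$(mktemp)"
trap 'rm -f "$HOSTS"' EXIT

cat > "$HOSTS" <<'EOF'
# constructed hosts map exported from the old NIS server
127.0.0.1      localhost
10.0.0.21      web1.example.test web1 www   # web front end
10.0.0.22      db1.example.test
fd00::22       db1.example.test
10.0.0.23      gw.other.test
EOF

# Emit ipa dnsrecord-add commands for zone $2 from hosts file $1.
# Comments, blank lines and loopback are skipped, as are names that do not end
# in the zone. IPv6 addresses become AAAA records; extra aliases become CNAMEs
# (emitted once each). Adding a second record to an existing name is fine:
# ipa dnsrecord-add appends to the entry rather than replacing it.
hosts_to_ipa_cmds() {
    awk -v zone="$2" '
        function short(n) { sub("\\." zone "$", "", n); return n }
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 == "127.0.0.1" || $1 == "::1" { next }
        $2 !~ ("\\." zone "$") { next }
        {
            name = short($2)
            rr = ($1 ~ /:/) ? "--aaaa-rec=" : "--a-rec="
            printf "ipa dnsrecord-add %s %s %s%s\n", zone, name, rr, $1
            for (i = 3; i <= NF; i++) {
                alias = short($i)
                if (alias != name && !(alias in seen)) {
                    seen[alias] = 1
                    printf "ipa dnsrecord-add %s %s --cname-rec=%s.%s.\n", zone, alias, name, zone
                }
            }
        }
    ' "$1"
}

# Print the commands by default; set APPLY=1 (after kinit as an admin) to run them.
apply_hosts() {
    if [ "${APPLY:-0}" = 1 ]; then
        hosts_to_ipa_cmds "$1" "$2" | sh -e
    else
        hosts_to_ipa_cmds "$1" "$2"
    fi
}

apply_hosts "$HOSTS" "$ZONE"
```

Run it once without APPLY to read the generated commands, then with APPLY=1 on the IPA server after obtaining an admin ticket; hosts that live in other zones (gw.other.test above) are left out and need a separate pass with their own zone name.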