
We have a VPC setup on a private cloud provider (it looks like a cheap knock-off of AWS…) and I wanted to install FreeIPA for easier user management.

I installed FreeIPA with its DNS management (bind) because from what I’ve read in the documentation DNS is pretty important because of Kerberos.

But I’m a little puzzled about how (what's the correct way) to include the FreeIPA DNS servers for clients: should I just add the FreeIPA server in the clients' /etc/hosts file or add them in the clients' /etc/resolv.conf file?

Tnx, Tom

  • If the network is served via DHCP you could set DNS servers via DHCP options. /etc/resolv.conf is in many distributions automatically generated, and could therefore be problematic. – hargut Jun 08 '19 at 10:19

1 Answer

2

This can't be answered in a general way - you have to configure it in whatever way the systems you use configure DNS. This is different between e.g. Ubuntu 16.04 and Ubuntu 19.04 and CentOS 7. DHCP is always an option to abstract this away.

One important possible misconception though: You don't have to add the FreeIPA DNS server as an additional DNS server to the clients, but as the only DNS server (which in turn should make you want to have redundancy with a second FreeIPA instance).

Sven
  • so every DNS resolution will go to the FreeIPA server, which will answer all requests for my domain and will forward all other requests to 8.8.8.8 (or whatever), so ideally I have to add the DHCP options that will propagate the FreeIPA DNS servers that I want for my clients... – Tomislav Mikulin Jun 08 '19 at 10:42
  • Multiple entries of DNS servers in resolv.conf are only useful for failover. If the first server being queried returns NXDOMAIN the resolver takes this answer as the answer and stops. Resolvers will typically only use the second specified server when the first cannot be reached. – hargut Jun 08 '19 at 11:03
  • So is there a way to query the custom FreeIPA domain and also the Google or OpenDNS servers from the client side? – Tomislav Mikulin Jun 08 '19 at 16:43
  • As you wrote, you need to configure the FreeIPA DNS server to forward queries that it can't answer, just as you would configure any other DNS server to do the same. You then point your clients to that server (or servers, if you were clever and introduced redundancy). For the clients, this is transparent, but it only works if they don't also have external DNS servers configured directly. – Sven Jun 08 '19 at 16:49
  • Cool, tnx...... – Tomislav Mikulin Jun 10 '19 at 17:49
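An added audit script illustrating the rule from the answer and its comments (this is example code, not part of the question, the answer, or FreeIPA itself): every `nameserver` in a client's resolv.conf must be one of the FreeIPA DNS servers, because a public resolver listed "for the internet" is only a failover target and, when used, cannot answer the IPA zone. The server addresses and the two resolv.conf samples are constructed.

```sh
#!/bin/sh
# Added example: check a client's resolver config against the FreeIPA rule.
# Constructed: two IPA replicas, the redundancy the answer recommends.
IPA_DNS_SERVERS="192.0.2.10 192.0.2.11"

# check_resolv "<resolv.conf text>" "<allowed IPA server list>"
# Returns 0 when every nameserver is an IPA server, 1 when an external
# resolver is configured directly (each one is printed), 2 when no
# nameserver line exists at all.
check_resolv() {
    conf="$1"
    allowed="$2"
    count=0
    bad=0
    # Only 'nameserver' lines matter; search/domain/options are ignored.
    for ns in $(printf '%s\n' "$conf" | awk '$1 == "nameserver" { print $2 }'); do
        count=$((count + 1))
        found=0
        for ok in $allowed; do
            [ "$ns" = "$ok" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "external resolver configured directly: $ns"
            bad=1
        fi
    done
    [ "$count" -eq 0 ] && return 2
    return "$bad"
}

# Constructed sample of the setup the answer warns against: the IPA server
# first, a public resolver second. The second entry is only used on failover,
# and once it is used, names in the IPA zone stop resolving on that client.
MIXED_CONF="search ipa.example.test
nameserver 192.0.2.10
nameserver 8.8.8.8"

# Constructed sample of the recommended layout: only IPA servers, so failover
# stays inside the IPA zone and forwarding to the outside is done by IPA.
GOOD_CONF="search ipa.example.test
nameserver 192.0.2.10
nameserver 192.0.2.11"

if check_resolv "$MIXED_CONF" "$IPA_DNS_SERVERS"; then echo "mixed: ok"; else echo "mixed: misconfigured"; fi
if check_resolv "$GOOD_CONF" "$IPA_DNS_SERVERS"; then echo "good: ok"; else echo "good: misconfigured"; fi
```

On a real client, feed it the live file with `check_resolv "$(cat /etc/resolv.conf)" "$IPA_DNS_SERVERS"`, keeping in mind the comment above that the file may be generated by DHCP or a local resolver daemon.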