[Freeipa-users] basic question on DNS configuration

Roberto Cornacchia roberto.cornacchia at gmail.com
Wed Feb 4 10:39:30 UTC 2015


Thank you Craig and Martin for your useful input.

You both definitely recommend not to use example.com for the internal IPA
DNS.

I was in any case going to avoid .local suffix and any invented top-level
domain, after some reading on this topic.

Using a subdomain like internal.example.com seems reasonable.
I was under the impression that the freeIPA domain needed to be a top-level
one, but maybe I was wrong here? Can I still keep example.com outside and
have freeIPA manage internal.example.com?



On 4 February 2015 at 10:34, Martin Basti <mbasti at redhat.com> wrote:

> On 03/02/15 16:52, Craig White wrote:
>
> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com]
> *On Behalf Of* Roberto Cornacchia
> *Sent:* Tuesday, February 03, 2015 5:20 AM
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] basic question on DNS configuration
>
> Hi guys,
>
> I can't wait to get freeIPA installed in our small enterprise, but I'd
> first like to get a couple of basic things straight.
>
> My first doubt is about the DNS configuration. Currently, we use a setting
> that I guess is rather common for small enterprises:
>
> We own an example.com domain which is managed by the DNS of an external
> provider.
>
> A couple of subdomains point to public IP addresses outside our local
> network (e.g. www.example.com is hosted at our internet provider,
> server1.example.com points at a server hosted in a datacenter, etc).
>
> All the remaining subdomains (*.example.com) point at one IP which
> corresponds to our local router.
>
> Then we use some simple forwarding rules to forward on to machines that
> are behind the router (service1.example.com, desktop1.example.com,
> desktop2.example.com, etc).
>
> Internally, because the enterprise is rather small, we are not using a
> DNS, but simply /etc/hosts files on each machine. When they can't resolve
> whatever.example.com, then the request goes to the external DNS.
>
> (sorry about the long-ish background information, probably this
> configuration is commonly named somehow, but I don't know how)
>
> Now, a first simple question for you guys would be:
>
> When installing freeIPA, with DNS, is the network configuration above
> still advisable? Can there be any problem? Or should I rather use a
> different domain for the internal network (I would really NOT like this
> option, but I'm very interested to know why I should, if that is the case).
>
> A second basic question is:
>
> Would you see any potential problem in installing freeIPA on a FC21 Server
> which currently hosts Atlassian Jira + Atlassian Stash (therefore git
> repositories) + the required mysql databases?
>
> My guess would be that they would not interfere, as:
>
> - httpd (and related ports) is currently unused
>
> - Both Jira and Stash use their own tomcat installation on custom ports
>
> - mysql shouldn't be a problem?
>
> - The machine isn't overloaded at all (4-5 developers use those services)
>
> Am I overlooking something? Obviously I'd rather have a dedicated freeIPA
> server, but if the above mentioned coexistence isn't a problem, then this
> would be more cost-effective.
>
> Thank you very much for your help, I'm looking forward to this upgrade.
>
> Roberto
>
> I would recommend that you create a ‘local’ domain for your internal LAN
> though you certainly can use your domain name for both the internal LAN and
> the external world. Obviously you would have to create ‘manual’ entries in
> DNS for the external servers (like www.example.com) so your internal LAN
> systems can resolve it. If you have a ‘local’ domain for your internal LAN,
> there aren’t name collisions, no need to manually maintain DNS entries for
> off-LAN servers and no confusion of essentially faking your LAN systems
> into believing that the IPA server is authoritative for example.com
> domain when the rest of the world thinks otherwise. The choice is yours.
>
> As for using F21 – you get the latest version of FreeIPA which is
> something I wish I had here.
>
> Git / Stash / Jira represent a fairly hefty memory footprint even if there
> isn’t that much CPU load. If you have the RAM and cpu cores to handle
> tossing FreeIPA onto the stack, go for it. You probably will want a replica
> too as the replica keeps your LAN running if the primary server is
> unavailable for whatever reason and it minimizes backup needs substantially.
>
> Craig
>
> Hello,
>
> For using the 'local.' domain please read the following message, to avoid issues
> on Fedora:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00010.html
>
> You can't use the 'example.com' zone for internal IPA DNS.
>
> You can create your internal sub zone, like 'internal.example.com' or
> 'corp.example.com', where IPA managed hosts will be added. It is the preferred
> solution instead of creating '.local' hostnames. Then you can set up a
> global forwarder on IPA DNS to your external DNS, where names other than
> 'internal.example.com' will be resolved.
>
> If I understand correctly, it is an internal network, so you do not need
> publicly resolvable domain names.
>
> --
> Martin Basti
>
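An added example, not part of the thread and not FreeIPA project code: a small POSIX shell pre-install check that encodes the domain advice given above (use a sub zone of the domain you own such as internal.example.com, not the bare public zone, not a .local name, not an invented top-level domain) and prints the ipa-server-install and ipa dnsconfig-mod invocations that give the IPA DNS a global forwarder to the external resolver, which is Martin's setup. The exit-code scheme of check_ipa_domain is my own convention, and the host name ipa1, the forwarder address 192.0.2.53 and the candidate domains in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): pre-install
# sanity check for the IPA DNS domain choice. Names and addresses in the
# demo at the bottom are constructed placeholders.

# check_ipa_domain IPA_DOMAIN PUBLIC_DOMAIN
# Exit status (my own convention for this script):
#   0  IPA_DOMAIN is a sub zone of the owned public domain (internal.example.com)
#   1  IPA_DOMAIN is the public zone itself (example.com): IPA would claim to be
#      authoritative for a zone the external provider already serves
#   2  IPA_DOMAIN ends in .local, which is reserved for mDNS (Avahi on Fedora)
#   3  IPA_DOMAIN is not under the owned domain at all (an invented TLD such as .lan)
check_ipa_domain() {
    ipa_domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    public_domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    ipa_domain=${ipa_domain%.}          # tolerate a trailing dot (FQDN notation)
    public_domain=${public_domain%.}
    case "$ipa_domain" in
        *.local|local) return 2 ;;
    esac
    if [ "$ipa_domain" = "$public_domain" ]; then
        return 1
    fi
    case "$ipa_domain" in
        *."$public_domain") return 0 ;;   # proper sub zone of the owned domain
    esac
    return 3
}

# ipa_install_cmdline IPA_DOMAIN SHORT_HOSTNAME EXTERNAL_RESOLVER
# Prints the ipa-server-install command for a checked domain. The Kerberos
# realm follows the FreeIPA convention of the domain in upper case; --setup-dns
# makes IPA serve the sub zone itself and --forwarder is the global forwarder
# that every other name (www.example.com and the rest of the world) is sent to.
ipa_install_cmdline() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf 'ipa-server-install --domain=%s --realm=%s --hostname=%s.%s --setup-dns --forwarder=%s\n' \
        "$1" "$realm" "$2" "$1" "$3"
}

# ipa_forwarder_cmdline EXTERNAL_RESOLVER
# Prints the command that (re)points the global forwarder after installation,
# e.g. when the external provider's resolver address changes.
ipa_forwarder_cmdline() {
    printf 'ipa dnsconfig-mod --forwarder=%s\n' "$1"
}

# Demo with constructed values; every candidate is reported, none aborts the script.
for candidate in internal.example.com example.com office.local ipa.lan; do
    check_ipa_domain "$candidate" example.com && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK       $candidate"
        ipa_install_cmdline "$candidate" ipa1 192.0.2.53
        ipa_forwarder_cmdline 192.0.2.53
    else
        echo "REJECTED $candidate (reason code $rc)"
    fi
done
```

Run it as a plain script to see which candidates pass; in practice you would source the functions and feed them the domain you actually own and the address of your provider's resolver. The check is deliberately strict about the bare public zone because, as both replies point out, an IPA server that answers for example.com has to carry manual copies of every external record (www, server1, ...) or those names stop resolving on the LAN.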