On Mon, 16 Dec 2024, Chmatos . via FreeIPA-users wrote:
IPA hosts, after being added to IPA, lose the Active Directory primary DNS
domain. The hosts ask the IPA DNS servers for the AD domain instead of the
primary DNS servers, which are the AD servers.

I have two new IPA servers with DNS installed. Both servers have no
issues with DNS. I have the problem only on the added hosts.

The main DNS servers are the AD servers, with the default domain mydomain.local.
For the newly installed IPA servers with DNS, I chose the domain name lnxmydomain.local.

On the AD DNS servers I added my new IPA domain "lnxmydomain.local" to
"Conditional Forwarders" with the IP addresses of my IPA servers. There are
multiple "Conditional Forwarders", for example myotherdomain.local.

From IPA hosts whose DNS servers are the AD DNS servers: if I look up DNS
records in myotherdomain.local, the host asks the AD DNS servers and it works
completely without problem. I don't see any request on the IPA DNS servers.

My issue:
If I try to reach anything in mydomain.local from the IPA hosts, it breaks the
DNS rule and goes directly to the FreeIPA DNS servers, not to the configured
AD DNS servers. I see this query in named.log on the IPA server, and I see
that the IPA domain suffix lnxmydomain.local is appended; the complete name is
anything.mydomain.local.lnxmydomain.local

From IPA host: ping: smtp.mydomain.local: Temporary failure in name resolution

From IPA server named.log:
10-Dec-2024 11:08:41.659 info: client @0x7fc260cc1558 192.168.1.10#59522 (smtp.mydomain.local.lnxmydomain.local): query: smtp.mydomain.local.lnxmydomain.local IN A +E(0) (192.168.1.60)

10-Dec-2024 11:08:41.659 info: client @0x7fc250009b78 192.168.1.10#57236 (smtp.mydomain.local.lnxmydomain.local): query: smtp.mydomain.local.lnxmydomain.local IN AAAA +E(0) (192.168.1.60)

How do I avoid breaking the DNS rule, so that the hosts don't contact the IPA
DNS server instead of the configured AD DNS servers?

So from the log output above, it is the client that actually sent the expanded
DNS name for lookup. The DNS server only processes it and obviously
cannot do anything positive with that, as the name 'smtp.mydomain.local'
does not exist in the 'lnxmydomain.local' DNS zone, nor can it be forwarded
anywhere.

You need to look at the client's configuration in more detail.


Host DNS configuration:
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 192.168.149.10
DNS Servers: 192.168.4.53 192.168.149.53 192.168.2.53
DNS Domain: lnxmydomain.local

Judging by this output, you are using systemd-resolved as your DNS
resolver. The 'stub' part says that 127.0.0.53 is the local resolver and
that systemd-resolved is handling any responses to local DNS resolution.

My /etc/resolv.conf in a similar situation looks like this:

nameserver 127.0.0.53
options edns0 trust-ad
search domain1.tld domain2.tld ...

Because I have several VPN connections open and those VPN servers
instruct the client to look up several domains, my 'search' line has multiple
domains in it.

Can you show your /etc/resolv.conf from this client? And additionally the
systemd-resolved configuration. The latter can be shown with

# systemd-analyze cat-config systemd/resolved.conf



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
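As an added example for this thread (it is neither the poster's nor Alexander's code, nor anything from the FreeIPA project), the script below models the search-list expansion a glibc-style stub resolver performs on a name like smtp.mydomain.local, and then scans BIND query-log lines for names that are the product of such expansion. The resolv.conf text is an assumption (a search list holding only lnxmydomain.local, as the "DNS Domain:" line above suggests); the log excerpt is constructed, with the first two lines mirroring the two entries quoted in the thread and the other two being made-up benign queries. The label heuristic in detect_search_expansion (two or more labels, no DNS-SD service labels such as _ldap or _tcp) is this example's own choice, not anything BIND or systemd-resolved does.

```python
"""Model resolver search-list expansion and spot it in BIND query logs."""
import re
from dataclasses import dataclass, field

# Constructed resolv.conf for the IPA client (assumption: only the IPA domain
# is in the search list and ndots keeps its glibc default of 1).
RESOLV_CONF = """\
nameserver 127.0.0.53
options edns0 trust-ad
search lnxmydomain.local
"""

# Constructed named.log excerpt in BIND query-log format, one entry per line.
# Lines 1-2 mirror the thread; lines 3-4 are benign queries for contrast.
SAMPLE_LOG = """\
10-Dec-2024 11:08:41.659 info: client @0x7fc260cc1558 192.168.1.10#59522 (smtp.mydomain.local.lnxmydomain.local): query: smtp.mydomain.local.lnxmydomain.local IN A +E(0) (192.168.1.60)
10-Dec-2024 11:08:41.659 info: client @0x7fc250009b78 192.168.1.10#57236 (smtp.mydomain.local.lnxmydomain.local): query: smtp.mydomain.local.lnxmydomain.local IN AAAA +E(0) (192.168.1.60)
10-Dec-2024 11:09:02.101 info: client @0x7fc250009b78 192.168.1.10#41000 (ipa1.lnxmydomain.local): query: ipa1.lnxmydomain.local IN A +E(0) (192.168.1.60)
10-Dec-2024 11:09:05.330 info: client @0x7fc260cc1558 192.168.1.11#53011 (_ldap._tcp.lnxmydomain.local): query: _ldap._tcp.lnxmydomain.local IN SRV +E(0) (192.168.1.60)
"""

# "<date> <time> info: client @0x... <src>#<port> (<qname>): query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"^\S+ \S+ info: client (?:@0x[0-9a-f]+ )?(?P<src>[^#\s]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    ndots: int = 1  # glibc default


def parse_resolv_conf(text):
    """Parse the subset of resolv.conf(5) that drives search-list expansion."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key in ("search", "domain") and args:
            # "search" and "domain" override each other; the last one wins.
            conf.search = [d.rstrip(".").lower() for d in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf.ndots = int(opt.split(":", 1)[1])
    return conf


def search_candidates(name, conf):
    """Return the fully qualified names a glibc-style resolver tries, in order.

    A trailing dot disables the search list. Otherwise a name with at least
    `ndots` dots is tried as-is first and the search domains are appended only
    on failure; a name with fewer dots gets the search domains first.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{d}." for d in conf.search]
    if name.count(".") >= conf.ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def detect_search_expansion(log_lines, search_domains):
    """Flag queries whose name is <inner>.<search domain> where <inner> already
    looks like a fully qualified name: two or more labels, none of them a
    DNS-SD service label such as _ldap or _tcp. Returns (src, inner, domain, qtype)."""
    findings = []
    domains = [d.rstrip(".").lower() for d in search_domains]
    for line in log_lines:
        m = QUERY_RE.match(line)
        if not m:
            continue
        qname = m["name"].rstrip(".").lower()
        for sd in domains:
            if not qname.endswith("." + sd):
                continue
            labels = qname[: -len(sd) - 1].split(".")
            if len(labels) >= 2 and not any(l.startswith("_") for l in labels):
                findings.append((m["src"], ".".join(labels), sd, m["qtype"]))
            break
    return findings


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    for n in ("smtp", "smtp.mydomain.local", "smtp.mydomain.local."):
        print(f"{n:22} -> {search_candidates(n, conf)}")
    for src, inner, sd, qtype in detect_search_expansion(SAMPLE_LOG.splitlines(), conf.search):
        print(f"{src} asked for {inner!r} with search domain {sd!r} appended ({qtype})")
```

Read together with the quoted log, the telling detail is which candidates reach the IPA server: a glibc-style client looking up smtp.mydomain.local (two dots, ndots 1) would send the absolute name first and the expanded form only afterwards, so seeing only the expanded form there means the absolute lookup went elsewhere or was never sent to that server. systemd-resolved's routing rules are not identical to glibc's (it decides per link and per domain which server a name goes to, and handles names under the .local suffix that RFC 6762 reserves for Multicast DNS specially), which is why the resolv.conf and resolved.conf asked for above matter: the model shows what to look for in the logs, it does not reproduce the client.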

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue