On 06/19/2018 12:33 PM, Tyrell Jentink wrote:
Yeah, this was a struggle for me, too... Not just the forward domains, but
the reverse zones, too. It all required some thinking, and I think I'm
about to change some of it... But this is what I did at the get-go:

My domain name, let's use example.com, points at my public website, and my
FreeIPA domain is only accessible internally; I just don't have a need to
authenticate outside of the network.

My desired setup is similar to yours, except that my public web presence is just a port forward to an internal machine. I will need to authenticate on that machine.


Inside the network, I have three DNS servers... One is just a resolver on an
OPNSense firewall, and lives at 10.0.0.1. That isn't authoritative on any
domain.

The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com
subdomain and the 1.42.10.arpa reverse domain. It has a conditional
forwarder to forward requests under win.example.com to 10.42.2.10.

The third is ActiveDirectory, serves the win.example.com subdomain and the
2.42.10.arpa reverse domain. It has a conditional forwarder to forward
requests under lin.example.com to 10.42.1.10.

Both of the authoritative servers point unresolved addresses to the
resolver at 10.0.0.1; It forwards to 1.1.1.1.

You run into problems if any given domain has two authoritative servers;
That is in both the forward and reverse domains, so you have to ensure that
each subdomain has a unique name -AND- a unique IP Address Space.

Does that set you on the right path, or do you need me to retry?

Yes, this helps. I really didn't want to learn more about DNS and BIND, but clearly it's necessary. The thing that was tripping me up was the need to send DNS updates to an authoritative server. The only authoritative server currently on my internal network is for the ipa.example.com domain. If a client is not in that domain, then the DNS updates are sent to the SOA of example.com. This fails since my DNS host is not configured to support this. Now that I understand what is going on, I need to decide how to best move forward. It feels like I need a lot of infrastructure for what is a tiny network. Perhaps I'm feeling how Richard Owlett is feeling about his network.


galen
--
Galen Seitz
gal...@seitzassoc.com
_______________________________________________
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

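An added example, not part of the thread or of either poster's setup: a small Python planning check for the split-DNS layout discussed above. It models the two internal authoritative servers (addresses as given in Tyrell's post; the host names are made up), answers the question Galen ran into (which zone's SOA a dynamic update for a given name or PTR record would be sent to, falling back to the public example.com SOA when no internal server is authoritative), and enforces Tyrell's rule that each subdomain needs a unique name and a unique IP address space, for both forward and in-addr.arpa zones. The zone-matching logic is the ordinary longest-suffix rule that a dynamic-update client uses to find the target zone; it is written here from scratch rather than taken from BIND or nsupdate.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Zone:
    """One authoritative server and what it serves (constructed plan, not real config)."""
    name: str        # forward zone this server is authoritative for
    server: str      # address of the authoritative server
    networks: tuple  # IPv4 networks whose in-addr.arpa zones it also serves


# Constructed plan mirroring the layout in the thread (addresses from the post).
PLAN = (
    Zone("lin.example.com", "10.42.1.10", ("10.42.1.0/24",)),
    Zone("win.example.com", "10.42.2.10", ("10.42.2.0/24",)),
)
# The parent zone lives on the public web host; an internal update sent there fails.
PARENT_ZONE = ("example.com", "public SOA (outside the network)")


def _labels(name):
    return name.lower().rstrip(".").split(".")


def is_subdomain(name, zone):
    """True when name is inside zone (or equal to it)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def reverse_zone(network):
    """in-addr.arpa zone for an octet-aligned IPv4 network: 10.42.1.0/24 -> 1.42.10.in-addr.arpa."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError(f"{network}: only octet-aligned IPv4 prefixes map to one reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def authoritative_zones(plan=PLAN):
    """Every (zone, server) pair the internal servers answer for, forward and reverse."""
    pairs = []
    for z in plan:
        pairs.append((z.name, z.server))
        pairs.extend((reverse_zone(n), z.server) for n in z.networks)
    return pairs


def update_target(name, plan=PLAN, parent=PARENT_ZONE):
    """Where a dynamic update for `name` is sent: the longest internal zone enclosing
    it, otherwise `parent` (the SOA of example.com), which is the failing case."""
    best = None
    for zone, server in authoritative_zones(plan):
        if is_subdomain(name, zone) and (best is None or len(_labels(zone)) > len(_labels(best[0]))):
            best = (zone, server)
    return best if best else parent


def ptr_update_target(ip, plan=PLAN):
    """Same question for an address's PTR record; None means no internal server serves it."""
    return update_target(ipaddress.ip_address(ip).reverse_pointer, plan, parent=None)


def check_plan(plan=PLAN):
    """Flag nested forward zones and overlapping address space: either gives one name
    space two authoritative servers, which breaks both resolution and updates."""
    problems = []
    fwd = [(z.name, z.server) for z in plan]
    for i, (a, sa) in enumerate(fwd):
        for b, sb in fwd[i + 1:]:
            if is_subdomain(a, b) or is_subdomain(b, a):
                problems.append(f"forward zones {a} ({sa}) and {b} ({sb}) nest")
    nets = [(ipaddress.ip_network(n), z.server) for z in plan for n in z.networks]
    for i, (a, sa) in enumerate(nets):
        for b, sb in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"networks {a} ({sa}) and {b} ({sb}) overlap")
    return problems


if __name__ == "__main__":
    for host in ("box1.lin.example.com", "pc7.win.example.com", "laptop.example.com"):
        print(host, "->", update_target(host))
    print("10.42.2.55 PTR ->", ptr_update_target("10.42.2.55"))
    print("problems:", check_plan() or "none")
```

Running it shows the two cases side by side: a host under lin.example.com or win.example.com updates its own internal server, while a host named directly under example.com would try to update the public SOA. Feeding check_plan a plan where one server claims example.com itself, or a /16 that contains another server's /24, reports the clash before it turns into intermittent resolution failures.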