Integrated DNS
Built-in BIND DNS server with dynamic updates and DNSSEC support for seamless service discovery
Overview
FreeIPA includes an integrated DNS server based on BIND, providing seamless service discovery, dynamic DNS updates, and DNSSEC support. DNS is essential for Kerberos and LDAP service discovery, making it a critical component of the FreeIPA infrastructure.
Key Capabilities
Automated Service Records
FreeIPA automatically creates and maintains DNS records for services:
- SRV Records: Kerberos KDC, LDAP servers, and other services
- A/AAAA Records: IPv4 and IPv6 host records
- PTR Records: Reverse DNS lookups
- TXT Records: Kerberos realm information
- CNAME Records: Service aliases
Example SRV records created automatically:
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa01.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 ipa01.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa01.example.com.
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa01.example.com.
Dynamic DNS Updates
Clients automatically update their DNS records:
- Host enrollment creates forward and reverse records
- IP address changes trigger automatic updates
- Secure updates using Kerberos authentication
- Client configuration via SSSD and dhclient
DNSSEC Support
Sign zones with DNSSEC so resolvers can verify that answers are authentic and were not altered in transit:
- Inline Signing: Automatic signature generation
- Key Management: Automated key rotation
- DS Records: Parent zone delegation
- Trust Anchors: Secure zone validation
- NSEC3: Hashed authenticated denial of existence, which makes zone enumeration harder
DNS Zone Management
Forward Zones
Create and manage forward lookup zones:
# Add DNS zone
ipa dnszone-add example.com \
--name-server=ipa01.example.com. \
--admin-email=admin.example.com
# Add DNS record
ipa dnsrecord-add example.com www \
--a-rec=192.168.1.100
# Add CNAME
ipa dnsrecord-add example.com blog \
--cname-rec=www.example.com.
Reverse Zones
Configure reverse DNS so IP addresses resolve back to host names:
# Add reverse zone
ipa dnszone-add 1.168.192.in-addr.arpa. \
--name-server=ipa01.example.com.
# Add PTR record
ipa dnsrecord-add 1.168.192.in-addr.arpa. 100 \
--ptr-rec=www.example.com.
Zone Delegation
Delegate subdomains to other DNS servers:
# Delegate subdomain
ipa dnsrecord-add example.com subdomain \
--ns-rec=ns1.subdomain.example.com.
# Add glue records
ipa dnsrecord-add example.com ns1.subdomain \
--a-rec=192.168.1.150
DNSSEC Implementation
Zone Signing
Enable DNSSEC for zones:
# Enable DNSSEC
ipa dnszone-mod example.com --dnssec=true
# View DNSSEC keys
ipa dnskey-find example.com
# Get DS records for parent zone
ipa dnszone-show example.com --all | grep DS
Key Management
FreeIPA automates DNSSEC key management:
- KSK (Key Signing Key): Long-lived key that signs the zone's DNSKEY RRset
- ZSK (Zone Signing Key): Shorter-lived key that signs the zone data
- Automatic Rotation: Scheduled key rollovers
- Backup and Recovery: Secure key storage
Validation
Verify from a client that DNSSEC validation works:
# Test DNSSEC validation
dig +dnssec example.com SOA
# Verify signature
dig +dnssec +multi www.example.com A
Dynamic Updates
Client Configuration
Configure clients for dynamic updates:
# SSSD configuration for dynamic DNS
[domain/example.com]
dyndns_update = True
dyndns_refresh_interval = 86400
dyndns_update_ptr = True
dyndns_ttl = 3600
Update Policies
Control who can update DNS records:
# Grant update permission
ipa dnszone-add-permission example.com \
--permission="Write DNS records"
# Grant to specific host
ipa dnsrecord-add-permission example.com host01 \
--permission="Update own record"
Security
Secure dynamic updates with Kerberos:
- GSS-TSIG authentication
- Per-host update credentials
- ACL-based update policies
- Audit logging of all updates
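What a secure dynamic update looks like under the hood, as an added example that is not FreeIPA or SSSD code: the script builds an nsupdate batch for the host's own A and PTR records and sends it signed with GSS-TSIG (nsupdate -g) using the host keytab, the same mechanism the SSSD dyndns_update setting above relies on. It assumes the host principal is in /etc/krb5.keytab and that reverse zones are /24 zones like 1.168.192.in-addr.arpa. above.

```sh
#!/bin/sh
# Added example (not FreeIPA code): push a host's own A and PTR records with a
# GSS-TSIG signed dynamic update, the mechanism SSSD uses when
# dyndns_update = True. Assumes the host keytab in /etc/krb5.keytab and
# /24 reverse zones such as 1.168.192.in-addr.arpa.

# Reject anything that is not a dotted quad: the address is interpolated into
# the nsupdate batch, so unchecked input could smuggle in extra directives.
valid_ipv4() {
    case $1 in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Reverse-map an IPv4 address to its in-addr.arpa owner name.
reverse_name() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$d" "$c" "$b" "$a"
}

# Emit the nsupdate batch: replace the host's own A and PTR records and
# nothing else. Two 'send's because the records live in different zones.
update_batch() {
    fqdn=$1; ip=$2; ttl=${3:-3600}
    ptr=$(reverse_name "$ip")
    printf 'update delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$fqdn" "$fqdn" "$ttl" "$ip"
    printf 'update delete %s PTR\nupdate add %s %s PTR %s.\nsend\n' \
        "$ptr" "$ptr" "$ttl" "$fqdn"
}

main() {  # usage: dyndns.sh FQDN IPV4
    fqdn=$1; ip=$2
    case $fqdn in *[!A-Za-z0-9.-]*|'') echo "bad fqdn" >&2; exit 2 ;; esac
    valid_ipv4 "$ip" || { echo "bad ip" >&2; exit 2; }
    kinit -k "host/$fqdn" || exit 1   # host keytab, no password prompt
    update_batch "$fqdn" "$ip" | nsupdate -g   # -g: sign with GSS-TSIG
}
if [ $# -gt 0 ]; then main "$@"; fi
```

The server only accepts the update if the zone's update policy grants the host principal write access to those names, so a failure here usually means a policy problem rather than a Kerberos one.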
DNS Views (Split-Horizon)
Serve different DNS responses based on client location:
# Create DNS view
ipa dnsview-add internal
ipa dnsview-add external
# Add zone to view
ipa dnszone-add example.com --view=internal
ipa dnszone-add example.com --view=external
# Different records per view
ipa dnsrecord-add example.com web --view=internal --a-rec=10.0.0.100
ipa dnsrecord-add example.com web --view=external --a-rec=203.0.113.100
Integration Features
DHCP Integration
Coordinate with DHCP servers for automatic DNS updates:
# dhclient configuration
send fqdn.fqdn = "hostname.example.com";
send fqdn.encoded on;
send fqdn.server-update off;
Load Balancing
Distribute load across multiple servers:
- Round-robin A records
- SRV record priorities and weights
- Geographic-based DNS responses
- Health checks and failover
Global Server Load Balancing
Use DNS for cross-datacenter load balancing:
# Multiple A records for load balancing
ipa dnsrecord-add example.com app \
--a-rec=192.168.1.10 \
--a-rec=192.168.2.10 \
--a-rec=192.168.3.10
Advanced Features
DNS Forwarding
Forward queries for external domains:
# Add global forwarder
ipa dnsconfig-mod --forwarder=8.8.8.8 --forwarder=8.8.4.4
# Add per-zone forwarder
ipa dnsforwardzone-add external.com \
--forwarder=192.168.1.53 \
--forward-policy=only
DNS Locations
Optimize client experience with location-based DNS:
# Create location
ipa location-add datacenter1
# Assign IPA servers to locations
ipa server-mod ipa01.example.com --location=datacenter1
# Location-specific DNS records created automatically
DNS Root Hints
Configure root DNS servers for resolution:
# Update root hints
ipa dnsconfig-mod --root-hints=/var/named/named.ca
Monitoring and Troubleshooting
Query Logging
Enable query logging for troubleshooting:
# Enable DNS query logging
ipa dnsconfig-mod --allow-query-log=true
# View logs
tail -f /var/log/named/queries.log
Zone Transfers
Configure zone transfers to external secondary DNS servers:
# Allow zone transfer
ipa dnszone-mod example.com \
--allow-transfer=192.168.1.50
# Notify secondary servers
ipa dnszone-mod example.com \
--also-notify=192.168.1.50
Health Checks
Monitor DNS service health:
# Test resolution
dig @ipa01.example.com example.com SOA
# Test SRV records
dig @ipa01.example.com _ldap._tcp.example.com SRV
# Verify DNSSEC
dig @ipa01.example.com +dnssec example.com SOA
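The three checks above turned into a script a monitoring probe or cron job can run, as an added example that is not FreeIPA code: it fails on timeouts, SERVFAIL and empty answers, and confirms that the +dnssec query actually returns RRSIG records. It assumes dig from bind-utils; the server and domain names are constructed defaults that can be overridden through the environment.

```sh
#!/bin/sh
# Added example (not FreeIPA code): scripted health check built on the dig
# commands above, suitable for a cron job or monitoring probe. Assumes dig
# from bind-utils; server and domain are constructed defaults, override via env.
server=${IPA_DNS_SERVER:-ipa01.example.com}
domain=${IPA_DOMAIN:-example.com}

# Print the ANSWER count from dig's header line on stdin, e.g.
#   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
answer_count() {
    sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# True if the answer carries RRSIG records, i.e. the zone is signed and the
# server returned the signatures a +dnssec query asks for.
has_rrsig() {
    grep -q 'IN[[:space:]]\{1,\}RRSIG[[:space:]]'
}

# True if the AD flag is set: the answering server validated the data itself.
has_ad_flag() {
    grep -q '^;; flags:.* ad[ ;]'
}

# check NAME TYPE [dig options]: fail on timeout, SERVFAIL or an empty answer.
check() {
    name=$1; type=$2; shift 2
    out=$(dig @"$server" +time=3 +tries=1 "$@" "$name" "$type") || {
        echo "FAIL $type $name: no response from $server"; return 1; }
    n=$(printf '%s\n' "$out" | answer_count)
    [ "${n:-0}" -gt 0 ] || { echo "FAIL $type $name: empty answer"; return 1; }
    echo "ok   $type $name ($n records)"
}

main() {
    rc=0
    check "$domain" SOA || rc=1
    check "_ldap._tcp.$domain" SRV || rc=1
    check "_kerberos._tcp.$domain" SRV || rc=1
    signed=$(dig @"$server" +dnssec "$domain" SOA)
    if printf '%s\n' "$signed" | has_rrsig; then
        echo "ok   DNSSEC: RRSIG present for $domain"
    else
        echo "WARN DNSSEC: no RRSIG for $domain (zone unsigned?)"; rc=1
    fi
    printf '%s\n' "$signed" | has_ad_flag && echo "ok   DNSSEC: ad flag set"
    exit $rc
}
if [ "${1:-}" = run ]; then main; fi   # usage: dns-check.sh run
```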
Use Cases
Service Discovery
Enable automatic service location:
- Kerberos KDC discovery
- LDAP server discovery
- Mail server (MX) records
- SIP/VoIP infrastructure
- Kubernetes/container service discovery
Multi-Datacenter Deployments
Optimize traffic routing:
- Geographic load balancing
- Disaster recovery DNS failover
- Split-brain prevention
- Cross-site replication support
Cloud Hybrid Environments
Bridge on-premises and cloud:
- Forward zones for cloud services
- Reverse lookups for cloud IPs
- Hybrid Active Directory integration
- Cloud-based disaster recovery
Best Practices
- Redundancy: Deploy at least two DNS servers
- TTL Values: Balance between performance and flexibility
- DNSSEC: Enable for security-critical zones
- Monitoring: Track query rates and error rates
- Backups: Regular zone file backups
- Documentation: Document zone delegation and special records
- Testing: Test DNS changes in non-production first
- Security: Restrict zone transfers and dynamic updates
Performance Tuning
Caching
Optimize cache settings:
# BIND cache configuration
max-cache-size 512M;
max-cache-ttl 86400;
Query Rate Limiting
Limit how far the server can be abused as a reflector in DNS amplification attacks:
# Rate limiting configuration
rate-limit {
responses-per-second 5;
window 5;
};
Getting Started
Set up DNS during FreeIPA installation:
# Install with integrated DNS
ipa-server-install --setup-dns \
--forwarder=8.8.8.8 \
--forwarder=8.8.4.4 \
--no-reverse
# Add DNS to existing installation
ipa-dns-install \
--forwarder=8.8.8.8 \
--forwarder=8.8.4.4
Basic DNS operations:
# Create host with DNS records
ipa host-add server01.example.com --ip-address=192.168.1.101
# Add custom DNS record
ipa dnsrecord-add example.com vpn --a-rec=192.168.1.200
# View all records in zone
ipa dnsrecord-find example.com