
domain name service

To set up exactly what I need: resolve some addresses internally and relay all the rest:

visit

Here is some handy information from the freeIPA docs.

Just read it:

Caveats applicable to DNS apply as usual. It is extremely hard to change DNS domain in existing installations, so it is better to think ahead.

Most importantly, do not shadow or hijack other DNS names! You should only use names which are delegated to you by the parent domain. For example, if your company Example, Inc. bought domain example.com. you can use any domain in this sub-tree, e.g. whatever.example.com.. Not respecting this rule will cause problems sooner or later! (This caveat includes inventing your own top-level domain like int.) Generally you will have problems with DNSSEC validation. This situation will be detected as domain hijacking. Even without DNSSEC, you will have problems if the same name is used by multiple parties at the same time, especially when new top-level domains are delegated or during company mergers.

Internal-only domains

It is perfectly fine to configure certain DNS zones to respond only to clients in certain subnets or to apply other kinds of access control. For internal names you can use an arbitrary sub-domain in a DNS sub-tree you own, e.g. int.example.com.. Always respect the rules from the previous section.

DNS views / split-horizon DNS

General advice about DNS views is: do not use them, because views make DNS deployment harder to maintain and the security benefits are questionable (when compared with ACL). Problems:

- Using one name for multiple different machines (e.g. public vs. internal) is confusing.
- DNS caching on clients causes problems for machines roaming between different DNS views.
- DNSSEC deployment is harder to maintain when views are involved.

Technically it is much cleaner to put all internal names in a sub-domain like int.example.com. (while example.com. is the public-facing domain) and restrict access to this sub-domain using ACL as described in the previous section.
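To show the setup this note asks for (resolve some names internally, relay all the rest) done the way the freeIPA text recommends, with an internal sub-domain and an ACL instead of views, here is an added BIND 9 named.conf example; it is not from the page or the freeIPA docs, and the subnets, addresses, file path and the zone name int.example.com are assumed placeholders.

```conf
// Added example (not from the page or the freeIPA docs): a minimal BIND 9
// (9.16+) named.conf that serves the internal-only zone int.example.com.
// and forwards everything else to an upstream resolver.
// All subnets, addresses and file names below are assumed placeholders.

acl "internal" {
    127.0.0.0/8;
    10.0.0.0/8;            // assumed: internal client subnet
};

options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.53; };    // assumed: this resolver's internal address

    // Only internal clients may query or recurse through this server.
    // The public example.com. zone stays on its own authoritative servers;
    // this resolver never answers for it, so nothing public is shadowed.
    allow-query     { internal; };
    allow-recursion { internal; };
    allow-transfer  { none; };

    // Relay every name not answered locally to the upstream resolver.
    forwarders { 192.0.2.53; };  // assumed upstream (documentation range)
    forward only;

    // Keep validating forwarded answers; the local zone is answered
    // authoritatively and is not affected by upstream validation.
    dnssec-validation auto;
};

// Internal names live in a sub-tree we own (int.example.com.), as the
// freeIPA advice recommends, rather than in a view or an invented TLD.
// The per-zone ACL is redundant with the global one but makes the
// restriction explicit next to the zone it protects.
zone "int.example.com" IN {
    type primary;          // "master" on BIND releases before 9.16
    file "/etc/bind/db.int.example.com";
    allow-query { internal; };
};
```

The zone file at the assumed path must exist and contain the internal records; `named-checkconf -z` checks the configuration and loads each zone before you restart the server.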