We are running FreeIPA version 4.6.8 on CentOS 7.9.2009 and have multiple DNS zones defined for local resources running inside our private network. For this to work we enter our IPA server's IP address as the DNS server on our internal network. Everything works as expected, but I'm confused as to how external sites are being resolved. If I execute dig google.com, the response shows the IPA server IP is queried, as shown below.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6083
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 142.250.65.174
;; AUTHORITY SECTION:
google.com. 150064 IN NS ns4.google.com.
google.com. 150064 IN NS ns1.google.com.
google.com. 150064 IN NS ns2.google.com.
google.com. 150064 IN NS ns3.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 150040 IN A 216.239.34.10
ns1.google.com. 150040 IN A 216.239.32.10
ns3.google.com. 150040 IN A 216.239.36.10
ns4.google.com. 150040 IN A 216.239.38.10
ns2.google.com. 150040 IN AAAA 2001:4860:4802:34::a
ns1.google.com. 150040 IN AAAA 2001:4860:4802:32::a
ns3.google.com. 150040 IN AAAA 2001:4860:4802:36::a
ns4.google.com. 150040 IN AAAA 2001:4860:4802:38::a
;; Query time: 10 msec
;; SERVER: 10.xx.xx.xx#53(10.xx.xx.xx) <<<---- Our FreeIPA server IP
;; WHEN: Tue Oct 26 11:38:02 EDT 2021
;; MSG SIZE rcvd: 303
Since I do not have a global forwarder defined or any other forwarders defined, I don't understand which DNS server is queried next if a DNS zone does not exist in our FreeIPA. Are the name servers defined in /etc/resolv.conf looked at?
What I am trying to figure out is how to implement DNS filtering. My goal is to have DNS queries first look into FreeIPA to resolve local resources and then look to the DNS server at 185.228.168.10 (CleanBrowsing Filtered DNS).
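As an added example (not from the post, nor FreeIPA's own code), here is a small shell audit of the global forwarder setting, run over constructed text in the shape of `ipa dnsconfig-show` output, followed by the commands that route every non-IPA zone through the CleanBrowsing resolver. It assumes the `--forwarder` and `--forward-policy` options of `ipa dnsconfig-mod` in FreeIPA 4.x.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeIPA.
FILTER_DNS="185.228.168.10"   # CleanBrowsing Filtered DNS, from the post

# Constructed samples in the shape of `ipa dnsconfig-show` output
# (on a real server pipe in: ipa dnsconfig-show --all).
SAMPLE_NO_FWD='  Allow PTR sync: FALSE'
SAMPLE_FIRST='  Global forwarders: 185.228.168.10
  Forward policy: first
  Allow PTR sync: FALSE'
SAMPLE_ONLY='  Global forwarders: 185.228.168.10
  Forward policy: only
  Allow PTR sync: FALSE'

# audit_forwarding: reads dnsconfig-show text on stdin and prints one word.
#   NONE   no global forwarder: named resolves external names by itself,
#          iterating from the root hints (it never reads /etc/resolv.conf),
#          so no query passes through the filter.
#   BYPASS forwarder set but policy "first": if the forwarder is unreachable,
#          named falls back to its own recursion and skips the filter.
#   OK     forwarder set with policy "only": no fallback path.
audit_forwarding() {
  cfg=$(cat)
  fwd=$(printf '%s\n' "$cfg" | sed -n 's/^ *Global forwarders: *//p')
  pol=$(printf '%s\n' "$cfg" | sed -n 's/^ *Forward policy: *//p')
  if [ -z "$fwd" ]; then
    echo NONE
  elif [ "$pol" = "only" ]; then
    echo OK
  else
    echo BYPASS
  fi
}

# fix_commands: the ipa commands to run on the FreeIPA server so that zones
# FreeIPA hosts are still answered locally and everything else goes only to
# the filter, then a re-read of the setting to confirm it.
fix_commands() {
  printf 'ipa dnsconfig-mod --forwarder=%s --forward-policy=only\n' "$FILTER_DNS"
  printf 'ipa dnsconfig-show\n'
}

for s in "$SAMPLE_NO_FWD" "$SAMPLE_FIRST" "$SAMPLE_ONLY"; do
  printf '%s\n' "$s" | audit_forwarding
done
fix_commands
```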