FreeIPA not resolving itself

I plan on using FreeIPA as my authoritative DNS server for my network. All other records resolve just fine, however, FreeIPA is not resolving itself.

Running dig ipa-hermes.lan.example.com yields no A records:

bash-5.1# dig ipa-hermes.lan.example.com @10.0.1.14

; <<>> DiG 9.16.19 <<>> ipa-hermes.lan.example.com @10.0.1.14
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41126
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 807dd469a5469a178451c9da61831d41ae78b56eaed7d5e2 (good)
;; QUESTION SECTION:
;ipa-hermes.lan.example.com. IN A

;; AUTHORITY SECTION:
example.com.  3600    IN      SOA     ipa-hermes.lan.example.com. hostmaster.example.com. 1635981510 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 10.0.1.14#53(10.0.1.14)
;; WHEN: Wed Nov 03 23:37:37 UTC 2021
;; MSG SIZE  rcvd: 140

From the IPA server shell, pinging ipa-hermes.lan.example.com returns the correct address, but that's because it's using 127.0.0.53 as the DNS when I don't specify a server.

Furthermore, I have an Unbound (currently unused, as DHCP sets the DNS to the FreeIPA server) on OPNsense. Running dig against this server returns the correct A record.

bash-5.1# dig ipa-hermes.lan.example.com @10.0.0.1

; <<>> DiG 9.16.19 <<>> ipa-hermes.lan.example.com @10.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12014
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ipa-hermes.lan.example.com. IN A

;; ANSWER SECTION:
ipa-hermes.lan.example.com. 3600 IN A 10.0.1.14

;; Query time: 0 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Wed Nov 03 23:43:00 UTC 2021
;; MSG SIZE  rcvd: 81

Looking at the records on the IPA server, it IS there.

❯ ipa dnsrecord-find
Zone name: lan.example.com
  Record name: @
  A record: 10.0.0.1
  NS record: ipa-hermes.lan.example.com.

  ...other records

  Record name: ipa-ca
  A record: 10.0.1.14

  Record name: ipa-hermes
  A record: 10.0.1.14

  Record name: test
  A record: 10.0.2.2
-----------------------------
Number of entries returned 19
-----------------------------

Is there anything else I'm missing as to why this would not be working?


127.0.0.53 needs to point at the IPA server itself; I am not too familiar with Ubuntu OSes, but I believe this is set in /etc/netplan/*. Per the installation docs, your primary DNS server should be 127.0.0.1 and the secondary should be your second IPA server. After that's set, run sudo netplan apply.

You should have two IPA servers at a minimum so that they can reference each other and provide failover capabilities.

Take a look at Red Hat's guide on configuring DNS for IPA and see if that gives you a hand.
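As an added illustration (not code from the question or the answer above), the following Python reads the two dig replies quoted in the question and tells an authoritative NXDOMAIN (the server answered from its own zone data and has no such record) apart from a forwarded one, and checks which resolver an /etc/resolv.conf actually uses. The SOA owner in the AUTHORITY section names the zone the server answered from, which is worth comparing with the zone name that ipa dnsrecord-find lists; the resolv.conf content is constructed, and the "127.0.0.1 first" expectation follows the answer's reading of the install docs.

```python
import re

# The two replies quoted in the question, trimmed to the lines the parser reads.
NXDOMAIN_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41126
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.com.  3600    IN      SOA     ipa-hermes.lan.example.com. hostmaster.example.com. 1635981510 3600 900 1209600 3600
;; SERVER: 10.0.1.14#53(10.0.1.14)
"""
OK_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12014
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
ipa-hermes.lan.example.com. 3600 IN A 10.0.1.14
;; SERVER: 10.0.0.1#53(10.0.0.1)
"""
# Constructed /etc/resolv.conf as systemd-resolved writes it (stub listener, not the IPA server).
STUB_RESOLV_CONF = "nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch lan.example.com\n"

def parse_dig(text):
    info = {"status": re.search(r"status: (\w+)", text).group(1),
            "flags": set(re.search(r";; flags: ([a-z ]*);", text).group(1).split()),
            "server": re.search(r"SERVER: ([^#]+)#", text).group(1), "answers": [], "soa_zone": None}
    section = None
    for line in text.splitlines():
        if line.startswith(";"):  # ';;' headers open/close sections, ';' lines are comments
            section = line[3:].split(" SECTION")[0] if line.startswith(";; ") and " SECTION" in line else None
            continue
        parts = line.split()
        if section == "ANSWER" and len(parts) >= 5:
            info["answers"].append((parts[3], parts[4]))  # (rrtype, rdata)
        elif section == "AUTHORITY" and len(parts) >= 4 and parts[3] == "SOA":
            info["soa_zone"] = parts[0]  # zone the answering server claims authority for
    return info

def classify(info):
    # 'aa' + NXDOMAIN: the server owns the SOA zone and has no record for the name there,
    # so inspect that zone/delegation; a non-'aa' NXDOMAIN was relayed from an upstream.
    if info["answers"]:
        return "AUTH_ANSWER" if "aa" in info["flags"] else "CACHED_ANSWER"
    if info["status"] == "NXDOMAIN":
        return "AUTH_NXDOMAIN" if "aa" in info["flags"] else "FORWARDED_NXDOMAIN"
    return "OTHER"

def first_nameserver(resolv_conf):
    # The first 'nameserver' line is the resolver glibc actually sends queries to.
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return None
```

Run it against `dig +noall +comments +answer +authority +stats` output from each resolver the host might use; a first nameserver other than 127.0.0.1 on the IPA host is the condition the answer describes.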
