Managing the Integrated DNS Service

Objectives

  • Manage the integrated DNS service configuration, zones, and locations.

Integrated DNS Server Configuration

You can install an IdM server with an integrated DNS service. Such a deployment offers a significant level of flexibility and control over DNS settings. For example, IdM clients can update their own DNS SRV records or resource records dynamically. A DNS SRV record identifies a service running on a port within a server.

You can manage DNS entries using native IdM tools. Most configuration options applicable to BIND version 9.9 are also applicable to IdM DNS.

IdM integrates BIND 9.9 DNS name server software with an LDAP directory (which it uses to store records and replicate data) and Kerberos (for DNS update signing). This type of integration enables convenient DNS management using IdM tools, and at the same time increases the availability and security of the environment.

Note

If you ran the ipa-server-install command without configuring DNS, you can add the integrated DNS service later by running the ipa-dns-install command.

If the IdM DNS server is accessible from the internet, Red Hat recommends hardening the BIND service as described in the Red Hat Enterprise Linux Networking Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/networking_guide/.

Note

The default IdM DNS configuration is suitable for internal networks.

The integrated BIND server uses the bind-dyndb-ldap plug-in to communicate with the integrated LDAP directory provided by Red Hat Directory Server. In the /etc/named.conf BIND configuration file, IdM creates a dynamic-db section, which configures the plug-in for the BIND service:

[user@host ~]$ sudo cat /etc/named.conf
...output omitted...
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-LAB-EXAMPLE-COM.socket";
    base "cn=dns,dc=lab,dc=example,dc=com";
    server_id "idm.lab.example.com";
    auth_method "sasl";
    sasl_mech "EXTERNAL";
};
...output omitted...

IdM stores all DNS information as LDAP entries. Every record is stored as an LDAP attribute of an LDAP entry. The following is an example of such an LDAP record:

dn: idnsname=demo,idnsname=example.com.,cn=dns,dc=idm,dc=example,dc=com
objectclass: top
objectclass: idnsrecord
idnsname: demo
Arecord: 192.168.1.1
AAAArecord: 2001:DB8::ABCD

Required IdM DNS Records

IdM with integrated DNS updates its own DNS records dynamically after any change. You can also trigger those updates with the ipa dns-update-system-records command. With the --dry-run option, the command prints the required records without changing anything, which is useful for reviewing the current configuration or for exporting the records to an external DNS server.

The following output shows a real example of required DNS records for an IdM server without any additional replicas:

[user@host ~]$ ipa dns-update-system-records --dry-run
...output omitted...
_kerberos-master._tcp.example.com. 3600 IN SRV 0 100 88 server.example.com.
_kerberos-master._tcp.example.com. 3600 IN SRV 0 100 88 replica1.example.com.
_kerberos-master._tcp.example.com. 3600 IN SRV 0 100 88 replica2.example.com.
_kerberos-master._udp.example.com. 3600 IN SRV 0 100 88 server.example.com.
_kerberos-master._udp.example.com. 3600 IN SRV 0 100 88 replica1.example.com.
_kerberos-master._udp.example.com. 3600 IN SRV 0 100 88 replica2.example.com.
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 server.example.com.
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 replica1.example.com.
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 replica2.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 server.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 replica1.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 replica2.example.com.
_kerberos.example.com. 3600 IN TXT "EXAMPLE.COM"
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:server.example.com."
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:replica1.example.com."
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:replica2.example.com."
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:udp:server.example.com."
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:udp:replica1.example.com."
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:udp:replica2.example.com."
_kpasswd._tcp.example.com. 3600 IN SRV 0 100 464 server.example.com.
_kpasswd._tcp.example.com. 3600 IN SRV 0 100 464 replica1.example.com.
_kpasswd._tcp.example.com. 3600 IN SRV 0 100 464 replica2.example.com.
_kpasswd._udp.example.com. 3600 IN SRV 0 100 464 server.example.com.
_kpasswd._udp.example.com. 3600 IN SRV 0 100 464 replica1.example.com.
_kpasswd._udp.example.com. 3600 IN SRV 0 100 464 replica2.example.com.
_kpasswd.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:server.example.com."
_kpasswd.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:replica1.example.com."
_kpasswd.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:replica2.example.com."
_kpasswd.example.com. 3600 IN URI 0 100 "krb5srv:m:udp:server.example.com."
_kpasswd.example.com. 3600 IN URI 0 100 "krb5srv:m:udp:replica1.example.com."
_kpasswd.example.com. 3600 IN URI 0 100 "krb5srv:m:udp:replica2.example.com."
_ldap._tcp.example.com. 3600 IN SRV 0 100 389 server.example.com.
_ldap._tcp.example.com. 3600 IN SRV 0 100 389 replica1.example.com.
_ldap._tcp.example.com. 3600 IN SRV 0 100 389 replica2.example.com.
ipa-ca.example.com. 3600 IN A 172.25.250.8
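When the --dry-run listing is exported to an external DNS server, the practical question is whether every IdM server still appears in every required service record. The following Python script is an added example, not part of the course text or the IdM project: it parses zone-file style lines in the format shown above, splits SRV owner names into the _service._protocol.zone parts described later in this section, and reports any (service, server) pair that lacks an SRV record on the expected port. The sample output, the server list and the table of required services are constructed from the listing above and are assumptions of this example.

```python
"""Check 'ipa dns-update-system-records --dry-run' output for completeness.

Added example (not course or IdM project code). Parses the zone-file style
lines the command prints and verifies that every IdM server has an SRV record
for each required service. The sample output below is constructed to mirror the
page's listing, with replica2 deliberately missing from _ldap._tcp.
"""
import re
from collections import defaultdict

# Constructed sample output (subset of the listing on the page).
SAMPLE_OUTPUT = """\
_kerberos-master._tcp.example.com. 3600 IN SRV 0 100 88 server.example.com.
_kerberos-master._tcp.example.com. 3600 IN SRV 0 100 88 replica1.example.com.
_kerberos-master._tcp.example.com. 3600 IN SRV 0 100 88 replica2.example.com.
_kerberos-master._udp.example.com. 3600 IN SRV 0 100 88 server.example.com.
_kerberos-master._udp.example.com. 3600 IN SRV 0 100 88 replica1.example.com.
_kerberos-master._udp.example.com. 3600 IN SRV 0 100 88 replica2.example.com.
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 server.example.com.
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 replica1.example.com.
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 replica2.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 server.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 replica1.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 replica2.example.com.
_kerberos.example.com. 3600 IN TXT "EXAMPLE.COM"
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:server.example.com."
_kpasswd._tcp.example.com. 3600 IN SRV 0 100 464 server.example.com.
_kpasswd._tcp.example.com. 3600 IN SRV 0 100 464 replica1.example.com.
_kpasswd._tcp.example.com. 3600 IN SRV 0 100 464 replica2.example.com.
_kpasswd._udp.example.com. 3600 IN SRV 0 100 464 server.example.com.
_kpasswd._udp.example.com. 3600 IN SRV 0 100 464 replica1.example.com.
_kpasswd._udp.example.com. 3600 IN SRV 0 100 464 replica2.example.com.
_ldap._tcp.example.com. 3600 IN SRV 0 100 389 server.example.com.
_ldap._tcp.example.com. 3600 IN SRV 0 100 389 replica1.example.com.
ipa-ca.example.com. 3600 IN A 172.25.250.8
"""

# Assumed set of IdM servers whose records must all be present.
SERVERS = ("server.example.com.", "replica1.example.com.", "replica2.example.com.")

# Required services and ports, taken from the dry-run listing on the page.
REQUIRED_SERVICES = {
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}

SRV_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+"
                    r"(?P<port>\d+)\s+(?P<target>\S+)$")
TXT_RE = re.compile(r'^(?P<owner>\S+)\s+\d+\s+IN\s+TXT\s+"(?P<text>[^"]*)"$')


def split_srv_owner(owner):
    """Split an SRV owner name '_service._protocol.zone' into its three parts."""
    service, protocol, zone = owner.split(".", 2)
    if not (service.startswith("_") and protocol.startswith("_")):
        raise ValueError(f"not an SRV owner name: {owner}")
    return service[1:], protocol[1:], zone


def parse_srv_records(text):
    """Return {owner: {target: port}} for every SRV line; other types are skipped."""
    srv = defaultdict(dict)
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            srv[m["owner"]][m["target"]] = int(m["port"])
    return dict(srv)


def realm_from_txt(text):
    """Return the Kerberos realm advertised in the _kerberos TXT record, if any."""
    for line in text.splitlines():
        m = TXT_RE.match(line.strip())
        if m and m["owner"].startswith("_kerberos."):
            return m["text"]
    return None


def find_missing(text, domain, servers=SERVERS):
    """Return sorted (service, server) pairs lacking an SRV record on the right port."""
    srv = parse_srv_records(text)
    missing = []
    for service, port in REQUIRED_SERVICES.items():
        targets = srv.get(f"{service}.{domain}.", {})
        missing.extend((service, s) for s in servers if targets.get(s) != port)
    return sorted(missing)


if __name__ == "__main__":
    print("realm:", realm_from_txt(SAMPLE_OUTPUT))
    for service, server in find_missing(SAMPLE_OUTPUT, "example.com"):
        print(f"missing: {service} -> {server}")
```

Run it against real output by replacing SAMPLE_OUTPUT with the saved text of ipa dns-update-system-records --dry-run and SERVERS with your own server list; an empty result from find_missing means the external export covers every IdM server for every service.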

DNS Zone Types

IdM supports two DNS zone types: primary zones and forward zones. A primary DNS zone contains authoritative DNS data and accepts dynamic DNS updates. You can manage primary zones with the ipa dnszone-* commands.

IdM generates all required Start of Authority (SOA) and Name Server (NS) records for every primary zone automatically when they are created. To create a delegation, you must manually copy the NS records to the parent zone.

A forward zone contains no authoritative data; all queries for names in such a zone are forwarded to a specified forwarder. You can manage forward zones using the ipa dnsforwardzone-* commands.

Managing DNS Zones

You can manage DNS using the web UI or the CLI.

Adding a Primary DNS Zone Using the Web UI

To add a new primary DNS zone using the web UI, log in to the web UI, navigate to the Network Services tab, and then choose DNS → DNS Zones.

Figure 5.1: Managing DNS zones

To add a new primary zone, click Add, and in the Add DNS Zone dialog box, enter the zone name and click Add.

Figure 5.2: Adding a primary DNS zone

Adding a Primary DNS Zone Using the Command Line

To add a new primary DNS zone using the command-line interface, use the ipa dnszone-add command. When adding a new zone, you must specify the zone name. You can pass the domain or subdomain name directly with the following command:

[user@host ~]$ ipa dnszone-add new.domain.com

If you omit the zone name, the command prompts for it.

Removing the Primary DNS Zone

To remove an existing primary DNS zone using the web UI, navigate to the Network Services tab and choose DNS → DNS Zones. From the list of zones, select the checkbox next to the name of the zone you want to remove and click Delete.

Figure 5.3: Choosing a primary DNS zone

In the Remove DNS Zones dialog box, click Delete.

Figure 5.4: Removing a primary DNS zone

To remove a primary DNS zone using the command line, use the ipa dnszone-del command:

[user@host ~]$ ipa dnszone-del zone.example.com

Additional Configuration for Primary DNS Zones

When deployed, IdM creates a DNS zone with a default configuration that defines attributes such as the refresh periods, transfer settings, and cache settings.

Editing the Zone Configuration Using the Web UI

To edit the zone configuration from the web UI, navigate to the Network Services tab, choose DNS → DNS Zones, and then click the zone name in the list of zones.

Figure 5.5: Editing primary DNS zones

Make your changes and then click Save.

Editing the Zone Configuration Using the Command Line

You can modify an existing primary DNS zone from the command line with the ipa dnszone-mod command. If an attribute does not exist, the ipa dnszone-mod command adds the attribute. Otherwise, the command overwrites the current value with the new value.

The following example demonstrates how to enable dynamic updates for a zone:

[user@host ~]$ ipa dnszone-mod demo.domain.com --dynamic-update=TRUE

Adding Records to a DNS Zone

The IdM internal DNS supports many different record types. The following record types are the most often used:

A records

These records map hostnames to IPv4 addresses. The name of an A record is a hostname (for example: www or ftp). The IP Address value of this record is a standard IPv4 address.

PTR records

These records are used in reverse DNS zones to map IP addresses to domain names.

SRV records

These records map service names to the name of the server that provides the service. When you deploy an IdM server with integrated DNS, an SRV record is automatically created to map the LDAP directory service to the server that provides it. The record can include options such as priority, weight, port number, and hostname for the target service. The record name uses the _service._protocol.domain-name format. For example, in _ldap._tcp.lab.example.com, ldap is the service and tcp is the protocol for the lab.example.com domain.

Adding DNS Records Using the Web UI

Different DNS records require different data. Consequently, the web UI is probably the better choice when adding new records to your DNS zones. In the web UI, the fields for adding a new record are updated automatically to reflect what data is required for the selected type of record to add.

Navigate to the Network Services tab, and then choose DNS → DNS Zones. Click the appropriate zone name in the list of zones. On the DNS Resource Records tab, click Add.

In the Add DNS Resource Record dialog box, select the appropriate record type, complete the required fields, and then click Add.

Figure 5.6: Adding a DNS record

Adding DNS Records Using the Command Line

To add a DNS record from the command line, use the ipa dnsrecord-add command. The command uses the following syntax:

[user@host ~]$ ipa dnsrecord-add new.domain.com record_name \
  --record_type_option=data

The following example demonstrates how to create an A type record for the www.demo.example.com host:

[user@host ~]$ ipa dnsrecord-add demo.example.com www --a-rec 192.168.1.11

For more details on how to use the ipa dnsrecord-add command, run the ipa dnsrecord-add --help command.
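Adding many records by hand with ipa dnsrecord-add is error-prone, and a malformed name or address is only reported after the command has run. The following Python script is an added example, not part of the course text or the IdM project: it validates each record name and IP address first, then builds the ipa dnsrecord-add invocation in the syntax shown above as an argv list (never a shell string). The --aaaa-rec option used for IPv6 addresses is the IdM CLI's own option but does not appear on this page; the runner parameter and the sample host batch are assumptions of this example so the commands can be inspected without an IdM server.

```python
"""Build and run validated 'ipa dnsrecord-add' invocations for a batch of hosts.

Added example (not course or IdM project code). Uses the syntax shown on the
page: ipa dnsrecord-add ZONE NAME --a-rec ADDRESS (and --aaaa-rec for IPv6,
an IdM CLI option not shown on the page). The 'runner' callable is an
assumption of this example: by default it executes the command without a
shell, and a test or dry run can pass a callable that only records argv.
"""
import ipaddress
import re
import subprocess

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_add_command(zone, name, address):
    """Return the argv list for one record, or raise ValueError on bad input."""
    if not LABEL_RE.match(name):
        raise ValueError(f"invalid record name: {name!r}")
    if not all(LABEL_RE.match(label) for label in zone.rstrip(".").split(".")):
        raise ValueError(f"invalid zone name: {zone!r}")
    ip = ipaddress.ip_address(address)  # raises ValueError for malformed addresses
    option = "--a-rec" if ip.version == 4 else "--aaaa-rec"
    # Pass arguments as a list so names and addresses are never shell-interpreted.
    return ["ipa", "dnsrecord-add", zone, name, option, ip.compressed]


def add_records(zone, hosts, runner=None):
    """Add each (name, address) pair to zone; return (commands_run, errors).

    Invalid entries are reported and skipped; valid ones are handed to runner.
    """
    if runner is None:
        runner = lambda argv: subprocess.run(argv, check=True)  # noqa: E731
    commands, errors = [], []
    for name, address in hosts:
        try:
            argv = build_add_command(zone, name, address)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        runner(argv)
        commands.append(argv)
    return commands, errors


# Constructed sample batch: valid IPv4, valid IPv6, bad name, bad address.
SAMPLE_HOSTS = [
    ("www", "192.168.1.11"),
    ("ftp", "2001:db8::abcd"),
    ("bad host", "192.168.1.12"),
    ("db", "192.168.1.300"),
]

if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    commands, errors = add_records("demo.example.com", SAMPLE_HOSTS,
                                   runner=lambda argv: print(" ".join(argv)))
    for err in errors:
        print("skipped:", err)
```

Running the script as-is prints the two commands that would be executed and lists the two rejected entries; calling add_records without a runner executes them with subprocess.run, which requires a valid Kerberos ticket for an IdM user with DNS administration rights, as any ipa command does.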

Deleting Records from DNS Zones

You can use either the web UI or the command line to delete records from DNS zones. This section illustrates both approaches.

Deleting Records Using the Web UI

To delete records from DNS zones using the web UI, navigate to the Network Services tab and choose DNS → DNS Zones. Click the appropriate zone name in the list of zones. On the DNS Resource Records tab, select the name of the record to delete, and then click Delete. Click Delete in the confirmation dialog box.

Figure 5.7: Deleting a DNS record

Deleting Records Using the Command Line

To delete records from DNS zones using the command line, use the ipa dnsrecord-del command. The following example shows how to remove an A record:

[user@host ~]$ ipa dnsrecord-del demo.example.com ftp --a-rec 192.168.1.11

When used without any options, the ipa dnsrecord-del command prompts for information about the record to delete.

Managing Dynamic DNS Updates

By default, dynamic updates are disabled in IdM, so when you register a new host, the ipa-client-install command cannot add a DNS record pointing to the new host.

Dynamic DNS updates pose a security risk if poorly implemented; for example, they can allow a rogue host to impersonate a valid one. However, if they are acceptable in your environment, they make client installations easier. To enable dynamic updates in your environment, you must change the following settings:

  • The DNS zone must allow dynamic updates.

  • The local clients must be able to send dynamic updates.

Enabling Dynamic DNS Updates Using the Web UI

In the web UI, navigate to the Network Services tab, and then choose DNS → DNS Zones. Click the appropriate zone name in the list of zones. On the Settings tab, select Dynamic update, and then click Save at the top of the page.

Figure 5.8: Managing DNS zones

Enabling Dynamic DNS Updates Using the Command Line

To enable dynamic DNS updates from the command line, use the ipa dnszone-mod command with the --dynamic-update=TRUE option:

[user@host ~]$ ipa dnszone-mod new.domain.com --dynamic-update=TRUE

When enrolling new clients in the domain, use the --enable-dns-updates option to set up the DNS dynamic updates automatically:

[root@host ~]# ipa-client-install --enable-dns-updates

References

Further information is available in the Working with DNS in Identity Management guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/working_with_dns_in_identity_management/index

Revision: rh362-9.1-4c6fdb8