[Infrastructure]: Fix internal/external use of DNS

No Milestone

No project

No Assignees

1 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: infrastructure/meta#58

label commented

2024-03-22 21:31:41 +00:00

Owner

Checklist

Each IPA server should be configured based on their location

Per-zone conditional forwarding (as forward or delegated) for specific domains
Per-server conditional forwarding (ORD to forward to 1.1.1.1, 1.0.0.1, 169.254.169.253 and recurse)
Per-server conditional forwarding (IAD will only recurse approved domains)
Separate bind/equivalent service that acts as an NS for each internal domain[1]
Utilize internal repositories that already have A records
Utilize mirror manager to handle private mirrors (ORD) - This sort of works now. http002 is the only one that appears, which is probably fine.
Utilize mirror manager to handle private mirrors (IAD) (neil)
Systems should have one of or all IPA nodes in their DC listed as nameservers first before opnsense or pfsense

Checklist (immediate needs)

dl.rl.o and mirrors.rl.o internal names situated -> They should point to internal addresses
Open 80/443 on the SG's for mirrors.rl.o to facilitate the above
Open 80/443 on the SG's for dl.rl.o (if necessary; repopool servers already have this open)
Change ORD systems to use IPA servers as primaries before opnsense/pfsense

Checklist (public)

Verify existing DNS entries
Policy to track DNS entries from requests (e.g. regular checks)

Footnotes

[1] pfsense and opnsense don't support this directly. with that said, ensuring some other standalone DNS internally is a slave of all internal domains would ensure that records are still resolvable if services point to both IPA and this internal service, assuming IPA's DNS disappears for some reason.

## Checklist Each IPA server should be configured based on their location * [ ] Per-zone conditional forwarding (as forward or delegated) for specific domains * [ ] Per-server conditional forwarding (ORD to forward to 1.1.1.1, 1.0.0.1, 169.254.169.253 and recurse) * [ ] Per-server conditional forwarding (IAD will only recurse approved domains) * [ ] Separate bind/equivalent service that acts as an NS for each internal domain[1] * [ ] Utilize internal repositories that already have A records * [X] Utilize mirror manager to handle private mirrors (ORD) - This sort of works now. http002 is the only one that appears, which is probably fine. * [ ] Utilize mirror manager to handle private mirrors (IAD) (neil) * [ ] Systems should have one of or all IPA nodes in their DC listed as nameservers first before opnsense or pfsense ## Checklist (immediate needs) * [ ] dl.rl.o and mirrors.rl.o internal names situated -> They should point to internal addresses * [ ] Open 80/443 on the SG's for mirrors.rl.o to facilitate the above * [ ] Open 80/443 on the SG's for dl.rl.o (if necessary; repopool servers already have this open) * [ ] Change ORD systems to use IPA servers as primaries before opnsense/pfsense ## Checklist (public) * [ ] Verify existing DNS entries * [ ] Policy to track DNS entries from requests (e.g. regular checks) ## Footnotes [1] pfsense and opnsense don't support this directly. with that said, ensuring some other standalone DNS internally is a slave of all internal domains would ensure that records are still resolvable if services point to both IPA and this internal service, assuming IPA's DNS disappears for some reason.

label added the

task

label 2024-03-22 21:31:41 +00:00

gain

high

component/idm

labels 2024-03-22 22:45:01 +00:00

priority

label 2024-03-22 23:31:51 +00:00

label added this to the RESF Infrastructure Identity Management project 2024-03-24 01:23:47 +00:00