33.6. Managing DNS Forwarding

DNS forwarding affects how DNS queries are answered. By default, the BIND service integrated with IdM is configured to act as both an authoritative and recursive DNS server.
When a DNS client queries a name belonging to a DNS zone for which the IdM server is authoritative, BIND replies with data contained in the configured zone. Authoritative data always takes precedence over any other data.
When a DNS client queries a name for which the IdM server is not authoritative, BIND attempts to resolve the query using other DNS servers. If no forwarders are defined, BIND asks the root servers on the Internet and uses recursive resolution algorithm to answer the DNS query.
In some cases, it is not desirable to let BIND contact other DNS servers directly and perform the recursion based on data available on the Internet. These cases include:
  • Split DNS configuration, also known as DNS views configuration, where DNS servers return different answers to different clients. Split DNS configuration is typical for environments where some DNS names are available inside the company network, but not from the outside.
  • Configurations where a firewall restricts access to DNS on the Internet.
  • Configurations with centralized filtering or logging on the DNS level.
  • Configurations with forwarding to a local DNS cache, which helps optimize network traffic.
In such configurations, BIND does not use full recursion on the public Internet. Instead, it uses another DNS server, a so-called forwarder, to resolve the query. When BIND is configured to use a forwarder, queries and answers are forwarded back and forth between the IdM server and the forwarder, and the IdM server acts as the DNS cache for non-authoritative data.

Forward Policies

IdM supports the first and only standard BIND forward policies, as well as the none IdM-specific forward policy.
Forward first (default)
DNS queries are forwarded to the configured forwarder. If a query fails because of a server error or timeout, BIND falls back to the recursive resolution using servers on the Internet. The forward first policy is the default policy. It is suitable for traffic optimization.
Forward only
DNS queries are forwarded to the configured forwarder. If a query fails because of a server error or timeout, BIND returns an error to the client. The forward only policy is recommended for environments with split DNS configuration.
None: Forwarding disabled
DNS queries are not forwarded. Disabling forwarding is only useful as a zone-specific override for global forwarding configuration. This options is the IdM equivalent of specifying an empty list of forwarders in BIND configuration.

Forwarding Does Not Combine Data from IdM and Other DNS Servers

Forwarding cannot be used to combine data in IdM with data from other DNS servers. You can only forward queries for specific subzones of the master zone in IdM DNS: see the section called “Zone Delegation in IdM DNS Master Zone”.
By default, the BIND service does not forward queries to another server if the queried DNS name belongs to a zone for which the IdM server is authoritative. In such a situation, if the queried DNS name cannot be found in the IdM database, the NXDOMAIN answer is returned. Forwarding is not used.

Example 33.9. Example Scenario

The IdM server is authoritative for the test.example. DNS zone. BIND is configured to forward queries to the DNS server with the 192.0.2.254 IP address.
When a client sends a query for the nonexistent.test.example. DNS name, BIND detects that the IdM server is authoritative for the test.example. zone and does not forward the query to the 192.0.2.254. server. As a result, the DNS client receives the NXDomain answer, informing the user that the queried domain does not exist.
Zone Delegation in IdM DNS Master Zone
It is possible to forward queries for specific subzones of a master zone in IdM DNS. For example, if the IdM DNS handles the zone idm.example.com, you can delegate the authority for the sub_zone1.idm.example.com subzone to a different DNS server. To achieve this behavior, you need to use forwarding, as described above, along with a nameserver record which delegates the subzone to a different DNS server. In the following example, sub_zone1 is the subzone, and 192.0.2.1 is the IP address of the DNS server the subzone is delegated to:
$ ipa dnsrecord-add idm.example.com. sub_zone1 --ns-rec=192.0.2.1
Adding the forward zone then looks like this:
$ ipa dnsforwardzone-add  sub_zone1.idm.example.com. --forwarder 192.0.2.1

33.6.1. Configuring Global Forwarders

Global forwarders are DNS servers used for resolving all DNS queries for which an IdM server is not authoritative, as described in Section 33.6, “Managing DNS Forwarding”.
The administrator can configure IP addresses and forward policies for global forwarding in the following two ways:
Using the ipa dnsconfig-mod command or the IdM web UI
Configuration set using these native IdM tools is immediately applied to all IdM DNS servers. As explained in Section 33.3, “DNS Configuration Priorities”, global DNS configuration has higher priority than local configuration defined in the /etc/named.conf files.
By editing the /etc/named.conf file
Manually editing the /etc/named.conf on every IdM DNS server allows using a different global forwarder and policy on each of the servers. Note that the BIND service must be restarted after changing /etc/named.conf.

Configuring Forwarders in the Web UI

To define the DNS global configuration in the IdM web UI:
  1. Click the Network Services tab, and select the DNS subtab, followed by the DNS Global Configuration section.
  2. To add a new global forwarder, click Add and enter the IP address. To define a new forward policy, select it from the list of available policies.
    Editing Global DNS Configuration in the Web UI

    Figure 33.28. Editing Global DNS Configuration in the Web UI

  3. Click Save to confirm the new configuration.

Configuring Forwarders from the Command Line

To set a global list of forwarders from the command line, use the ipa dnsconfig-mod command. It edits the DNS global configuration by editing the LDAP data. The ipa dnsconfig-mod command and its options affect all IdM DNS servers at once and override any local configuration.
For example, to edit the list of global forwarders using ipa dnsconfig-mod:
[user@server ~]$ ipa dnsconfig-mod --forwarder=192.0.2.254
  Global forwarders: 192.0.2.254

33.6.2. Configuring Forward Zones

Forward zones do not contain any authoritative data and instruct the name server to only forward queries for names belonging into a particular zone to a configured forwarder.

Important

Do not use forward zones unless absolutely required. Limit their use to overriding global forwarding configuration. In most cases, it is sufficient to only configure global forwarding, described in Section 33.6.1, “Configuring Global Forwarders”, and forward zones are not necessary.
Forward zones are a non-standard solution, and using them can lead to unexpected and problematic behavior. When creating a new DNS zone, Red Hat recommends to always use standard DNS delegation using NS records and to avoid forward zones.
For information on the supported forward policies, see the section called “Forward Policies”.
For further information about the BIND service, see the Red Hat Enterprise Linux Networking Guide, the BIND 9 Administrator Reference Manual included in the /usr/share/doc/bind-version_number/ directory, or external sources [5] .

Configuring Forward Zones in the Web UI

To manage forward zones in the web UI, click the Network Services tab, and select the DNS subtab, followed by the DNS Forward Zones section.
Managing DNS Forward Zones

Figure 33.29. Managing DNS Forward Zones

In the DNS Forward Zones section, the administrator can handle all required operations regarding forward zones: show current list of forward zones, add a new forward zone, delete a forward zone, display a forward zone, allow to modify forwarders and forward policy per a forward zone, and disable or enable a forward zone.

Configuring Forward Zones from the Command Line

To manage forward zones from the command line, use the ipa dnsforwardzone-* commands described below.

Note

The ipa dnsforwardzone-* commands behave consistently with the ipa dnszone-* commands used to manage master zones.
The ipa dnsforwardzone-* commands accept several options; notably, the --forwarder, --forward-policy, and --name-from-ip options. For detailed information about the available options, see Table 33.1, “Zone Attributes” or run the commands with the --help option added, for example:
ipa dnsforwardzone-add --help
Adding Forward Zones
Use the dnsforwardzone-add command to add a new forward zone. It is required to specify at least one forwarder if the forward policy is not set to none.
[user@server ~]$ ipa dnsforwardzone-add zone.test. --forwarder=172.16.0.1 --forwarder=172.16.0.2 --forward-policy=first

Zone name: zone.test.
Zone forwarders: 172.16.0.1, 172.16.0.2
Forward policy: first
Modifying Forward Zones
Use the dnsforwardzone-mod command to modify a forward zone. It is required to specify at least one forwarder if the forward policy is not none. Modifications can be performed in several ways.
[user@server ~]$ ipa dnsforwardzone-mod zone.test. --forwarder=172.16.0.3

Zone name: zone.test.
Zone forwarders: 172.16.0.3
Forward policy: first
[user@server ~]$ ipa dnsforwardzone-mod zone.test. --forward-policy=only

Zone name: zone.test.
Zone forwarders: 172.16.0.3
Forward policy: only
Showing Forward Zones
Use the dnsforwardzone-show command to display information about a specified forward zone.
[user@server ~]$ ipa dnsforwardzone-show zone.test.

Zone name: zone.test.
Zone forwarders: 172.16.0.5
Forward policy: first
Finding Forward Zones
Use the dnsforwardzone-find command to locate a specified forward zone.
[user@server ~]$ ipa dnsforwardzone-find zone.test.

Zone name: zone.test.
Zone forwarders: 172.16.0.3
Forward policy: first
----------------------------
Number of entries returned 1
----------------------------
Deleting Forward Zones
Use the dnsforwardzone-del command to delete specified forward zones.
[user@server ~]$ ipa dnsforwardzone-del zone.test.

----------------------------
Deleted forward DNS zone "zone.test."
----------------------------
Enabling and Disabling Forward Zones
Use dnsforwardzone-enable and dnsforwardzone-disable commands to enable and disable forward zones. Note that forward zones are enabled by default.
[user@server ~]$ ipa dnsforwardzone-enable zone.test.

----------------------------
Enabled forward DNS zone "zone.test."
----------------------------
[user@server ~]$ ipa dnsforwardzone-disable zone.test.

----------------------------
Disabled forward DNS zone "zone.test."
----------------------------
Adding and Removing Permissions
Use dnsforwardzone-add-permission and dnsforwardzone-remove-permission commands to add or remove system permissions.
[user@server ~]$ ipa dnsforwardzone-add-permission zone.test.

---------------------------------------------------------
Added system permission "Manage DNS zone zone.test."
---------------------------------------------------------
  Manage DNS zone zone.test.
[user@server ~]$ ipa dnsforwardzone-remove-permission zone.test.

---------------------------------------------------------
Removed system permission "Manage DNS zone zone.test."
---------------------------------------------------------
  Manage DNS zone zone.test.


[5] For more information, see the BIND 9 Configuration Reference.