FreeIPA (IdM) integrated DNS server denies recursive query from client networks


Environment

  • Red Hat Enterprise Linux 8.2 or later
  • Red Hat Identity Management (IdM) / FreeIPA
    • ipa-server-4.8.4 or later
    • ipa-server-dns-4.8.4 or later
    • bind-pkcs11

Issue

  • IPA clients on a client network cannot resolve DNS records outside the IPA domain

    [user@ipaclient] # dig @ipaserver1.ipa.example.com redhat.com 
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2923                <=== status is REFUSED
    <...>
    
  • The corresponding log message is recorded in /var/log/messages:

    ipaserver1 named-pkcs11[22529]: client @0x7f5cc80bfa80 192.168.12.34#36429 (redhat.com): query (cache) 'redhat.com/A/IN' denied
    

Resolution

  1. On each IPA DNS server, add the lines below to /etc/named/ipa-options-ext.conf:

    allow-recursion { trusted_network; };
    allow-query-cache  { trusted_network; };
    
  2. Define the trusted_network ACL, listing the client networks, by adding the section below to /etc/named/ipa-ext.conf on each IPA DNS server:

    acl "trusted_network" {
     localnets;       <=== This line allows hosts in the same network to access
     localhost;       <=== This line allows the DNS server itself to access
     192.168.12.0/24; <=== CIDR IP address
     <add trusted client networks here>;
    };
    
  3. Restart named:

    # systemctl restart named-pkcs11
    

Root Cause

The default behavior for recursive queries on the IdM integrated DNS server has changed since RHEL 8.2.

  • The default DNS server (BIND) access control list for allow-recursion is localnets; localhost;

  • On RHEL 7 and RHEL 8 up to 8.1, the system default is to allow recursive queries from any host: an allow-recursion option permitting any host to perform recursive queries is included in the named.conf template, overriding the DNS server default ACL.

    In /etc/named.conf, the following lines are present:

    // Any host is permitted to issue recursive queries
    allow-recursion { any; };
    
  • On RHEL 8.2 or later, the allow-recursion option is removed from the template, so the DNS server default (localnets; localhost;) applies. Therefore, the server allows recursive queries only from hosts on the same subnet as the server.

  • /etc/named.conf is updated by ipa-server on upgrade and regularly after configuration changes, so DNS servers upgraded to RHEL 8.2 from a previous version also receive the stricter ACL, which denies recursive queries from non-trusted networks.

  • The IdM DNS server is not meant to be used as a general-purpose DNS server. A DNS server that answers recursive queries from arbitrary sources can be abused in DNS amplification attacks. Therefore, only trusted networks should be allowed to perform recursive queries.
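To make the ACL behaviour concrete, the following added Python example (not from this article or from BIND itself) evaluates a client address against a minimal named.conf fragment the way BIND's address match lists work, showing why 192.168.12.34 is REFUSED under the RHEL 8.2 default but accepted with the trusted_network ACL from the Resolution. The server addresses and networks standing in for the built-in localhost and localnets ACLs are constructed values; BIND derives them from the server's real interfaces.

```python
import ipaddress
import re

# Constructed stand-ins for what BIND derives from the server's own interfaces:
# "localhost" matches the server's addresses, "localnets" the networks they sit on.
# Here ipaserver1 is assumed to be 10.0.0.5/24, so the client 192.168.12.34 is off-subnet.
SERVER_ADDRESSES = [ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("127.0.0.1")]
SERVER_NETWORKS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# BIND default that applies on RHEL 8.2+ once the template no longer sets allow-recursion
DEFAULT_CONF = "allow-recursion { localnets; localhost; };"
# The ACL and option from the Resolution section, with the client network 192.168.12.0/24 added
FIXED_CONF = """
acl "trusted_network" { localnets; localhost; 192.168.12.0/24; };
allow-recursion { trusted_network; };
"""

def parse_named_conf(text):
    """Return (acls, allow_recursion) from a minimal named.conf fragment.
    Only acl blocks and the allow-recursion option are read; // and # comments are dropped."""
    text = re.sub(r"//.*|#.*", "", text)
    acls = {}
    for name, body in re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text):
        acls[name] = [e.strip() for e in body.split(";") if e.strip()]
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
    # Option absent -> BIND's own default of { localnets; localhost; }
    allow = [e.strip() for e in m.group(1).split(";") if e.strip()] if m else ["localnets", "localhost"]
    return acls, allow

def matches(element, client, acls):
    """Does one address-match-list element match the client? (subset: no '!' negation, no TSIG keys)"""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return client in SERVER_ADDRESSES
    if element == "localnets":
        return any(client in net for net in SERVER_NETWORKS)
    if element in acls:  # reference to a named ACL such as trusted_network
        return any(matches(e, client, acls) for e in acls[element])
    return client in ipaddress.ip_network(element, strict=False)  # CIDR prefix or bare address

def recursion_allowed(conf_text, client_ip):
    """True if a recursive query from client_ip would be accepted under conf_text."""
    acls, allow = parse_named_conf(conf_text)
    client = ipaddress.ip_address(client_ip)
    return any(matches(e, client, acls) for e in allow)

if __name__ == "__main__":
    for conf, label in ((DEFAULT_CONF, "default"), (FIXED_CONF, "trusted_network")):
        verdict = "allowed" if recursion_allowed(conf, "192.168.12.34") else "REFUSED"
        print(f"{label}: recursive query from 192.168.12.34 -> {verdict}")
```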

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
