FreeIPA (IdM) integrated DNS server denies recursive query from client networks

Solution Verified

Issue

  • IPA clients on the client network cannot resolve DNS records outside the IPA domain: the IdM DNS server answers REFUSED instead of recursing for them

    [user@ipaclient] # dig @ipaserver1.ipa.example.com redhat.com 
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2923                <=== status is REFUSED
    <...>
    
  • The corresponding log message is recorded in /var/log/messages (named logs "query (cache) ... denied" when the querying client is not permitted by its cache/recursion ACL):

    ipaserver1 named-pkcs11[22529]: client @0x7f5cc80bfa80 192.168.12.34#36429 (redhat.com): query (cache) 'redhat.com/A/IN' denied
    

Environment

  • Red Hat Enterprise Linux 8.2 or later
  • Red Hat Identity Management (IdM) / FreeIPA
    • ipa-server-4.8.4 or later
    • ipa-server-dns-4.8.4 or later
    • bind-pkcs11
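
Before changing any ACL it helps to know which client networks are actually being refused. The script below is an added example, not code from the article or from FreeIPA: it parses `named-pkcs11` denial lines of the form shown above, groups the denied clients by subnet, and renders those subnets as a BIND `acl` statement. The log sample is constructed for the example (its first line copies the article's message, the others are made up in the same format), and the `ipa_clients` acl name and the /24 and /64 grouping are assumptions; how such an acl is wired into the IdM named configuration is not shown on this page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/messages lines for this example. The first
# line reproduces the denial from the article; the others are made up in the
# same format: a second client on the same network, a client on another
# network, and two unrelated named lines that the parser must ignore.
SAMPLE_LOG = """\
Jun 10 12:00:01 ipaserver1 named-pkcs11[22529]: client @0x7f5cc80bfa80 192.168.12.34#36429 (redhat.com): query (cache) 'redhat.com/A/IN' denied
Jun 10 12:00:02 ipaserver1 named-pkcs11[22529]: client @0x7f5cc80bfa80 192.168.12.35#40011 (example.org): query (cache) 'example.org/AAAA/IN' denied
Jun 10 12:00:03 ipaserver1 named-pkcs11[22529]: client @0x7f5cc80c1234 10.0.5.7#51000 (redhat.com): query (cache) 'redhat.com/A/IN' denied
Jun 10 12:00:04 ipaserver1 named-pkcs11[22529]: zone ipa.example.com/IN: sending notifies (serial 1591790404)
Jun 10 12:00:05 ipaserver1 named-pkcs11[22529]: client @0x7f5cc80c9999 192.168.12.34#36430 (ipaserver1.ipa.example.com): query: ipaserver1.ipa.example.com IN A + (192.168.12.10)
"""

# Matches BIND's "query ... denied" message. The "(cache)" qualifier is what
# named writes when the client falls outside the cache/recursion ACL; a plain
# "query '...' denied" (no qualifier) comes from allow-query and is matched
# too, so the report does not silently skip it. The "@0x..." client pointer
# is optional because older named builds do not print it.
DENIED_RE = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query(?: \((?P<scope>[a-z]+)\))? "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)' denied"
)


def parse_denied_queries(log_text):
    """Return one dict per denied query: client ip, port, scope, name, rtype, rclass."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["scope"] = rec["scope"] or "query"  # allow-query denials carry no qualifier
        rec["port"] = int(rec["port"])
        hits.append(rec)
    return hits


def denied_by_network(log_text, v4_prefix=24, v6_prefix=64):
    """Count denials per client network (assumed /24 for IPv4, /64 for IPv6).

    Returns e.g. {"192.168.12.0/24": 2, "10.0.5.0/24": 1}. Grouping by network
    rather than by host shows which client subnets the recursion ACL misses.
    """
    counts = Counter()
    for rec in parse_denied_queries(log_text):
        addr = ipaddress.ip_address(rec["ip"])
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def render_acl(acl_name, networks):
    """Render the given networks as a BIND acl statement in named.conf syntax.

    Example: acl "ipa_clients" { 10.0.5.0/24; 192.168.12.0/24; };
    IPv4 networks sort before IPv6 ones so the output is stable.
    """
    ordered = sorted(
        networks,
        key=lambda n: (ipaddress.ip_network(n).version, ipaddress.ip_network(n)),
    )
    body = " ".join(f"{n};" for n in ordered)
    return f'acl "{acl_name}" {{ {body} }};'


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/messages").read() on the IdM server.
    for rec in parse_denied_queries(SAMPLE_LOG):
        print(f"{rec['ip']:>16}  {rec['scope']:<6} {rec['name']}/{rec['rtype']}")
    counts = denied_by_network(SAMPLE_LOG)
    for net, n in counts.most_common():
        print(f"{net:<20} {n} denied")
    print(render_acl("ipa_clients", counts))
```

Run it against the real /var/log/messages on the IdM server; every subnet it lists is one whose clients get REFUSED for names outside the IPA zones, which is the set to compare against the server's allow-recursion / allow-query-cache ACL.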
