FreeIPA DNS workaround for DNS zone [...]. already exists in DNS and is handled by server(s):
Published: 10-04-2018 | Author: Remy van Elst
❗ This post is over six years old. It may no longer be up to date. Opinions may have changed.
Recently I ran into an issue with FreeIPA when trying to add an existing DNS zone. The zone already exists on the internet so, logically, FreeIPA wouldn't allow me to hijack this domain locally. My use case is special, so I wanted to forcefully add this zone as a forward zone.
In the web UI of FreeIPA when trying to add this existing zone, the following error appears:
DNS zone example.org. already exists in DNS and is handled by server(s): ns1.kpn.com, ns2.kpn.com
This error makes sense: hijacking a zone that is live on the internet is a bad idea, and features like DNSSEC will bite you (a validating resolver rejects unsigned answers for a zone whose parent publishes a DS record).
My setup however was different. In this setup, the domain sub.example.org was delegated to this environment, but via some tunneling constructions VPSes in this environment would be able to connect internally to the example.org domain. So I want the FreeIPA system, which is also the DNS resolver, to forward queries for example.org to the local internal nameserver in the example.org domain instead of resolving them externally.
FreeIPA wouldn't let me do that via the GUI, which in my opinion is the right default, since you are doing something that normally will break things. On the command line we can skip this overlap check with the --skip-overlap-check flag:
ipa dnsforwardzone-add --skip-overlap-check example.org --forwarder=192.0.2.10 --forwarder=198.51.100.10 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
Zone name: example.org.
Active zone: TRUE
Zone forwarders: 192.0.2.10, 198.51.100.10
Forward policy: only
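Below is an added example, not part of the original article and not FreeIPA's own code: a small POSIX sh pre-flight wrapper around the command above. It uses dig to check whether the zone is already delegated publicly (the condition that makes FreeIPA's overlap check fire) and whether the parent publishes a DS record (the DNSSEC situation that will bite a validating resolver), then builds and runs the exact ipa command and compares the SOA seen through the IPA resolver with the one served by the first forwarder. It assumes dig (bind-utils) and the ipa client are installed and that you already have a Kerberos ticket with DNS administrator rights; ZONE, FORWARDERS and POLICY are placeholder defaults taken from the article's example values, not real infrastructure.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight wrapper around
# `ipa dnsforwardzone-add --skip-overlap-check`.
# Assumptions: dig and the ipa CLI are installed; a Kerberos ticket with
# DNS admin rights exists (kinit). Defaults below are the article's
# documentation values, not a real deployment.

ZONE="${ZONE:-example.org}"
FORWARDERS="${FORWARDERS:-192.0.2.10 198.51.100.10}"
POLICY="${POLICY:-only}"

# True (exit 0) when a `dig +short` answer contains anything but whitespace.
has_answer() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# FreeIPA refuses a zone that already exists in public DNS, i.e. when the
# public NS set is non-empty. $1 = output of `dig +short NS "$ZONE"`.
needs_skip_overlap() { has_answer "$1"; }

# A DS record in the parent means the public zone is DNSSEC-signed; a
# validating resolver will then reject unsigned answers from internal
# forwarders for this zone. $1 = output of `dig +short DS "$ZONE"`.
zone_is_signed() { has_answer "$1"; }

# Assemble the ipa command. $1 = zone, $2 = forward policy, $3.. = forwarders.
build_forwardzone_cmd() {
    zone=$1
    policy=$2
    shift 2
    cmd="ipa dnsforwardzone-add --skip-overlap-check $zone"
    for fwd; do
        cmd="$cmd --forwarder=$fwd"
    done
    printf '%s --forward-policy=%s\n' "$cmd" "$policy"
}

# Live run: query public DNS, explain what will happen, add the zone and
# check that the IPA resolver now answers from the forwarders.
run() {
    ns=$(dig +short NS "$ZONE")
    ds=$(dig +short DS "$ZONE")
    if needs_skip_overlap "$ns"; then
        echo "Public DNS already serves $ZONE via:" $ns
        echo "--skip-overlap-check is required."
    else
        echo "$ZONE is not delegated publicly; the overlap check would not fire."
    fi
    if zone_is_signed "$ds"; then
        echo "WARNING: $ZONE has a DS record (DNSSEC-signed). Unsigned answers" \
             "from the internal forwarders will fail validation on a validating resolver."
    fi
    # shellcheck disable=SC2086  (FORWARDERS is intentionally word-split)
    cmd=$(build_forwardzone_cmd "$ZONE" "$POLICY" $FORWARDERS)
    echo "+ $cmd"
    eval "$cmd"
    # Sanity check: forward-only means the IPA resolver's answer must match the forwarder's.
    first=${FORWARDERS%% *}
    echo "SOA via IPA resolver (127.0.0.1): $(dig @127.0.0.1 +short SOA "$ZONE")"
    echo "SOA via first forwarder ($first): $(dig "@$first" +short SOA "$ZONE")"
}

# Only touch DNS when explicitly asked (`sh wrapper.sh run`), so the
# functions above can be sourced and tested without network access.
if [ "${1:-}" = "run" ]; then
    run
fi
```

The decision logic is deliberately kept in small functions that take dig output as an argument, so the overlap and DNSSEC checks can be exercised with canned answers before the script is ever pointed at a live resolver.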
If you do not want a forward zone but a regular (master) zone instead, the same flag is accepted by dnszone-add:
ipa dnszone-add --skip-overlap-check example.org --forwarder=192.0.2.10 --forwarder=198.51.100.10 --forward-policy=only
Tags: bind, dns, freeipa, network, snippets, traceroute