FreeIPA DNS workaround for DNS zone [...]. already exists in DNS and is handled by server(s):

Published: 10-04-2018 | Author: Remy van Elst

Recently I ran into an issue with FreeIPA when trying to add an existing DNS zone. The zone already exists on the internet, so, logically, FreeIPA wouldn't allow me to hijack this domain locally. My use case is special, so I wanted to forcefully add this zone as a forward zone.

In the web UI of FreeIPA, when trying to add this existing zone, the following error appears:

DNS zone example.org. already exists in DNS and is handled by server(s): ns1.kpn.com, ns2.kpn.com

This error makes sense, since hijacking a domain like this is a bad idea: features like DNSSEC will bite you.

My setup, however, was different. In this setup, the domain sub.example.org was delegated to this environment, but via some tunneling constructions, VPSes in this environment would be able to connect internally to the example.org domain. So I want the FreeIPA system, which is also the DNS resolver, to forward queries for example.org to the local internal nameserver in the example.org domain, rather than resolving them externally.

FreeIPA wouldn't let me do that via the GUI, which IMHO is the right choice, since you are doing something that will normally break stuff. Using the command line, we can skip this overlap check with the --skip-overlap-check flag:

ipa dnsforwardzone-add --skip-overlap-check example.org --forwarder=192.0.2.10 --forwarder=198.51.100.10 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
  Zone name: example.org.
  Active zone: TRUE
  Zone forwarders: 192.0.2.10, 198.51.100.10
  Forward policy: only

If you do not want to add a forward zone, you can also use this flag to add a regular zone:

ipa dnszone-add --skip-overlap-check example.org --forwarder=192.0.2.10 --forwarder=198.51.100.10 --forward-policy=only
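Since --skip-overlap-check disables the one safeguard that stops you from shadowing a public zone, the following pre-flight script (an added example, not part of the original article or of FreeIPA) verifies that every intended forwarder actually answers authoritatively for the zone, warns when the zone is DNSSEC-signed publicly (forwarding it to an unsigned internal server breaks validation), and only then prints or runs the ipa command. It assumes dig(1) is installed; the ZONE and FORWARDERS defaults are constructed examples.

```shell
#!/bin/sh
# Pre-flight check before using --skip-overlap-check (added example, not from
# the original article). ZONE and FORWARDERS below are constructed defaults.
ZONE="${ZONE:-example.org}"
FORWARDERS="${FORWARDERS:-192.0.2.10 198.51.100.10}"

# True when dig's header output carries the "aa" (authoritative answer) flag,
# i.e. the queried server really is authoritative for the zone.
soa_is_authoritative() {
  printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* aa[ ;]'
}

# True when a "dig +short DS <zone>" answer is non-empty: the parent zone
# publishes a DS record, so the zone is DNSSEC-signed on the public internet.
zone_has_ds() {
  [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Extract the serial (third field) from a "dig +short SOA" answer line.
soa_serial() {
  printf '%s\n' "$1" | awk 'NF >= 3 { print $3; exit }'
}

preflight() {
  for fwd in $FORWARDERS; do
    hdr="$(dig +noall +comments SOA "$ZONE" @"$fwd" 2>/dev/null)"
    if ! soa_is_authoritative "$hdr"; then
      echo "refusing: $fwd is not authoritative for $ZONE" >&2
      return 1
    fi
    echo "$fwd serves $ZONE, serial $(soa_serial "$(dig +short SOA "$ZONE" @"$fwd")")"
  done
  if zone_has_ds "$(dig +short DS "$ZONE")"; then
    echo "warning: $ZONE is DNSSEC-signed publicly; forwarded answers will fail validation" >&2
  fi
  fwd_args=""
  for fwd in $FORWARDERS; do fwd_args="$fwd_args --forwarder=$fwd"; done
  cmd="ipa dnsforwardzone-add --skip-overlap-check $ZONE$fwd_args --forward-policy=only"
  # Dry run by default; set APPLY=yes to actually create the forward zone.
  if [ "${APPLY:-no}" = yes ]; then $cmd; else echo "would run: $cmd"; fi
}

# Only run when PREFLIGHT=yes, so the helper functions can also be sourced.
if [ "${PREFLIGHT:-no}" = yes ]; then preflight; fi
```

Run it as `PREFLIGHT=yes ZONE=example.org FORWARDERS="192.0.2.10 198.51.100.10" sh preflight.sh`; after the zone is added, comparing the serial from `dig +short SOA example.org @<freeipa-resolver>` with the one printed per forwarder confirms that queries are now answered via the forwarders.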
Tags: bind, dns, freeipa, network, snippets, traceroute