
Chapter 9. Identity: Managing DNS

9.1. About DNS in FreeIPA
9.2. The FreeIPA-Generated DNS File
9.3. Setting up DNS After FreeIPA Server Installation
9.4. Managing DNS Zone Entries
9.4.1. Adding DNS Zones
9.4.2. Modifying DNS Zones
9.4.3. Enabling and Disabling Zones
9.5. Managing DNS Record Entries
9.5.1. Adding Records to DNS Zones
9.5.2. Deleting Records from DNS Zones
9.6. Configuring the bind-dyndb-ldap Plug-in
9.6.1. Changing the DNS Cache Setting
9.6.2. Enabling Zone Refreshes and Persistent Searches
9.7. Changing Recursive Queries Against Forwarders
9.8. Enabling Dynamic DNS Updates
9.8.1. Enabling Dynamic DNS Updates in the Web UI
9.8.2. Enabling Dynamic DNS Updates in the Command Line
9.9. Configuring Forwarders and Forward Policy
9.9.1. Configuring Global Forwarders
9.9.2. Configuring Zone Forwarders
9.9.3. Configuring Forwarder Policy for a Zone
9.10. Enabling Zone Transfers
9.11. Defining DNS Queries
9.12. Synchronizing Forward and Reverse Zone Entries
9.13. Setting DNS Access Policies
9.14. Resolving Hostnames in the FreeIPA Domain
9.15. Changing Load Balancing for FreeIPA Servers and Replicas

If the FreeIPA server was installed with DNS configured, then all of the DNS entries for the domain — host entries, locations, records — can be managed using the FreeIPA tools.

9.1. About DNS in FreeIPA

DNS is one of the services that can be configured and maintained by the FreeIPA domain. DNS is critical to the performance of the FreeIPA domain; DNS is used for the Kerberos services and SSL connections for all servers and clients and for connections to domain services like LDAP.
While FreeIPA can use an external DNS service, there is much more flexibility and control over the FreeIPA-DNS interactions when the DNS service is configured within the domain. For example, DNS records and zones can be managed within the domain using FreeIPA tools, and clients can update their own DNS records dynamically. When a host is added to FreeIPA, a DNS record is automatically created in FreeIPA's DNS service for that host machine.
FreeIPA stores all DNS information as LDAP entries. Every resource record for each machine is stored for the domain. For example, the client1 resource has three IPv4 (A) records and one IPv6 (AAAA) record:
dn: idnsname=client1,idnsname=example.com,cn=dns,dc=example,dc=com
idnsname: client1
aaaarecord: fc00::1
objectclass: top
objectclass: idnsrecord
The schema used to define the DNS entries is in the /usr/share/ipa/60basev2.ldif schema file[3].
The BIND service communicates with the Directory Server using the system bind-dyndb-ldap plug-in. When FreeIPA is configured to manage DNS (Section 9.3, “Setting up DNS After FreeIPA Server Installation”), FreeIPA creates a dynamic-db configuration section in the /etc/named.conf file for the BIND service. This configures the bind-dyndb-ldap plug-in for the BIND (named) service.
When this plug-in is properly configured, it delivers the DNS records from the Directory Server to the named service. The configuration can be changed to adapt the behavior of the plug-in and, therefore, the LDAP-BIND interactions.
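To audit what FreeIPA actually holds under cn=dns, here is an added example (not code from the FreeIPA project or this guide) that parses one such LDIF entry, checks that its DN follows the idnsname=host,idnsname=zone,cn=dns layout, verifies that A and AAAA values are addresses of the right family, and renders the entry as zone-file records. The three A record values are constructed, since the page shows only the AAAA record:

```python
import ipaddress
# Constructed sample of the page's client1 entry as stored under cn=dns
# (the three A record values are constructed; the page shows only the AAAA).
SAMPLE_LDIF = """\
dn: idnsname=client1,idnsname=example.com,cn=dns,dc=example,dc=com
idnsname: client1
arecord: 192.0.2.10
arecord: 192.0.2.11
arecord: 192.0.2.12
aaaarecord: fc00::1
objectclass: top
objectclass: idnsrecord
"""

# LDAP attribute -> DNS RR type, per FreeIPA's idnsRecord object class.
RR_ATTRS = {"arecord": "A", "aaaarecord": "AAAA", "cnamerecord": "CNAME",
            "ptrrecord": "PTR", "txtrecord": "TXT", "mxrecord": "MX"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attribute: [values]}); names lower-cased."""
    dn, attrs = None, {}
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(":")   # split on the first colon only
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def zone_and_host(dn):
    """FreeIPA layout: idnsname=<host>,idnsname=<zone>,cn=dns,<suffix>."""
    rdns = [r.strip() for r in dn.split(",")]
    names = [r.split("=", 1)[1] for r in rdns if r.lower().startswith("idnsname=")]
    if len(rdns) < 3 or len(names) != 2 or rdns[2].lower() != "cn=dns":
        raise ValueError("not a FreeIPA host record DN: %r" % dn)
    return names[1], names[0]          # (zone, host)

def to_zone_lines(text):
    """Render the entry as zone-file RRs; reject A/AAAA values of the wrong family."""
    dn, attrs = parse_ldif_entry(text)
    zone, host = zone_and_host(dn)
    lines = []
    for attr, rrtype in RR_ATTRS.items():
        for value in attrs.get(attr, []):
            if rrtype in ("A", "AAAA") and ipaddress.ip_address(value).version != {"A": 4, "AAAA": 6}[rrtype]:
                raise ValueError("%s holds a value of the wrong address family: %s" % (attr, value))
            lines.append("%s.%s. IN %s %s" % (host, zone, rrtype, value))
    return lines
```

Feeding it the output of an ldapsearch against the cn=dns subtree gives a zone-file view that can be diffed against what named actually serves.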

[3] Any updated schema files, including updated DNS schema elements, are located in the /usr/share/ipa/updates directory.