Closed ikke-t closed 2 years ago
This was a rather troublesome feature: getting DNS to work for VPN clients. It required proper settings on the laptop, OPNsense and IdM.
I didn't automate this :(. Here are the steps:
For both IdMs, add to the files: /etc/named/ipa-options-ext.conf
acl "trusted_network" {
    10.254.253.0/24;
    localnets;
    localhost;
};
/etc/named/ipa-options-ext.conf:
allow-query { "trusted_network"; };
allow-query-cache { "trusted_network"; };
allow-recursion { "trusted_network"; };
and restart the services:
ipactl restart
Now IdM works for remote queries and allows forwarding. This is important for finding the VMware hosts etc. which are known by the Arrow DNS server.
Done in
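The ACL step above decides which source addresses the IdM's BIND will recurse for; too narrow and VPN clients get REFUSED, too wide (any) and the server is an open resolver. Two caveats a practitioner will want: an acl statement is only valid at the top level of named.conf, not inside options{}, and on FreeIPA versions that ship it the top-level include is /etc/named/ipa-ext.conf while /etc/named/ipa-options-ext.conf is included inside options{}; and with allow-recursion unset, named's default is localnets and localhost only, which is exactly why the VPN pool was refused before the change. The following is an added example, not code from this issue, from FreeIPA or from BIND: a small Python checker that parses the acl and allow-* fragments with BIND's first-match semantics (first matching element decides, a `!` match denies, no match denies) and reports whether a given client gets recursion. The server interface addresses used to expand localnets/localhost, the client addresses and the TEST-NET probe address are constructed assumptions.

```python
"""Evaluate BIND address-match lists the way named does, for the IdM ACL above.

Added example for this issue, not FreeIPA or BIND code. It reads the acl {}
and allow-* {} fragments as text and answers: would named recurse for this
client? Server interface addresses and client IPs below are constructed."""
import ipaddress
import re

# Constructed copies of the two fragments from the issue (named.conf syntax).
ACL_FRAGMENT = """
acl "trusted_network" {
    10.254.253.0/24;   // the VPN client pool
    localnets;
    localhost;
};
"""

OPTIONS_FRAGMENT = """
allow-query { "trusted_network"; };
allow-query-cache { "trusted_network"; };
allow-recursion { "trusted_network"; };
"""

# Assumed IdM interface addresses; named derives localnets/localhost from
# its real interfaces, this list stands in for them.
SERVER_INTERFACES = ["10.128.1.10/24", "127.0.0.1/8"]

# named's defaults when an option is not set (allow-query defaults to any).
# Only the three options used in the issue are covered here.
DEFAULTS = {
    "allow-query": ["any"],
    "allow-query-cache": ["localnets", "localhost"],
    "allow-recursion": ["localnets", "localhost"],
}


def _strip_comments(text):
    """Remove // and # line comments so they cannot be mistaken for elements."""
    return re.sub(r"(//|#).*", "", text)


def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text):
    """Return {name: [element, ...]} for each  acl "name" { ... };  statement."""
    text = _strip_comments(text)
    return {m.group(1): _elements(m.group(2))
            for m in re.finditer(r'acl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;', text)}


def parse_options(text):
    """Return {option: [element, ...]} for each  allow-xxx { ... };  statement."""
    text = _strip_comments(text)
    return {m.group(1): _elements(m.group(2))
            for m in re.finditer(r"(allow-[\w-]+)\s*\{([^}]*)\}\s*;", text)}


def element_matches(name, client, acls, interfaces, depth):
    """Does one (un-negated) element match the client address?"""
    if depth > 8:
        raise ValueError("ACL nesting too deep: %s" % name)
    if name == "any":
        return True
    if name == "none":
        return False
    if name == "localhost":
        return any(client == ipaddress.ip_interface(i).ip for i in interfaces)
    if name == "localnets":
        return any(client in ipaddress.ip_interface(i).network for i in interfaces)
    if name in acls:  # a nested ACL matches when it evaluates to allow
        return first_match(acls[name], client, acls, interfaces, depth + 1)
    # anything else is an address or prefix; mismatched IP versions never match
    return client in ipaddress.ip_network(name, strict=False)


def first_match(elements, client, acls, interfaces, depth=0):
    """BIND semantics: the first element that matches decides; a '!'-prefixed
    match denies; if nothing matches the client is denied."""
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!").strip().strip('"')
        if element_matches(name, client, acls, interfaces, depth):
            return not negated
    return False


def client_allowed(option, acl_text, options_text, client_ip,
                   interfaces=SERVER_INTERFACES):
    """Would named grant `option` (e.g. allow-recursion) to client_ip?"""
    acls = parse_acls(acl_text)
    elements = parse_options(options_text).get(option, DEFAULTS[option])
    return first_match(elements, ipaddress.ip_address(client_ip), acls, interfaces)


def is_open_resolver(acl_text, options_text, interfaces=SERVER_INTERFACES):
    """True if an arbitrary Internet address (TEST-NET-2 here) gets recursion."""
    return client_allowed("allow-recursion", acl_text, options_text,
                          "198.51.100.7", interfaces)


if __name__ == "__main__":
    vpn_client = "10.254.253.20"   # constructed VPN client address
    print("VPN client with the ACL:",
          client_allowed("allow-recursion", ACL_FRAGMENT, OPTIONS_FRAGMENT, vpn_client))
    print("VPN client with named defaults:",
          client_allowed("allow-recursion", ACL_FRAGMENT, "", vpn_client))
    print("Open resolver?", is_open_resolver(ACL_FRAGMENT, OPTIONS_FRAGMENT))
```

Run it against the real fragments before `ipactl restart` to confirm the VPN pool is admitted and that a public address is not; `named-checkconf` will still be needed for syntax, since this checker only evaluates the match lists.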
On F35, I changed to use systemd-resolved.
You can tell resolved to use a different DNS for different domains in /etc/systemd/resolved.conf:
[Resolve]
DNS=10.128.1.10#cool.lab 10.128.1.10#app.ocpmgt.cool.lab 10.128.1.10#ocpmgt.cool.lab
DNS=10.1.102.5#arrowdemo.se
and restart resolved:
sudo systemctl restart systemd-resolved
and make name resolution point to resolved by changing /etc/nsswitch.conf:
# hosts: files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
hosts: resolve [!UNAVAIL=return] files myhostname mdns4_minimal [NOTFOUND=return] dns
and fix /etc/resolv.conf
sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Now when you connect over VPN to cool-lab, it should resolve all addresses fine. Also without resolved, as it should point to and forward all queries through IdM.
IdM doesn't allow DNS query forwarding for VPN clients, which makes it hard to connect to the lab. Loosen the DNS config to allow VPN queries.