7th December 2023
There might be times when you need a DNS record for your domain to be handled by a public DNS provider. One example is when you are using a reverse proxy with SSL offloading.
The Scenario
My client network is configured to use my internal DNS server, which handles all records for bastuklubben.online. If a record is not defined locally, by default the DNS server replies that it can’t find the resource you are looking for.
On the guest network or any other external network, however, the name resolves, because my DNS provider publishes a public record for it. To make internal clients use that public record, a DNS forwarding zone has to be created.
Related Topic: Check here on how to set up Dynamic DNS on a pfSense firewall (will be released 18th December).
DNS forwarding Zone configuration
Step 1: Configure NS records in your normal zone
First you need to define an NS record for your exceptions. Go to Network Services > DNS > DNS Zones > your.domain and click +Add.
Record Name: the first part of the DNS record, for example “nextcloud”
Record Type: NS
Hostname: The subdomain address of the public service
Skip DNS check: True
Step 2: Configure forwarding zones
Go to Network Services > DNS > DNS Forwarding Zones and click +Add.
Zone name: The subdomain address of the public service
Zone forwarders: Enter some public DNS servers. I use Quad9 in my example.
Forward Policy: Forward only
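As an added example (not from the original post), the following Python model shows how a resolver that is authoritative for bastuklubben.online picks the most specific zone for each query, which is why a forwarding zone for the public subdomain makes internal clients receive the public answer while every other name stays internal, and why "Forward only" returns SERVFAIL instead of falling back when the forwarders are unreachable. The internal records, forwarder addresses and the Quad9 answer are constructed sample data, and the Step 1 NS delegation is not modelled separately.

```python
# Model of zone selection on an internal DNS server (added example, not the
# page's own software). Data below is constructed for illustration.

# Internal authoritative zone: names only resolvable on the LAN
INTERNAL_ZONE = {
    "bastuklubben.online": {"nas.bastuklubben.online": ["10.0.0.5"]},
}

# Forwarding zone from Step 2: the public subdomain, forwarded to Quad9
FORWARD_ZONES = {
    "nextcloud.bastuklubben.online": {
        "forwarders": ["9.9.9.9", "149.112.112.112"],
        "forward_only": True,
    },
}

# What the forwarders would answer (constructed; mirrors the nslookup output)
PUBLIC_ANSWERS = {"nextcloud.bastuklubben.online": ["85.167.132.179"]}


def zone_for(qname, zones):
    """Return the most specific zone apex containing qname (longest suffix match)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(qname, forward_zones=FORWARD_ZONES, forwarder_up=True):
    """Return (status, addresses) the internal server would hand to a client."""
    fwd = zone_for(qname, forward_zones)
    auth = zone_for(qname, INTERNAL_ZONE)
    # The more specific zone wins: a forwarding zone for the subdomain beats
    # the parent zone, so the local "no such record" answer is never produced.
    if fwd and (auth is None or len(fwd) > len(auth)):
        if not forwarder_up and forward_zones[fwd]["forward_only"]:
            # Forward only: no fallback to local data or full recursion
            return "SERVFAIL", []
        return "answer", PUBLIC_ANSWERS.get(qname, [])
    if auth:
        addrs = INTERNAL_ZONE[auth].get(qname.lower().rstrip("."))
        # Without the forwarding zone this branch yields NXDOMAIN for nextcloud
        return ("answer", addrs) if addrs else ("NXDOMAIN", [])
    return "RECURSE", []  # outside our zones: ordinary recursion, not modelled
```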
Verification
Clear the DNS cache on your client and try to resolve the public service to see if the answer has been updated.
user@workstation:~$ resolvectl flush-caches
user@workstation:~$ nslookup nextcloud.bastuklubben.online
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: nextcloud.bastuklubben.online
Address: 85.167.132.179
Name: nextcloud.bastuklubben.online
Address: 2001:4610:a:6::5fdd