Pi-hole forwarder for FreeIPA

Expected Behaviour:

When installing FreeIPA, I set Pi-hole as a DNS forwarder for it. From discussions with people on the FreeIPA IRC, it tries to read the SOA record of the DNS forwarder. I think that all DNS servers should have an SOA record.

Actual Behaviour:

FreeIPA tries to find an SOA record on the configured DNS forwarder (Pi-hole) but it fails and consequently fails the installation.

Checking DNS forwarders, please wait ...
DNS server 192.168.10.2: query '. SOA': The DNS response does not contain an answer to the question: . IN SOA
DNS server 192.168.10.2: query '. SOA': The DNS response does not contain an answer to the question: . IN SOA
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Running dig command with more details

[root@freeipaserver rocky]# dig . soa @192.168.10.2
 
; <<>> DiG 9.16.23-RH <<>> . soa @192.168.10.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13369
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.                              IN      SOA
 
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sat Jan 20 22:09:52 EET 2024
;; MSG SIZE  rcvd: 28

Debug Token:

https://tricorder.pi-hole.net/NuIlCPnI/

A visual of my intended setup:
FreeIPA -> Pi-Hole -> Unbound

One obvious workaround is to add a dummy SOA record to "silence" the FreeIPA check but I am not sure whether this is possible.
Another option is to bypass Pi-hole completely for the FreeIPA host.
I guess I could also change the setup to
Pi-hole -> FreeIPA -> Unbound which could work.

Servers do not have SOA records, zones do. Whatever domain you are trying to use needs to have the proper authoritative records set up.

Thanks for the info.
My FreeIPA and DNS knowledge is unfortunately limited, so I will just regurgitate whatever basic things I have understood so far.
It is quite common to use a random/invented/non-public domain for FreeIPA since this is only intended (at least in my case) to be used locally.
If I set the FreeIPA forwarder to Unbound DNS directly it works without having to configure any zone for the domain.
That begs the question, why does it work with Unbound without any zone configuration?
How can I set up a zone with authoritative records in Pi-hole?
The FreeIPA dev seems to think that it is some kind of Pi-hole problem. If a SOA record exists upstream, shouldn't Pi-hole forward that request there?
An example of a couple of tests (Pastebin paste titled "[root@ipasrv rocky]# dig @192.168.10.2 . IN SOA; <<>> DiG 9.16.23-RH <<>> @1").
192.168.10.2 is Pihole and 192.168.10.20 is Unbound

Because that's how you have configured your Pi-hole.

Your FreeIPA's check as well as your dig is for the SOA record of "." (the root zone).

Your debug log shows that you've instructed your Pi-hole to block ".":

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
 id     type  enabled  group_ids  domain    date_added           date_modified        comment
 -----  ----  -------  ---------  --------  -------------------  -------------------  --------------------
 23      1          1  0          .         2023-11-17 17:19:04  2023-11-17 17:19:04  Added from Query Log

If you remove that entry from your Pi-hole's blocked Domains, your dig will succeed again, and so should FreeIPA's check.

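The installer check described in this thread amounts to "send `. IN SOA` to the forwarder and look for a matching record in the ANSWER section". The following is an added example, not code from Pi-hole, FreeIPA or this thread: a small wire-format DNS parser that classifies a response the way the installer log does, run over two hand-built messages. One is what a working forwarder such as Unbound returns for the root SOA (the SOA field values are constructed for the example and are not real root-zone data); the other reproduces the dig output above, NOERROR with ANSWER 0 and AUTHORITY 0, which is what the blocked "." entry produces. A resolver that had really forwarded the query and received a genuine negative answer would normally carry the zone's SOA in the AUTHORITY section (RFC 2308), so an empty AUTHORITY section alongside NOERROR is a useful hint that the answer was synthesized locally rather than relayed.

```python
"""Offline illustration of FreeIPA's '. SOA' forwarder check (added example).

Two constructed DNS responses are decoded with a minimal RFC 1035 parser and
classified like the ipa-server-install log does. Not Pi-hole or FreeIPA code.
"""
import struct

QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in wire format; "." becomes the lone root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Return (name, offset_after_name); follows compression pointers."""
    labels, jumped, after = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            if not jumped:
                after = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (after if jumped else offset)


def parse_message(data):
    """Parse the header, question and answer sections of a DNS message."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdata_offset": off, "rdlen": rdlen})
        off += rdlen
    return {"id": msg_id, "rcode": flags & 0xF, "questions": questions,
            "answers": answers, "authority": ns, "additional": ar}


def parse_soa(data, offset):
    """Decode SOA RDATA against the whole message so compressed names resolve."""
    mname, offset = decode_name(data, offset)
    rname, offset = decode_name(data, offset)
    serial, refresh, retry, expire, minimum = struct.unpack("!5I", data[offset:offset + 20])
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def classify(data):
    """Mirror the installer check: is there an answer RR matching the question?"""
    msg = parse_message(data)
    qname, qtype, qclass = msg["questions"][0]
    if msg["rcode"] == 3:
        return "nxdomain"
    if msg["rcode"] != 0:
        return "error"
    for rr in msg["answers"]:
        if (rr["name"], rr["type"], rr["class"]) == (qname, qtype, qclass):
            return "answered"
    return "nodata"  # NOERROR with ANSWER: 0, as dig showed against Pi-hole


def build_response(qname, qtype, rdata=None, rcode=0):
    """Build a minimal response: QR/RD/RA set, one question, zero or one answer."""
    header = struct.pack("!6H", 0x3439, 0x8180 | rcode, 1, 1 if rdata else 0, 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    if rdata:
        # Owner name as a compression pointer to the question name at offset 12.
        msg += b"\xC0\x0C" + struct.pack("!HHIH", qtype, QCLASS_IN, 86400, len(rdata)) + rdata
    return msg


# Constructed sample data: SOA field values invented for the example, not real root-zone data.
ROOT_SOA_RDATA = (encode_name("a.root-servers.net.") + encode_name("nstld.verisign-grs.com.")
                  + struct.pack("!5I", 2024012000, 1800, 900, 604800, 86400))
HEALTHY_RESPONSE = build_response(".", QTYPE_SOA, ROOT_SOA_RDATA)  # a working forwarder
BLOCKED_RESPONSE = build_response(".", QTYPE_SOA)                   # NOERROR, ANSWER 0, AUTHORITY 0

if __name__ == "__main__":
    for label, wire in (("forwarder", HEALTHY_RESPONSE), ("pi-hole blocking '.'", BLOCKED_RESPONSE)):
        verdict = classify(wire)
        print(f"{label}: {verdict}")
        if verdict == "answered":
            rr = parse_message(wire)["answers"][0]
            print("  SOA:", parse_soa(wire, rr["rdata_offset"]))
```

The same `classify` function can be pointed at real traffic by capturing the UDP payload of a `dig . soa @forwarder` exchange, since it only needs the raw message bytes; a verdict of "nodata" with `authority == 0` on a query that should be answered is the signature to look for when a forwarder silently drops or blocks a name.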

Excellent, thank you very much for your time.
I must have added it by mistake at some point and forgot to check.

No.
The debug log shows it has been manually added by user interaction from the Query Log screen.

