Chapter 29. Securing DNS with DoT in IdM


You can secure DNS traffic in Identity Management (IdM) deployments by enabling encrypted DNS (eDNS) that uses DNS-over-TLS (DoT). You can encrypt all DNS queries and responses between DNS clients and IdM DNS servers.

Important

Encrypted DNS in IdM is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

29.1. Encrypted DNS in IdM

Encrypted DNS (eDNS), using DNS over TLS (DoT), encrypts all DNS queries and responses between IdM DNS clients and servers. IdM configures the unbound service as a local caching resolver on clients and uses the BIND service to receive DoT requests on servers.

By default, IdM uses the relaxed DNS policy, which allows fallback to unencrypted DNS if DoT is unavailable. When using the relaxed policy, IdM clients and replicas automatically detect DoT-capable DNS servers during installation.

For encrypted-only communication, you can configure the --dns-policy enforced option. This setting strictly requires DoT for all DNS resolution and rejects any unencrypted requests. Before installation, you must manually preconfigure both client and replica systems to trust the IdM server’s DoT certificate and use it for eDNS resolution.

IdM provides an optional integrated DNS server. When you use the integrated DNS server, IdM automatically manages SRV and other service records as you modify the topology. If you require advanced features such as DNS views, you can manage your DNS records manually on an external DNS server. The integrated IdM DNS is not a general-purpose DNS solution.

When setting up eDNS for your IdM servers, replicas, and clients, you can either use the IdM Certificate Authority (CA) service for certificate management or provide your own certificates. If you don’t provide a certificate, IdM CA automatically generates and assigns TLS certificates for the DNS service.
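The DoT exchange that this section describes, shown as an added example that is not code from this documentation or from IdM: a DNS query is built in RFC 1035 wire format, framed with the two-byte length prefix that DNS over TCP and DNS over TLS (RFC 7858) share, and sent over TLS to port 853 while the server certificate is validated against the system trust store, the same store the client preparation steps populate with `update-ca-trust extract`. The function names, the script name `dot_probe.py` and the fixed transaction id are assumptions made for the example.

```python
import socket
import ssl
import struct
from typing import Dict, Tuple

DOT_PORT = 853  # DNS over TLS, RFC 7858; the port opened with firewall-cmd --add-service=dns-over-tls


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query: one question, recursion desired, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame(message: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def unframe(stream: bytes) -> Tuple[bytes, bytes]:
    """Split one complete length-prefixed message off the front of `stream`."""
    if len(stream) < 2:
        raise ValueError("need more data")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("need more data")
    return stream[2:2 + length], stream[2 + length:]


def parse_header(message: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into the fields worth checking."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def query_over_tls(server_ip: str, server_name: str, name: str, qtype: int = 1,
                   port: int = DOT_PORT, timeout: float = 5.0) -> Dict[str, int]:
    """Send one query to a DoT server and return the parsed response header.

    ssl.create_default_context() validates the server against the system trust
    store, so a certificate dropped into /etc/pki/ca-trust/source/anchors/ and
    activated with `update-ca-trust extract` is what makes the handshake succeed.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            query = build_query(name, qtype)
            tls.sendall(frame(query))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection before answering")
                buf += chunk
                try:
                    response, _rest = unframe(buf)
                except ValueError:
                    continue  # length prefix or body not complete yet
                header = parse_header(response)
                if header["id"] != parse_header(query)["id"]:
                    raise ValueError("transaction id mismatch")
                return header


if __name__ == "__main__":
    import sys
    # usage: python dot_probe.py <idm_server_ip> <idm_server_fqdn> <name_to_resolve>
    print(query_over_tls(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run against a server, a failed handshake (untrusted or mismatched certificate) raises `ssl.SSLCertVerificationError` before any DNS data is sent, which is the behaviour the enforced policy relies on; a successful run returns a header with `is_response` set and `rcode` 0.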

29.2. Installing an IdM server configured to use eDNS

You can install an IdM server with DoT enabled by performing a non-interactive installation with the ipa-server-install utility. This procedure describes how to configure DoT with the enforced policy using the integrated DNS service. If the relaxed policy is sufficient, you can skip the steps for preconfiguring clients and replicas to use DoT exclusively, because under that policy clients and replicas discover the DoT-capable IdM server automatically during installation.

You can use a certificate issued by the integrated IdM Certificate Authority (CA) or provide a custom certificate issued by an external CA. If you do not provide a certificate, the IdM CA automatically issues a DoT certificate during the installation.

Prerequisites

  • Review the steps outlined in Preparing the system for IdM server installation.
  • For enforced DoT, complete the steps in Configuring client and replica systems to use DoT exclusively.
  • Ensure the following packages are installed:

    • ipa-server
    • ipa-server-dns
    • ipa-server-encrypted-dns
    • ipa-client-encrypted-dns

      Important

      The ipa-server-encrypted-dns package requires a newer version of the bind-utils package than the version installed by default on RHEL. Run sudo dnf install ipa-server ipa-server-encrypted-dns --allowerasing to allow the package manager to remove the older bind-utils package and install the version required by ipa-server-encrypted-dns.

Procedure

  1. Add the dns-over-tls service to the system firewall to open port 853/TCP for DoT traffic:

    # firewall-cmd --add-service=dns-over-tls
  2. Optional: To use a custom PEM-formatted certificate and key for DoT issued by an external certificate authority, create the files:

    $ openssl req \
      -newkey rsa:2048 \
      -nodes \
      -keyout /etc/pki/tls/certs/privkey.pem \
      -x509 \
      -days 36500 \
      -out /etc/pki/tls/certs/certificate.pem \
      -subj "/C=<country_code>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<idm_server_fqdn>/emailAddress=<email>" && \
      chown named:named /etc/pki/tls/certs/privkey.pem /etc/pki/tls/certs/certificate.pem
  3. Install the IdM server with integrated DNS:
      Note

      If you do not strictly require DoT, you can omit the --dns-policy option. The installer then uses the default relaxed policy.

  • To install the IdM server with externally issued keys and certificates, specify the certificate and key paths:

    # ipa-server-install --setup-dns --dns-over-tls --dot-forwarder "<server_ip>#<dns_server_hostname>" --dns-policy enforced --dns-over-tls-cert /etc/pki/tls/certs/certificate.pem --dns-over-tls-key /etc/pki/tls/certs/privkey.pem --no-dnssec-validation --auto-reverse --domain <domain_name> --realm <realm_name> --hostname <idm_server_fqdn> -p <admin_password> -a <admin_password> -U
  • To install the IdM server with the integrated IdM CA, run the following command:

    # ipa-server-install --setup-dns --dns-over-tls --dot-forwarder "<server_ip>#<dns_server_hostname>" --dns-policy enforced --no-dnssec-validation --auto-reverse --domain <domain_name> --realm <realm_name> --hostname <idm_server_fqdn> -p <admin_password> -a <admin_password> -U

Troubleshooting

  1. Enable detailed logging for the unbound service:

    # unbound-control verbosity 3
  2. Restart the unbound service to apply the updated configuration:

    # systemctl restart unbound
  3. Monitor real-time logs of the unbound service:

    $ journalctl -u unbound -f

29.3. Configuring client and replica systems to use DoT exclusively

To enforce DoT communication, you must configure clients and replica systems to use a DoT-capable resolver. You must update the DNS settings in NetworkManager to enable eDNS communication. This configuration is only required when the --dns-policy is set to enforced.

Prerequisites

  • Review the steps outlined in Preparing the system for IdM client installation and Preparing the system for an IdM replica installation.
  • Ensure the following packages are installed:

    • ipa-server-encrypted-dns
    • ipa-client-encrypted-dns

      Important

      The ipa-server-encrypted-dns package requires a newer version of the bind-utils package than the version installed by default on RHEL. Run sudo dnf install ipa-server ipa-server-encrypted-dns --allowerasing to allow the package manager to remove the older bind-utils package and install the version required by ipa-server-encrypted-dns.

Procedure

  1. Copy the IdM server’s DoT certificate to the client and replica system.

    $ scp /etc/pki/tls/certs/bind_dot.crt <username>@<ip>:/etc/pki/ca-trust/source/anchors/
  2. Update the system-wide trust store configuration:

    # update-ca-trust extract
  3. On the client and replica system, install the dnsconfd package:

    # dnf install dnsconfd
  4. Generate the default configuration files for DoT on your system:

    # dnsconfd config install
  5. Enable the dnsconfd service:

    # systemctl enable --now dnsconfd
  6. Reload NetworkManager to apply the configuration:

    # nmcli g reload
  7. Configure the system’s DNS settings in NetworkManager.

    # nmcli device modify <device_name> ipv4.dns dns+tls://<idm_server_ip>
    
    Connection successfully reapplied to device '<device_name>'.

29.4. Installing an IdM client configured to use eDNS

You can install an IdM client with DNS-over-TLS (DoT) enabled by performing a non-interactive installation. This setup applies the enforced DoT policy and requires the client to use eDNS queries exclusively.

Prerequisites

Procedure

  • Install an IdM client with DoT enabled:

    # ipa-client-install --domain <domain_name> --dns-over-tls -p admin --password <admin_password> -U

Verification

  1. On the IdM client, review the unbound configuration file:

    $ cat /etc/unbound/unbound.conf
  2. Verify that the configuration contains the IP address and hostname of the IdM server.
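A scripted form of this verification step, added here as an example that is not part of the Red Hat documentation or of IdM: the script parses unbound.conf, locates the forward-zone stanzas and confirms that each one has forward-tls-upstream enabled and forwards to the IdM server on port 853 with the server's hostname as the authenticated name. The two sample configurations, their layout and the script name `check_unbound_dot.py` are constructed assumptions; the option names and the `ip@port#auth_name` form of forward-addr are unbound's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the stanza the verification step looks for; the layout is
# an assumption, not a copy of the file IdM writes.
SAMPLE_DOT_CONF = """\
server:
    tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.10@853#server.idm.example.com
"""

# Constructed counter-example: a plain, unauthenticated forwarder on port 53.
SAMPLE_PLAIN_CONF = """\
forward-zone:
    name: "."
    forward-addr: 192.0.2.10
"""

Section = Tuple[str, Dict[str, List[str]]]


def parse_unbound_conf(text: str) -> List[Section]:
    """Parse unbound's 'section:' / 'key: value' layout into (section, options) pairs.

    Only full-line comments are dropped: '#' is also the auth-name separator
    inside a forward-addr value, so it must not be treated as an inline comment.
    """
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = re.match(r"^([a-z-]+):\s*$", line)
        if head:
            sections.append((head.group(1), {}))
            continue
        if not sections:
            raise ValueError(f"option outside any section: {line!r}")
        key, _, value = line.partition(":")  # first ':' ends the key, so IPv6 values survive
        sections[-1][1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return sections


# unbound forward-addr syntax: ip, optional @port, optional #auth_name for TLS validation
FORWARD_ADDR = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?$")


def check_dot_forwarding(text: str, server_ip: str, server_name: str) -> List[str]:
    """Return a list of findings; empty means every forward-zone uses TLS and
    forwards to server_ip on 853 with server_name as the authenticated name."""
    findings: List[str] = []
    zones = [opts for kind, opts in parse_unbound_conf(text) if kind == "forward-zone"]
    if not zones:
        return ["no forward-zone stanza found"]
    for opts in zones:
        zone = opts.get("name", ["?"])[0]
        if opts.get("forward-tls-upstream", ["no"])[0].lower() != "yes":
            findings.append(f"zone {zone}: forward-tls-upstream is not yes")
        seen_server = False
        for addr in opts.get("forward-addr", []):
            m = FORWARD_ADDR.match(addr)
            if not m:
                findings.append(f"zone {zone}: cannot parse forward-addr {addr!r}")
                continue
            if m.group("ip") != server_ip:
                continue
            seen_server = True
            if m.group("port") != "853":
                findings.append(f"zone {zone}: {server_ip} is not forwarded on port 853")
            if m.group("name") != server_name:
                findings.append(f"zone {zone}: {server_ip} lacks auth name {server_name}")
        if not seen_server:
            findings.append(f"zone {zone}: no forward-addr for {server_ip}")
    return findings


if __name__ == "__main__":
    import sys
    # usage: python check_unbound_dot.py <idm_server_ip> <idm_server_fqdn> [path]
    path = sys.argv[3] if len(sys.argv) > 3 else "/etc/unbound/unbound.conf"
    with open(path) as fh:
        for finding in check_dot_forwarding(fh.read(), sys.argv[1], sys.argv[2]) or ["OK"]:
            print(finding)
```

The auth-name check matters as much as the port: without `#hostname` on the forward-addr, unbound encrypts the session but does not verify which server it is talking to, which is not what an enforced policy intends.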

Troubleshooting

  1. On the IdM client, run a DNS query to trigger traffic:

    $ dig <domain_name>
  2. Review the logs on the IdM server to verify that the query was routed through DoT.

29.5. Installing an IdM replica configured to use eDNS

You can install an IdM replica with eDNS in an environment where the IdM server has DoT enabled.

When you install the replica with the integrated DNS service, the replica uses the same configuration as the IdM server. It runs BIND to handle incoming DNS queries, including encrypted queries, and uses unbound for outgoing encrypted DNS traffic.

When you install the replica without the integrated DNS service, the replica inherits the client-side configuration. It uses unbound with a DoT forwarder to send encrypted DNS queries to the IdM DNS server.

Prerequisites

Procedure

  1. Add the dns-over-tls service to the system firewall to open port 853/TCP for DoT traffic:

    # firewall-cmd --add-service=dns-over-tls
  2. Depending on whether you want the replica to manage DNS records, choose one of the following:

    • To install an IdM replica with integrated DNS:

      # ipa-replica-install --setup-dns --dns-over-tls --dot-forwarder <server_ip>#<dns_server_hostname>
    • To install an IdM replica without integrated DNS:

      # ipa-replica-install --dns-over-tls

Verification

  • On the IdM server, list all replicas in the topology:

    # ipa-replica-manage list-ruv

29.6. Configuring an existing IdM DNS server to use eDNS

You can enable DNS-over-TLS (DoT) on an existing Identity Management (IdM) server by reconfiguring the integrated DNS service. Use the ipa-dns-install utility with DoT-specific options to update the DNS configuration without reinstalling the server.

Prerequisites

  • You have root access to the IdM server.
  • DNS is already installed on the IdM server.

Procedure

  1. Optional: Verify that your IdM server uses integrated DNS:

    $ ipa server-role-find --role 'DNS server'
    ---------------------
    1 server role matched
    ---------------------
      Server name: server.idm.example.com
      Role name: DNS server
      Role status: enabled
    ----------------------------
    Number of entries returned 1
    ----------------------------
  2. Update the integrated DNS service to enable DoT and configure DoT policy and forwarders:

    # ipa-dns-install --dns-over-tls --dot-forwarder "<server_ip>#<dns_server_hostname>" --dns-policy enforced -U
  3. Add the dns-over-tls service to the system firewall to open port 853/TCP for DoT traffic:

    # firewall-cmd --add-service=dns-over-tls

Verification

  • Verify that the firewall allows DoT traffic:

    # firewall-cmd --list-services

29.7. DoT configuration options for ipa-server-install and ipa-dns-install

Learn about the available configuration options for enabling eDNS in your IdM deployment. You can use the same options to enable eDNS during a new IdM server installation using the ipa-server-install or to modify an existing installation using the ipa-dns-install command.

  • --dns-over-tls enables DoT
  • --dot-forwarder specifies an upstream DoT server in the form <server_ip>#<dns_server_hostname>; repeat the option for each additional server, for example --dot-forwarder <server_ip_1>#<dns_server_hostname_1> --dot-forwarder <server_ip_2>#<dns_server_hostname_2>
  • --dns-over-tls-key and --dns-over-tls-cert configure a custom key and certificate for the DoT service
  • --dns-policy sets the DNS security policy

    • --dns-policy=relaxed allows both encrypted (DoT) and unencrypted DNS queries. The system attempts to use DoT but falls back to unencrypted DNS if DoT is unavailable. This is the default policy.
    • --dns-policy=enforced requires only encrypted DNS communication. The system strictly enforces DoT, and rejects any DNS resolution that does not support encryption, including discovery from IdM clients and replicas.
© 2025 Red Hat