
Implementing Encrypted DNS in Fedora and Kubernetes Clusters with FreeIPA DNS

H.2214 | Day 2 | 15:30 - 15:55 | Speakers: Josep, Ramon Gordillo

Abstract

In modern identity-centric infrastructures, DNS is a critical—but often overlooked—component of a Zero-Trust Architecture. This talk, positioned within the IAM devroom's core infrastructure and security track, explores how environments that rely on FreeIPA as their authoritative DNS can adopt encrypted DNS end-to-end without sacrificing performance or operational clarity.

We present the results of our work integrating encrypted DNS across Fedora systems and Kubernetes clusters while seamlessly interacting with FreeIPA's BIND-based DNS service. Throughout this process, we identified key integration challenges, their practical resolutions, and the tangible security benefits gained from encrypting internal DNS traffic.

To validate the feasibility of this approach at scale, we performed extensive workload and performance tests—covering multiple orders of 1,000+ DNS requests per second—comparing encrypted vs. non-encrypted scenarios. These tests demonstrate how to achieve stronger security guarantees without imposing unacceptable latency or throughput penalties.

As part of this effort, we extended FreeIPA's DNS service with Prometheus-ready metrics, enabling real-time visibility into encrypted DNS performance, request patterns, and system-level statistics. These observability enhancements provide operators with the data required to meet and maintain Zero-Trust mandates.

By the end of the talk, attendees will understand not only how to deploy encrypted DNS in hybrid Fedora and Kubernetes environments, but also how to measure, validate, and operationalize it in a way that fully aligns with Zero-Trust principles.

