exposure of hidden-master stealth dns server on public-facing authoritative slave
In a typical hidden-master DNS network layout, there are basically two components:
- hidden master DNS server, which may be behind a NAT or firewall, or be totally exposed
- slave authoritative non-recursive DNS server(s)
Zone files on slave DNS servers often do not (and should not) have information about this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.
At first, those required server and allow-update options seem to require an IP address match list. This leaves the named.conf as the primary source of such stealth information (i.e. the IP address of the hidden master).
Can such exposure of the IP address of the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?
The key answer I'm looking for is whether or not we can minimize exposure of the hidden master at the level of its configuration file as well as in zone databases.
bind internal-dns dns-hosting
edited 1 hour ago
asked 3 hours ago
Egbert S
1 Answer
"Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server."
They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.
"But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs."
The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc. statements. That way you do not need to specify the IP address of the hidden master server.
edited 1 hour ago
answered 2 hours ago
Tom
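As an added example (not part of the question or the answer), a slave's named.conf fragment in which the transfer and notify ACLs are restricted by TSIG key rather than by source address; the key name, the secret placeholder, 192.0.2.10 and example.com are assumptions. The caveat a practitioner should expect: BIND accepts `key <name>` in any address match list, but its `masters` statement still needs an address to pull the zone from, so the key-only approach removes the hidden master's IP from the ACLs but not from the masters list.

```conf
// Added example, not from the original post. 192.0.2.10, the key name and
// example.com are placeholders; the secret is generated with tsig-keygen.
key "hidden-master-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

// Named masters list: the hidden master's address appears in exactly one
// place. BIND requires an IP address here; a key alone is not enough,
// because the slave must know where to send its SOA/AXFR/IXFR queries.
masters hidden-master {
    192.0.2.10 key "hidden-master-key";
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { hidden-master; };

    // Address match lists accept "key <name>", so these ACLs carry no IP
    // address: a NOTIFY or zone-transfer request is accepted only if it is
    // TSIG-signed with the shared key, whatever its source address.
    allow-notify   { key "hidden-master-key"; };
    allow-transfer { key "hidden-master-key"; };
};
```

Because the ACLs no longer pin a source address, protection of the shared secret on both hosts is what keeps NOTIFY and transfers restricted to the hidden master.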
Will we be able to avoid the use of an IP address in the servers option by using key(s) (for a match-list)?
– Egbert S
2 hours ago
The key answer I'm looking for is whether or not we can minimize exposure in the configuration file as well as in zone databases.
– Egbert S
2 hours ago
Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
– Tom
1 hour ago
@EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
– Tom
1 hour ago