exposure of hidden-master stealth dns server on public-facing authoritative slave

Clash Royale CLAN TAG#URR8PPP

up vote
2
down vote

favorite

1

In a typical hidden-master DNS network layout, there are basically two components:

• hidden master DNS server, may be behind a NAT or firewall, or be totally exposed


• slave authoritative non-recursive DNS server(s)

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

While at first, those required server and allow-update seem to require IP address match list. This leaves the named.conf as the primary source of such stealth information (ie. IP address of the hidden-master).

Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?

Key answer I’m looking for is whether or not we can minimize exposure of hidden-master at the level of its configuration file as well as in zone databases.

bind internal-dns dns-hosting

share

edited 1 hour ago

asked 3 hours ago

Egbert S

386217

add a comment | 

up vote
2
down vote

favorite

1

In a typical hidden-master DNS network layout, there are basically two components:

• hidden master DNS server, may be behind a NAT or firewall, or be totally exposed


• slave authoritative non-recursive DNS server(s)

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

While at first, those required server and allow-update seem to require IP address match list. This leaves the named.conf as the primary source of such stealth information (ie. IP address of the hidden-master).

Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?

Key answer I’m looking for is whether or not we can minimize exposure of hidden-master at the level of its configuration file as well as in zone databases.

bind internal-dns dns-hosting

share

edited 1 hour ago

asked 3 hours ago

Egbert S

386217

add a comment | 

up vote
2
down vote

favorite

1

up vote
2
down vote

favorite

1

1

In a typical hidden-master DNS network layout, there are basically two components:

• hidden master DNS server, may be behind a NAT or firewall, or be totally exposed


• slave authoritative non-recursive DNS server(s)

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

While at first, those required server and allow-update seem to require IP address match list. This leaves the named.conf as the primary source of such stealth information (ie. IP address of the hidden-master).

Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?

Key answer I’m looking for is whether or not we can minimize exposure of hidden-master at the level of its configuration file as well as in zone databases.

bind internal-dns dns-hosting

share

edited 1 hour ago

asked 3 hours ago

Egbert S

386217

In a typical hidden-master DNS network layout, there are basically two components:

• hidden master DNS server, may be behind a NAT or firewall, or be totally exposed


• slave authoritative non-recursive DNS server(s)

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

While at first, those required server and allow-update seem to require IP address match list. This leaves the named.conf as the primary source of such stealth information (ie. IP address of the hidden-master).

Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?

Key answer I’m looking for is whether or not we can minimize exposure of hidden-master at the level of its configuration file as well as in zone databases.

bind internal-dns dns-hosting

bind internal-dns dns-hosting

share

edited 1 hour ago

asked 3 hours ago

Egbert S

386217

share

edited 1 hour ago

asked 3 hours ago

Egbert S

386217

share

share

edited 1 hour ago

edited 1 hour ago

edited 1 hour ago

asked 3 hours ago

Egbert S

386217

asked 3 hours ago

Egbert S

386217

asked 3 hours ago

Egbert S

386217

386217

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

up vote
3
down vote

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.

They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.

But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Tom

1,287221

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
  – Egbert S
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
  – Egbert S
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
  – Tom
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
  – Tom
  1 hour ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f936305%2fexposure-of-hidden-master-stealth-dns-server-on-public-facing-authoritative-slav%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
3
down vote

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.

They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.

But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Tom

1,287221

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
  – Egbert S
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
  – Egbert S
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
  – Tom
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
  – Tom
  1 hour ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.

They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.

But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Tom

1,287221

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
  – Egbert S
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
  – Egbert S
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
  – Tom
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
  – Tom
  1 hour ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

up vote
3
down vote

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.

They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.

But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Tom

1,287221

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.

They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.

But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Tom

1,287221

share|improve this answer

share|improve this answer

edited 1 hour ago

edited 1 hour ago

edited 1 hour ago

answered 2 hours ago

Tom

1,287221

answered 2 hours ago

Tom

1,287221

answered 2 hours ago

Tom

1,287221

1,287221

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
  – Egbert S
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
  – Egbert S
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
  – Tom
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
  – Tom
  1 hour ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
  – Egbert S
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
  – Egbert S
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
  – Tom
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
  – Tom
  1 hour ago
  

  
  
  
  

Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
– Egbert S
2 hours ago

Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
– Egbert S
2 hours ago

Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
– Egbert S
2 hours ago

Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
– Egbert S
2 hours ago

Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
– Tom
1 hour ago

Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
– Tom
1 hour ago

@EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
– Tom
1 hour ago

@EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
– Tom
1 hour ago

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f936305%2fexposure-of-hidden-master-stealth-dns-server-on-public-facing-authoritative-slav%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email