exposure of hidden-master stealth dns server on public-facing authoritative slave

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite
1












In a typical hidden-master DNS network layout, there are basically two components:



  • hidden master DNS server, may be behind a NAT or firewall, or be totally exposed

  • slave authoritative non-recursive DNS server(s)

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.



While at first, those required server and allow-update seem to require IP address match list. This leaves the named.conf as the primary source of such stealth information (ie. IP address of the hidden-master).



Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?



Key answer I’m looking for is whether or not we can minimize exposure of hidden-master at the level of its configuration file as well as in zone databases.









share



























    up vote
    2
    down vote

    favorite
    1












    In a typical hidden-master DNS network layout, there are basically two components:



    • hidden master DNS server, may be behind a NAT or firewall, or be totally exposed

    • slave authoritative non-recursive DNS server(s)

    Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.



    While at first, those required server and allow-update seem to require IP address match list. This leaves the named.conf as the primary source of such stealth information (ie. IP address of the hidden-master).



    Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?



    Key answer I’m looking for is whether or not we can minimize exposure of hidden-master at the level of its configuration file as well as in zone databases.









    share

























      up vote
      2
      down vote

      favorite
      1









      up vote
      2
      down vote

      favorite
      1






      1





      In a typical hidden-master DNS network layout, there are basically two components:



      • hidden master DNS server, may be behind a NAT or firewall, or be totally exposed

      • slave authoritative non-recursive DNS server(s)

      Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.



      While at first, those required server and allow-update seem to require IP address match list. This leaves the named.conf as the primary source of such stealth information (ie. IP address of the hidden-master).



      Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?



      Key answer I’m looking for is whether or not we can minimize exposure of hidden-master at the level of its configuration file as well as in zone databases.









      share















      In a typical hidden-master DNS network layout, there are basically two components:



      • hidden master DNS server, may be behind a NAT or firewall, or be totally exposed

      • slave authoritative non-recursive DNS server(s)

      Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.



      While at first, those required server and allow-update seem to require IP address match list. This leaves the named.conf as the primary source of such stealth information (ie. IP address of the hidden-master).



      Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?



      Key answer I’m looking for is whether or not we can minimize exposure of hidden-master at the level of its configuration file as well as in zone databases.







      bind internal-dns dns-hosting





      share














      share












      share



      share








      edited 1 hour ago

























      asked 3 hours ago









      Egbert S

      386217




      386217




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          3
          down vote














          Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.




          They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.




          But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.




          The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.






          share|improve this answer






















          • Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
            – Egbert S
            2 hours ago











          • Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
            – Egbert S
            2 hours ago










          • Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
            – Tom
            1 hour ago










          • @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
            – Tom
            1 hour ago










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f936305%2fexposure-of-hidden-master-stealth-dns-server-on-public-facing-authoritative-slav%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          3
          down vote














          Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.




          They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.




          But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.




          The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.






          share|improve this answer






















          • Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
            – Egbert S
            2 hours ago











          • Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
            – Egbert S
            2 hours ago










          • Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
            – Tom
            1 hour ago










          • @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
            – Tom
            1 hour ago














          up vote
          3
          down vote














          Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.




          They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.




          But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.




          The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.






          share|improve this answer






















          • Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
            – Egbert S
            2 hours ago











          • Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
            – Egbert S
            2 hours ago










          • Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
            – Tom
            1 hour ago










          • @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
            – Tom
            1 hour ago












          up vote
          3
          down vote










          up vote
          3
          down vote










          Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.




          They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.




          But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.




          The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.






          share|improve this answer















          Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.




          They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.




          But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.




          The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 1 hour ago

























          answered 2 hours ago









          Tom

          1,287221




          1,287221











          • Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
            – Egbert S
            2 hours ago











          • Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
            – Egbert S
            2 hours ago










          • Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
            – Tom
            1 hour ago










          • @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
            – Tom
            1 hour ago
















          • Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
            – Egbert S
            2 hours ago











          • Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
            – Egbert S
            2 hours ago










          • Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
            – Tom
            1 hour ago










          • @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
            – Tom
            1 hour ago















          Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
          – Egbert S
          2 hours ago





          Will we be able to avoid the use of IP address inservers option by using key(s) (for a match-list)?
          – Egbert S
          2 hours ago













          Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
          – Egbert S
          2 hours ago




          Key answer I’m looking for is whether or not we can minimize exposure at configuration file as well as in zone databases.
          – Egbert S
          2 hours ago












          Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
          – Tom
          1 hour ago




          Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address.
          – Tom
          1 hour ago












          @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
          – Tom
          1 hour ago




          @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question?
          – Tom
          1 hour ago

















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f936305%2fexposure-of-hidden-master-stealth-dns-server-on-public-facing-authoritative-slav%23new-answer', 'question_page');

          );

          Post as a guest













































































          Comments

          Popular posts from this blog

          What does second last employer means? [closed]

          Installing NextGIS Connect into QGIS 3?

          One-line joke