"Hidden Master" visible slave
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jan 11 22:26:25 UTC 2006
carcarx at hotmail.com wrote:
>No, it's not a big-budget Chinese kung-fu movie. ;-)
>
>We want to set up a DNS server for departmental administrators to
>maintain
>their own zones, but not "mess" with our primary nameservers.
>
>Our idea is to have that "departmental" nameserver master some zones
>with our primary nameservers being the slaves for those zones, but
>we don't want the departmental server to be visible to the internet.
>
Well, you can hide the *contents* of the departmental zones from
Internet clients, just by putting allow-query restrictions on them. If
you want to hide the fact that the zones exist, however, then that
requires a little more work. The "proper" way is to maintain two
different versions of your DNS in parallel -- the internal version,
which would have those subzone delegations in it, and the external
version, which wouldn't.
>Since the authoritative server for those zones won't be visible the
>clients should look to the visible ones (with some delay).
>
I assume what you're describing here is publishing a mixture of
Internet-reachable and non-Internet reachable nameservers in your zones.
That may _work_, but it's a really messy and kludgey way to go about
things. Really, you shouldn't be publishing internal nameserver
information to the Internet.
>Any docs about how to automatically avoid referrals to the departmental
>server (aside from tcp/ip rerouting trickery).
>
Not sure I understand what you mean by "referrals" in this context.
Since your "primary nameservers" in this case are slaves for the
subzones, they'll be sending back "real" responses or REFUSED responses,
depending on your allow-query settings. Referrals would only come from a
nameserver that was non-authoritative for a particular zone, but
authoritative for one of its ancestor zones (e.g. a TLD server when
queried for www.<something>.<TLD>).
Perhaps instead of "avoid[ing] referrals", you meant just selectively
suppressing certain NS records from responses going back to the Internet
(??). BIND has no such ability to "edit" responses arbitrarily on the
fly, although the "minimal-responses" option at least suppresses *all*
NS records in the cases where they are not mandatory. I don't think that
covers all cases though; you could still get some "leakage".
- Kevin
More information about the bind-users
mailing list