stealth with views?
Sten Carlsen
stenc at s-carlsen.dk
Thu Nov 7 19:10:34 UTC 2013
This is pretty much what I do.
I have one server behind a NAT with two views: internal, resolving, has
all internal names; external, not resolving, has the master for my zones.
My DNS provider slaves my zones off the master on my LAN. I have not put
my master's IP in the zone data; what is in the file is not important.
Slaves transfer the zone data, not the file. I just checked and cannot
find any trace of my IP in the output from the public servers.
I can check in my log when the slaves transfer the data; I have not had
any case where data ran out, as I set TTLs high enough.
I see a major panic when my ISP gives me a new IP (happens rarely, but
has happened); then I need to tell the slaves that a new master is in
place. It can be done, but must be done right for this provider.
On 07/11/13 19.52, Jonathan Reed wrote:
> I'd like my global BIND server to slave a copy of my zone from the
> master being hosted on my LAN. It appears that this is called a
> stealth setup. I figured I'd achieve this by having the secondary on
> the internet slave a view, but I've read that this is not ideal from a
> security standpoint. The argument being that the zone file contains an
> IP address of its master. So what's the best way to do this?
>
> A stealth scenario also seems susceptible to a higher chance where the
> connection is lost between master and slave (complicated by a LAN
> firewall/ISP in between) and the expire exceeding. We're hosting our
> global DNS through a provider, so there doesn't seem like an easy way
> to monitor and confirm a zone transfer from our master alone. Any
> recommendations?
>
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
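An added example for the monitoring half of Jonathan's question; it is not part of Sten's or Jonathan's posts. The script runs on the LAN side (where the hidden master in the external view is reachable) and compares the SOA serial each of the provider's public slaves answers with against the master's own serial. It remembers, per slave, when it was last in sync and warns once a slave has been behind for half the zone's SOA expire value, because a slave that cannot reach the master for longer than expire drops the zone and stops answering for it. Serial comparison follows RFC 1982 so a serial rollover is not mistaken for a slave that is ahead of the master. The zone name example.net, the master address 192.0.2.10, the slave names ns1/ns2.provider.example and the state directory are all placeholders.

```shell
#!/bin/sh
# soa-watch: check from the master side that a provider's public slaves
# are keeping a hidden master's zone current.  Added example, not code
# from the thread.  All addresses and names below are placeholders.
ZONE="${ZONE:-example.net}"
MASTER="${MASTER:-192.0.2.10}"                           # hidden master (LAN)
SLAVES="${SLAVES:-ns1.provider.example ns2.provider.example}"
STATE_DIR="${STATE_DIR:-/var/tmp/soa-watch}"             # last-in-sync timestamps

# RFC 1982 serial arithmetic: succeed when serial $1 is newer than serial $2.
# The wrapped difference modulo 2^32 must be in (0, 2^31).
serial_gt() {
    a=$1; b=$2
    if [ "$a" -eq "$b" ]; then return 1; fi
    d=$(( (a - b + 4294967296) % 4294967296 ))
    if [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]; then return 0; fi
    return 1
}

# assess MASTER_SERIAL SLAVE_SERIAL EXPIRE LAST_OK NOW
# Prints one word: insync, lagging, at-risk, expired or ahead.
#   lagging  - slave is behind, but well inside the expire window
#   at-risk  - behind for at least half of expire; investigate now
#   expired  - behind for expire or longer; the slave has dropped the zone
#   ahead    - slave serial is newer than the master's: it is being fed
#              by someone else, or the master was restored from old data
assess() {
    m=$1; s=$2; expire=$3; last_ok=$4; now=$5
    if [ "$s" -eq "$m" ]; then echo insync; return 0; fi
    if serial_gt "$m" "$s"; then
        lag=$((now - last_ok))
        if [ "$lag" -ge "$expire" ]; then echo expired
        elif [ "$lag" -ge $((expire / 2)) ]; then echo at-risk
        else echo lagging
        fi
        return 0
    fi
    echo ahead
    return 0
}

# Query the master and every slave with dig and report per slave.
# Returns 1 if any slave is at-risk, expired or ahead.
check_all() {
    mkdir -p "$STATE_DIR"
    now=$(date +%s)
    master_soa=$(dig +short +time=3 +tries=1 @"$MASTER" "$ZONE" SOA)
    # dig +short SOA prints: mname rname serial refresh retry expire minimum
    set -- $master_soa
    master_serial=$3; expire=$6
    if [ -z "$master_serial" ]; then
        echo "no SOA answer from master $MASTER for $ZONE"; return 2
    fi
    rc=0
    for srv in $SLAVES; do
        state="$STATE_DIR/$ZONE.$srv"
        if [ -f "$state" ]; then last_ok=$(cat "$state"); else last_ok=$now; fi
        slave_soa=$(dig +short +time=3 +tries=1 @"$srv" "$ZONE" SOA)
        set -- $slave_soa
        slave_serial=${3:-0}                  # 0 = no answer / zone gone
        status=$(assess "$master_serial" "$slave_serial" "$expire" "$last_ok" "$now")
        if [ "$status" = insync ]; then echo "$now" > "$state"; fi
        echo "$srv serial=$slave_serial master=$master_serial expire=$expire $status"
        case $status in insync|lagging) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Run the live check only when asked, so the functions can be sourced/tested.
case "${1:-}" in check) check_all ;; esac
```

Run it from cron as `soa-watch check` and alert on a non-zero exit; because the state file is only rewritten while a slave is in sync, a slave that silently stops transferring is caught long before its copy expires, without any access to the provider's logs.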