Setup a hidden master

Mark Tinka mark at tinka.africa
Tue Feb 15 07:16:13 UTC 2022



On 2/15/22 09:06, Andrew Baker via bind-users wrote:


> Dear List,
>
> We are based in the middle east and manage a lot of domains across a 
> lot of tld’s including regional ones. Not all registrars are equal and 
> the DNS services of several weren’t offering what we required. For a 
> number of operational and political reasons, it was decided to set up a 
> distributed public DNS for our domains that we managed. It was an 
> interesting project as it’s the first time we’ve used bind in anger.
>
> We now have a master and two slave DNS servers in two of our DC’s in 
> the region and have additional slaves outside the region to provide DR 
> resilience for around 40% of our domains that are actually active. 
> Everything is running smoothly now, and I’d like to take one final 
> step to make the master DNS hidden and leave the slaves to handle all 
> the requests.
>
> I can see two possible ways of doing this….
>
>  1. Configure the “allow queries from” to just the slave servers
>  2. Set up rules on our external firewall to block requests from
>     anything other than the slave servers
>

I'd take the masters off the registrar NS list, and just leave the slaves.

DNS queries won't be sent to name servers that aren't listed as 
authoritative for the zone.

In the background, the master will still control the zones and notify 
the slaves of any record changes.

I suppose you can add a firewall rule on the masters to block unwanted 
requests, but I try to make things as complicated as possible, and no 
more so.

Mark.
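A minimal BIND configuration for the arrangement Mark describes (master removed from the NS set, secondaries notified and fed by zone transfer), added here as an illustration and not taken from either poster; the zone name, the addresses and the ACL name are placeholders.

```conf
// --- on the hidden master (this host appears in no NS record) ---
acl "secondaries" { 192.0.2.10; 192.0.2.11; 198.51.100.20; };  // placeholder addresses

options {
    // Restrict who may query the master at all (Andrew's option 1);
    // a firewall rule in front of it is an independent second layer.
    allow-query { "secondaries"; localhost; };
    recursion no;
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    // "explicit": NOTIFY goes only to the also-notify list, not to the
    // zone's NS records, so the secondaries learn of changes even though
    // the master is absent from the NS set.
    notify explicit;
    also-notify    { 192.0.2.10; 192.0.2.11; 198.51.100.20; };
    allow-transfer { "secondaries"; };
};

// --- on each public secondary ---
zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters        { 203.0.113.5; };   // the hidden master's address (placeholder)
    allow-notify   { 203.0.113.5; };   // accept NOTIFY only from the master
    allow-transfer { none; };          // public servers answer queries, not AXFR
};
```

The zone's NS records and the registrar's delegation then list only the public secondaries, and `dig NS example.com` against an outside resolver confirms the master no longer appears. Newer BIND releases also accept `type primary`/`type secondary` and `primaries` in place of the older keywords used above.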