Hiding a stealth master...kludge advice needed

Kevin Darcy kcd at daimlerchrysler.com
Mon Dec 8 22:02:09 UTC 2003


Stewart Dean wrote:

>In the excellent O'Reilly DNS & Bind Cookbook, Cricket Liu lays out a recipe
>(section 7.3) on how to configure a stealth master DNS/Bind server.  I
>blundered my way into implementing this using Bind9 under AIX.
>
>But it seemed to me that the master wasn't completely hidden, because
>the wily hacker could discover the stealth master's name by doing
>an nslookup of the SOA record and finding it in the MNAME.
>
>So I put the slave's name in as the MNAME.
>
>Alas, the IXFR didn't work because the refresh process doesn't notify
>the MNAME...took me a while to figure that out.
>
>So, I came to the conclusion that I can *make* it work either by
>==> just putting the raw domain (bard.edu) as the MNAME (is it really
>used for something that will cause grief if kludged like this?)
>OR
>==> putting the slave back in as the MNAME, but also putting an
>also-notify option statement in the named.conf
>
>Either seems to work, but are there any gotchas or you-idiots hidden in
>doing this?  Or is there a better way?
>
Either way should work. As far as I can recall, the MNAME is only used 
for NOTIFY and Dynamic Update. If you've already taken care of NOTIFY, 
and are not using Dynamic Update, then whatever you put in the MNAME 
shouldn't really matter.

                                             - Kevin
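The second option above (slave named in the SOA MNAME, NOTIFY driven by also-notify), sketched as an added named.conf example that is not from the thread or from BIND's own documentation. Assumed names and addresses: hidden master at 192.0.2.1, published slave ns1.example.com at 192.0.2.2, zone example.com; the zone file on the master carries "example.com. IN SOA ns1.example.com. hostmaster.example.com. ..." so the MNAME names the slave.

```conf
// ---- named.conf on the hidden master (assumed 192.0.2.1) ----
options {
    listen-on { 192.0.2.1; };
    recursion no;
    // Only the published slave may pull the zone.
    allow-transfer { 192.0.2.2; };
    // Do not derive NOTIFY targets from the NS set or MNAME;
    // send NOTIFY only to the also-notify list.
    notify explicit;
    also-notify { 192.0.2.2; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    // Only needed if Dynamic Update is in use: accept updates the
    // slave forwards on (see allow-update-forwarding below).
    // allow-update { 192.0.2.2; };
};

// ---- named.conf on the published slave (assumed 192.0.2.2) ----
options {
    recursion no;
    allow-transfer { none; };
};

zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters { 192.0.2.1; };
    // Accept NOTIFY only from the hidden master.
    allow-notify { 192.0.2.1; };
    // Only needed if Dynamic Update is in use: clients send updates to
    // the MNAME (this host), which forwards them to the hidden master.
    // allow-update-forwarding { 192.0.2.0/24; };
};
```

After loading, `dig +short SOA example.com @192.0.2.2` should show ns1.example.com in the MNAME field, and the master's own name should appear in no public record.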