Hiding a stealth master...kludge advice needed

Mark_Andrews at isc.org Mark_Andrews at isc.org
Mon Dec 8 22:32:07 UTC 2003


> In the excellent O'Reilly DNS & Bind Cookbook, Cricket Liu lays out a recipe
> (section 7.3) on how to configure a stealth master DNS/Bind server.  I
> blundered my way into implementing this using Bind9 under AIX.
> 
> But it seemed to me that the master wasn't completely hidden, because
> the wily hacker could discover the stealth master's name by doing
> an nslookup of the SOA record and finding it in the MNAME.
> 
> So I put the slave's name in as the MNAME.
> 
> Alas, the IXFR didn't work because the refresh process doesn't notify
> the MNAME...took me a while to figure that out.
> 
> So, I came to the conclusion that I can *make* it work either by
> ==> just putting the raw domain (bard.edu) as the MNAME (is it really
> used for something that will cause grief if kludged like this?)
> OR
> ==> putting the slave back in as the MNAME, but also putting an
> also-notify option statement in the named.conf
> 
> Either seems to work, but are there any gotchas or you-idiots hidden in
> doing this?  Or is there a better way?
> 
> Thanks in advance!

	Why don't you just put access controls on the master?

	The intent of not listing the master in the NS records is
	not to completely hide it.  It is to move normal traffic
	to the other servers.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
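Added illustration (not from the original thread) of what Mark's suggestion and the also-notify approach look like together in named.conf for BIND 9: the master stays out of the NS RRset and SOA MNAME, pushes NOTIFY to the published slaves explicitly, and restricts who may query or transfer from it. The slave addresses and key name are constructed placeholders; bard.edu is the zone from the question.

```conf
// ---- hidden master: named.conf fragment (constructed example) ----
// Published name servers for the zone (placeholder addresses).
acl slaves { 192.0.2.53; 192.0.2.54; };

// Shared secret for transfers; generate your own, this value is a placeholder.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

options {
    // Access controls on the master: only the slaves may transfer or query.
    allow-transfer { key "xfer-key"; };
    allow-query    { slaves; localhost; };
    // Send NOTIFY only to the hosts listed in also-notify, not to the
    // NS RRset, so the SOA MNAME does not have to name this machine.
    notify explicit;
    also-notify { 192.0.2.53; 192.0.2.54; };
};

zone "bard.edu" {
    type master;
    file "bard.edu.zone";   // SOA MNAME here can be a published slave's name
};

// ---- each published slave: named.conf fragment (constructed example) ----
// masters is the hidden master's address; only it may NOTIFY this slave.
// key "xfer-key" { ... } must be defined identically on the slave.
zone "bard.edu" {
    type slave;
    file "slaves/bard.edu.zone";
    masters { 198.51.100.10 key "xfer-key"; };
    allow-notify { 198.51.100.10; };
    allow-transfer { none; };
};
```

With notify explicit, a slave named in the MNAME still receives NOTIFY because it is listed in also-notify, which is the gap the original poster ran into.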