stealth with views?

Sten Carlsen stenc at s-carlsen.dk
Thu Nov 7 19:10:34 UTC 2013


This is pretty much what I do.

I have one server behind a NAT with two views: internal, resolving, which has
all internal names; external, not resolving, which has the master for my zones.

My DNS provider slaves my zones off the master on my LAN. I have not put
my master's IP in the zone data; what is in the file is not important.
Slaves transfer the zone data, not the file. I just checked and cannot
find any trace of my IP in the output from the public servers.

I can check in my log when the slaves transfer the data. I have not had
any case where data ran out; I set TTLs high enough.

I see a major panic when my ISP gives me a new IP (happens rarely, but
it has happened); then I need to tell the slaves that a new master is in
place. It can be done, but must be done right for this provider.


On 07/11/13 19.52, Jonathan Reed wrote:
> I'd like my global BIND server to slave a copy of my zone from the
> master being hosted on my LAN. It appears that this is called a
> stealth setup. I figured I'd achieve this by having the secondary on
> the internet slave a view, but I've read that this is not ideal from a
> security standpoint. The argument being that the zone file contains an
> IP address of its master. So what's the best way to do this?
>
> A stealth scenario also seems susceptible to a higher chance where the
> connection is lost between master and slave (complicated by a LAN
> firewall/ISP in between) and the expire exceeding. We're hosting our
> global DNS through a provider, so there doesn't seem like an easy way
> to monitor and confirm a zone transfer from our master alone. Any
> recommendations?

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
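A configuration sketch of the setup Sten describes (one BIND server behind a NAT, an internal resolving view with the LAN names, and an external authoritative-only view that the provider's slaves transfer from). This is an added example, not taken from Sten's server or from the thread; everything in it is assumed: the zone name, the ACL addresses (RFC 5737 documentation ranges), the TSIG key name and the file paths.

```conf
// Added example: hidden-master named.conf with two views.
// All addresses, names and paths are placeholders.

key "provider-xfer" {
    algorithm hmac-sha256;
    secret "<base64 secret shared with the provider>";
};

acl "lan"             { 192.168.1.0/24; 127.0.0.1; };
acl "provider-slaves" { 198.51.100.10; 198.51.100.11; };

options {
    directory "/var/named";
    listen-on { any; };
    allow-query { none; };          // the views decide who may ask what
};

view "internal" {
    match-clients   { "lan"; };
    recursion       yes;
    allow-recursion { "lan"; };
    allow-query     { "lan"; };
    allow-transfer  { none; };      // internal names never leave the LAN

    zone "example.net" {
        type master;
        file "internal/example.net.zone";   // LAN hosts, including the NAT box
    };
    // root hints or forwarders for the resolving side go here
};

view "external" {
    // Only the provider's slaves, arriving through the NAT port-forward of
    // TCP/UDP 53, reach this view; everyone else gets no matching view.
    match-clients  { key "provider-xfer"; "provider-slaves"; };
    recursion      no;
    allow-query    { "provider-slaves"; };
    allow-transfer { key "provider-xfer"; };
    notify         yes;
    also-notify    { 198.51.100.10; 198.51.100.11; };

    zone "example.net" {
        type master;
        file "external/example.net.zone";
        // The NS records in this file name only the provider's servers,
        // e.g.  @  IN NS ns1.provider.example.
        // so the transferred zone data never carries the master's address.
    };
};
```

Because the external view matches on the TSIG key and the provider's source addresses rather than on "any", the hidden master answers nobody else on the Internet, and `also-notify` makes the slaves pull a new serial right away instead of waiting for the SOA refresh timer. When the ISP hands out a new address, the zone data does not change, but the provider's configured master address does, which is the step Sten says has to be done right.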
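Jonathan asks how to confirm from outside the LAN that the provider's slaves actually picked up a transfer, and Sten watches his own logs and relies on a generous expire. The check below is an added example, not code from either poster: it compares the SOA serial the hidden master holds with what each public slave answers (using the RFC 1982 wrap-around comparison BIND itself uses), reports how long a slave could keep serving the zone after losing contact with the master, and scans the public answers for the master's address the way Sten did by hand. The SOA lines, server addresses and master IP are constructed placeholders; in practice they would be the output of `dig +short SOA <zone> @<server>` and similar queries.

```python
"""Added example (not from the thread): sanity checks for a hidden-master
setup, run against the answers that `dig +short` returns from the public
slaves.  All data below is constructed; addresses are RFC 5737 ranges."""

from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Parse the seven-field line printed by `dig +short SOA <zone>`."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    mname, rname, *numbers = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in numbers)
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is a newer than b, allowing 32-bit wrap?"""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def check_slaves(master_soa: str, slave_soas: Dict[str, str]) -> Dict[str, str]:
    """Classify each public slave against the serial the hidden master holds."""
    master = parse_soa(master_soa)
    report = {}
    for server, rdata in slave_soas.items():
        slave = parse_soa(rdata)
        if slave.serial == master.serial:
            report[server] = "in sync"
        elif serial_gt(master.serial, slave.serial):
            report[server] = "behind master"   # notify/transfer not done yet
        else:
            # A slave ahead of the master usually means the master's serial
            # was rolled back or the slave is loading the zone from elsewhere.
            report[server] = "ahead of master"
    return report


def seconds_until_expire(soa: SOA, seconds_since_last_refresh: int) -> int:
    """Outage budget: a slave that cannot refresh for longer than the SOA
    expire value stops answering for the zone."""
    return max(0, soa.expire - seconds_since_last_refresh)


def master_leaks(public_answers: Iterable[str], master_ip: str) -> bool:
    """True if any public answer (NS, A, SOA, ...) mentions the hidden master."""
    return any(master_ip in answer for answer in public_answers)


# --- constructed sample data (placeholders, not real servers) -------------
MASTER_IP = "203.0.113.5"   # the hidden master behind the NAT
MASTER_SOA = "ns1.provider.example. hostmaster.example.net. 2013110702 3600 900 1209600 300"
SLAVE_SOAS = {
    "198.51.100.10": "ns1.provider.example. hostmaster.example.net. 2013110702 3600 900 1209600 300",
    "198.51.100.11": "ns1.provider.example. hostmaster.example.net. 2013110701 3600 900 1209600 300",
}
PUBLIC_ANSWERS = [  # e.g. `dig +short NS example.net @198.51.100.10` and A lookups
    "ns1.provider.example.",
    "ns2.provider.example.",
    "198.51.100.10",
]

if __name__ == "__main__":
    for server, state in check_slaves(MASTER_SOA, SLAVE_SOAS).items():
        print(f"{server}: {state}")
    soa = parse_soa(MASTER_SOA)
    print("seconds left before a slave expires the zone:",
          seconds_until_expire(soa, 1_000_000))
    print("master address visible in public answers:",
          master_leaks(PUBLIC_ANSWERS, MASTER_IP))
```

The master's own serial is the one thing this cannot fetch from outside the NAT, so it has to come from the LAN side (a `dig` at the master, or the serial in the zone file); run from a cron job with the real `dig` output substituted, a slave that stays "behind master" across a refresh interval is the missed transfer Jonathan wants to be told about.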
