stealth with views?

Barry Margolin barmar at alum.mit.edu
Thu Nov 7 19:23:07 UTC 2013


In article <mailman.1637.1383850377.20661.bind-users at lists.isc.org>,
 Jonathan Reed <cronstate at gmail.com> wrote:

> I'd like my global BIND server to slave a copy of my zone from the master
> being hosted on my LAN. It appears that this is called a stealth setup. I
> figured I'd achieve this by having the secondary on the internet slave a
> view, but I've read that this is not ideal from a security standpoint. The
> argument being that the zone file contains an IP address of its master. So
> what's the best way to do this?

You don't have to put the hidden master in the public zone file.

> 
> A stealth scenario also seems susceptible to a higher chance where the
> connection is lost between master and slave (complicated by a LAN
> firewall/ISP in between) and the expire exceeding. We're hosting our global

Expire time should be at least a week. If your firewall blocks 
connections for that long, you have bigger problems than this.

> DNS through a provider, so there doesn't seem like an easy way to monitor
> and confirm a zone transfer from our master alone. Any recommendations?

-- 
Barry Margolin
Arlington, MA
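The monitoring question in the quoted message (confirming that the public secondary actually picked up the zone, and how close it is to the expire timer) is not answered in the thread. The following is an added example, not code from the thread or from ISC: it takes the SOA rdata text that `dig +short SOA <zone> @<server>` prints (`mname rname serial refresh retry expire minimum`) for the hidden master and for the public secondary, compares serials with RFC 1982 wrap-around arithmetic, and reports how many seconds remain before the secondary would expire the zone. The sample SOA strings and the "seconds since last successful refresh" value are constructed; in practice that age comes from the secondary's transfer log or its zone status, which is assumed here rather than read by the script.

```python
"""Check a public secondary against a hidden master using their SOA records.

Input is the rdata text printed by `dig +short SOA <zone> @<server>`:
    mname rname serial refresh retry expire minimum
"""
from dataclasses import dataclass

WEEK = 7 * 86400          # Barry's floor for the expire field
SERIAL_MOD = 1 << 32      # SOA serials are 32-bit and wrap around
SERIAL_HALF = 1 << 31


@dataclass(frozen=True)
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> Soa:
    """Split the seven SOA fields of a dig +short line into a Soa record."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    return Soa(fields[0], fields[1], serial, refresh, retry, expire, minimum)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: a is newer than b if it is less than 2^31 ahead,
    counting modulo 2^32, so a serial that wrapped past zero still counts as newer."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def check_secondary(master_rdata: str, slave_rdata: str, seconds_since_refresh: int) -> dict:
    """Return a dict of problems plus the seconds left before the secondary expires the zone.

    seconds_since_refresh is the age of the secondary's last successful refresh
    or transfer (assumed to come from its logs; constructed in the demo below).
    """
    problems = []
    master = parse_soa(master_rdata)
    if not slave_rdata.strip():
        # A secondary whose copy has expired stops answering for the zone,
        # so dig prints nothing at all: treat an empty answer as the worst case.
        problems.append("secondary returned no SOA (zone expired or never loaded)")
        return {"problems": problems, "seconds_to_expire": 0,
                "master_serial": master.serial, "secondary_serial": None}
    slave = parse_soa(slave_rdata)
    remaining = slave.expire - seconds_since_refresh
    if remaining <= 0:
        problems.append("expire timer reached; secondary will stop serving the zone")
    if serial_gt(master.serial, slave.serial):
        problems.append(f"secondary is stale: serial {slave.serial} behind master {master.serial}")
    elif serial_gt(slave.serial, master.serial):
        problems.append(f"secondary is ahead of master ({slave.serial} > {master.serial}); "
                        "check which master it is transferring from")
    if slave.expire < WEEK:
        problems.append(f"expire {slave.expire}s is under one week")
    return {"problems": problems, "seconds_to_expire": remaining,
            "master_serial": master.serial, "secondary_serial": slave.serial}


if __name__ == "__main__":
    # Constructed sample SOA rdata; the mname is the public secondary, not the hidden master.
    master = "ns1.example.net. hostmaster.example.com. 2013110701 3600 900 1209600 300"
    stale = "ns1.example.net. hostmaster.example.com. 2013110700 3600 900 1209600 300"
    for label, slave in (("in sync", master), ("stale", stale), ("expired", "")):
        result = check_secondary(master, slave, seconds_since_refresh=3600)
        print(label, result["seconds_to_expire"], result["problems"])
```

Run it once per public secondary from a host that can reach both the hidden master and the secondary; a non-empty `problems` list is what you alert on, and `seconds_to_expire` shrinking across runs is the early warning for a blocked transfer path.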

