stealth with views?

Kevin Darcy kcd at chrysler.com
Thu Nov 7 22:56:12 UTC 2013


There's no requirement that the contents of SOA.MNAME have a matching A 
record in the zone. Even if such a formal requirement existed, you might 
be able to satisfy it by putting an A record of 0.0.0.0 in the zone. 
That doesn't expose much :-)

If you're paranoid about zone expiration, tune the EXPIRE setting really 
high. Just be aware, if you do that, then if you change providers some 
day, your old provider may be serving up a stale version of the zone for 
a while, even if you stop zone transfers to them.

For that matter, you're not limited to using standards-based 
master/slave replication. Many folks use rsync to keep their slave zone 
files in sync with their master (you'd define the zone as "master" 
everywhere and then use some out-of-band mechanism whenever it changes, 
e.g. rndc, to tell the "slaves" to reload the zone). Many commercial DNS 
systems (e.g. Infoblox) have their own proprietary replication 
mechanisms built-in. Once you depart from standards-based master/slave 
replication, then zone expiration has only the meaning that your other 
replication mechanism assigns to it, or perhaps no meaning at all.

I've been running a "hidden master" setup for decades, for all of our 
external-facing zones. It works well. I can't imagine doing it any other 
way -- am I going to expose my real primary master to the Internet? No 
thanks.

                                     - Kevin
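To address the monitoring question in the quoted post (confirming that the provider's public secondaries actually picked up the hidden master's zone) and the concern that the published SOA leaks the master's name, here is an added example, not code from the original thread. It parses `dig +short SOA` answers, compares serials with RFC 1982 serial arithmetic, and flags any public SOA whose MNAME names a host that was meant to stay hidden; the hostnames, serials and the `fetch_soa` helper are assumptions.

```python
import subprocess
from collections import namedtuple

Soa = namedtuple("Soa", "mname rname serial refresh retry expire minimum")

def parse_soa(short_answer):
    """Parse the one line `dig +short SOA <zone> @<server>` prints."""
    f = short_answer.split()
    if len(f) != 7:
        raise ValueError("unexpected SOA answer: %r" % short_answer)
    return Soa(f[0], f[1], *map(int, f[2:]))

def serial_behind(master, secondary):
    """RFC 1982 serial arithmetic: True if secondary is older than master."""
    return secondary != master and (master - secondary) % 2**32 < 2**31

def stale_secondaries(master_answer, secondary_answers):
    """Map each lagging secondary to how many serials behind the master it is."""
    master = parse_soa(master_answer)
    lagging = {}
    for server, answer in secondary_answers.items():
        sec = parse_soa(answer)
        if serial_behind(master.serial, sec.serial):
            lagging[server] = (master.serial - sec.serial) % 2**32
    return lagging

def mname_exposes(answer, hidden_hosts):
    """True if the public SOA's MNAME names a host meant to stay hidden."""
    norm = lambda n: n.rstrip(".").lower()
    return norm(parse_soa(answer).mname) in {norm(h) for h in hidden_hosts}

def fetch_soa(server, zone):
    """Live query for real use; assumes `dig` is installed. Not called offline."""
    cmd = ["dig", "+short", "SOA", zone, "@" + server]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()

# Constructed sample answers: hostnames and serials are made up, no real queries.
MASTER_ANSWER = "hidden.example.com. hostmaster.example.com. 2013110702 3600 900 604800 86400"
SECONDARY_ANSWERS = {
    "ns1.provider.example": MASTER_ANSWER,
    "ns2.provider.example": "hidden.example.com. hostmaster.example.com. 2013110701 3600 900 604800 86400",
}

if __name__ == "__main__":
    for server, behind in stale_secondaries(MASTER_ANSWER, SECONDARY_ANSWERS).items():
        print("%s is %d serial(s) behind the hidden master" % (server, behind))
    for server, answer in SECONDARY_ANSWERS.items():
        if mname_exposes(answer, {"hidden.example.com"}):
            print("%s publishes an SOA MNAME that names the hidden master" % server)
```

Run it from the LAN (where the hidden master answers) on a cron schedule shorter than the zone's REFRESH so a stalled transfer is noticed long before EXPIRE is reached.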


On 11/7/2013 1:52 PM, Jonathan Reed wrote:
> I'd like my global BIND server to slave a copy of my zone from the 
> master being hosted on my LAN. It appears that this is called a 
> stealth setup. I figured I'd achieve this by having the secondary on 
> the internet slave a view, but I've read that this is not ideal from a 
> security standpoint. The argument being that the zone file contains an 
> IP address of its master. So what's the best way to do this?
>
> A stealth scenario also seems susceptible to a higher chance where the 
> connection is lost between master and slave (complicated by a LAN 
> firewall/ISP in between) and the expire exceeding. We're hosting our 
> global DNS through a provider, so there doesn't seem like an easy way 
> to monitor and confirm a zone transfer from our master alone. Any 
> recommendations?
