Setup a hidden master

Andrew Baker a.baker at salaminternational.com
Tue Feb 15 07:06:28 UTC 2022


Dear List,
We are based in the Middle East and manage a lot of domains across a lot of TLDs, including regional ones. Not all registrars are equal, and the DNS services of several weren't offering what we required. For a number of operational and political reasons, it was decided to set up a distributed public DNS for our domains that we managed. It was an interesting project as it's the first time we've used BIND in anger.

We now have a master and two slave DNS servers in two of our DCs in the region and have additional slaves outside the region to provide DR resilience for around 40% of our domains that are actually active. Everything is running smoothly now, and I'd like to take one final step to make the master DNS hidden and leave the slaves to handle all the requests.
I can see two possible ways of doing this...

  1.  Configure the "allow queries from" to just the slave servers
  2.  Set up rules on our external firewall to block requests from anything other than the slave servers

Which of the above is the better option? Should I do both, or is there something else I should be doing instead of/as well?

My other question relates to the domain registrars. Once I "hide" the master server, do I also need to remove it from the list of name servers for the domain on the registrars' sites, or is it OK to leave it even though it can't be queried?

Thanks in advance

Andy Baker
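
Option 1 from the list in the message above, written out as a named.conf fragment for the master. This is an added example, not part of the original post or of the poster's configuration; the addresses (documentation ranges), the zone name and the file path are placeholders.

```conf
// named.conf on the master. Constructed example: every address,
// the zone name and the file path below are placeholders.
acl secondaries {
    192.0.2.53;       // in-region slave 1 (placeholder)
    198.51.100.53;    // in-region slave 2 (placeholder)
    203.0.113.53;     // out-of-region DR slave (placeholder)
};

options {
    recursion no;     // authoritative-only server

    // Answer queries only from the slaves and from the host itself.
    // The slaves must stay in this list: they query the master for
    // the zone's SOA record before deciding whether to transfer.
    allow-query    { localhost; secondaries; };

    // Zone transfers (AXFR/IXFR) only to the slaves.
    allow-transfer { secondaries; };
};

zone "example.com" {
    type master;
    file "zones/example.com.db";

    // Send NOTIFY only to the servers listed in also-notify,
    // rather than deriving the targets from the zone's NS records.
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; 203.0.113.53; };
};
```

`named-checkconf` parses the file and reports syntax errors before the server is reloaded.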
