Setup a hidden master

Andrew Baker a.baker at salaminternational.com
Tue Feb 15 07:16:53 UTC 2022


Thanks for the quick response and confirmation, Ondřej.

You have helped take my paranoia levels down at least one notch!

Andy Baker


From: Ondřej Surý <ondrej at isc.org>
Sent: Tuesday, February 15, 2022 10:12 AM
To: Andrew Baker <a.baker at salaminternational.com>
Cc: bind-users at lists.isc.org
Subject: Re: Setup a hidden master

Hi,

Do both, or at least the firewall.

But you absolutely must remove the hidden primary from the list of NS both in the parent and child zones. That’s the most important thing to do. Start with that, the rest is just additional layers.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.


On 15. 2. 2022, at 8:06, Andrew Baker via bind-users <bind-users at lists.isc.org> wrote:

Dear List,
We are based in the Middle East and manage a lot of domains across a lot of TLDs, including regional ones. Not all registrars are equal, and the DNS services of several weren’t offering what we required. For a number of operational and political reasons, it was decided to set up a distributed public DNS for the domains that we manage. It was an interesting project, as it’s the first time we’ve used BIND in anger.

We now have a master and two slave DNS servers in two of our DCs in the region and have additional slaves outside the region to provide DR resilience for the roughly 40% of our domains that are actually active. Everything is running smoothly now, and I’d like to take one final step to make the master DNS hidden and leave the slaves to handle all the requests.
I can see two possible ways of doing this:

1. Configure the “allow queries from” to just the slave servers
2. Set up rules on our external firewall to block requests from anything other than the slave servers

Which of the above is the better option, should I do both, or is there something else I should be doing instead or as well?
My other question relates to the domain registrars. Once I “hide” the master server, do I also need to remove it from the list of name servers for the domain on the registrar’s sites or is it ok to leave it even though it can’t be queried?

Thanks in advance

Andy Baker

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users at lists.isc.org<mailto:bind-users at lists.isc.org>
https://lists.isc.org/mailman/listinfo/bind-users
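The two points raised in this thread, the restricted allow-query on the hidden primary (option 1) and the check that the hidden host is gone from the NS set at both the parent and the child, as an added shell example. This is not code from the original posts or from ISC; every hostname and address in it is a constructed placeholder, and the firewall rule (option 2) is a separate layer that the script does not generate.

```shell
#!/bin/sh
# Added example for the hidden-primary thread above; not from the list posts or ISC.
# All hostnames and addresses are constructed placeholders.

# Emit a named.conf options stanza for a hidden primary. Every address given on
# the command line goes into a "secondaries" ACL, which is then used both for
# allow-query (option 1 in the thread) and for allow-transfer, since a zone
# transfer is not a query and the secondaries still need it.
hidden_primary_named_conf() {
    acl=""
    for ip in "$@"; do acl="$acl $ip;"; done
    cat <<EOF
acl secondaries {$acl };
options {
    recursion no;
    allow-query { secondaries; };      // answer ordinary queries only from our secondaries
    allow-query-cache { none; };
    allow-transfer { secondaries; };   // AXFR/IXFR is what the secondaries actually need
    notify explicit;                   // send NOTIFY only to the hosts in also-notify
    also-notify {$acl };
};
EOF
}

# Lower-case a DNS name and drop one trailing dot so names compare cleanly.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Pull NS targets out of dig output on stdin. Accepts either "+short" output
# (one name per line) or full RR lines ("owner TTL IN NS target"); comment
# lines starting with ";" are ignored.
extract_ns() {
    awk '/^;/ { next } NF == 1 { print $1; next } toupper($4) == "NS" { print $5 }'
}

# ns_hidden_ok HIDDEN  (NS targets on stdin, one per line)
# Returns 0 when HIDDEN is absent from the set, 1 when it is still listed,
# and 2 when no NS records were read at all (a lookup that returned nothing
# is not evidence that the host was removed).
ns_hidden_ok() {
    hidden=$(norm_name "$1")
    found=0
    count=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        count=$((count + 1))
        if [ "$(norm_name "$line")" = "$hidden" ]; then found=1; fi
    done
    if [ "$count" -eq 0 ]; then
        echo "no NS records read" >&2
        return 2
    fi
    if [ "$found" -eq 1 ]; then
        echo "LEAK: $hidden is still listed as an NS" >&2
        return 1
    fi
    echo "ok: $hidden not in NS set ($count records)"
    return 0
}

# Live check (needs dig and network, so it is not run here): the delegation as
# the parent hands it out, and the apex NS RRset as a secondary serves it.
#   check_zone ZONE HIDDEN PARENT_SERVER SECONDARY
check_zone() {
    zone=$1; hidden=$2; parent=$3; secondary=$4
    echo "== delegation for $zone at parent $parent =="
    dig +norecurse +noall +answer +authority NS "$zone" "@$parent" | extract_ns | ns_hidden_ok "$hidden" || return 1
    echo "== apex NS RRset for $zone at $secondary =="
    dig +noall +answer NS "$zone" "@$secondary" | extract_ns | ns_hidden_ok "$hidden" || return 1
}

# Demo on constructed data: the NS set once the hidden primary has been removed.
printf 'ns1.example.net.\nns2.example.net.\n' | ns_hidden_ok hidden-master.example.net
hidden_primary_named_conf 192.0.2.10 192.0.2.11
```

Run `check_zone example.com hidden-master.example.net a.gtld-servers.net ns1.example.net` (placeholders) to test a live zone; the parent lookup uses +norecurse so you see the referral the parent actually hands out rather than a recursive answer, and both lookups must pass before the hidden primary is truly out of the public picture.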
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220215/3b1e2b2d/attachment-0001.htm>


More information about the bind-users mailing list