Master for domain as set in SOA is not visible to world

Mathias Koerber mathias at
Thu Mar 9 01:29:41 UTC 2000

On Wed, 8 Mar 2000 lhcash at wrote:

| Date: Wed, 8 Mar 2000 14:39:14 -0500
| From: lhcash at
| To: bind-users at
| Subject: Master for domain as set in SOA is not visible to world
| Hi, I'm asking about something I'm pretty sure will *work*, but I'm not
| sure how good an idea it is.  I have a domain (call it  I want
| to make the master for this domain a system which is the master for some
| internal (not visible to the world) domains.  The only systems visible to
| the world (and the ones which will, therefore, be listed in the NS records,
| etc.) are slaves.  This system is, of course, behind a firewall and not
| reachable...and I really don't want anyone outside our group to even know
| this system exists, for obvious reasons.  

Sure this works. This is a standard 'stealth master' config.
Just don't list the master in *any* NS records (inside the zone and
in the delegation record at the parent zone). Then configure your firewall to only
allow your slaves to perform queries (for serial number check) and zone transfers.

| The alternative is either (1) to
| move the master to one of the external systems, thereby increasing
| administrative overhead tremendously (lots of domains, lots of nameservers
| in our setup) and putting the master in our DMZ (where I don't want it), or
| (2) to make the server listed in the SOA record something other than the
| real master, which means the master will, of course, not see itself as
| authoritative.

A master will see itself as authoritative if it
	a) has a configuration entry for a zone as master
and	b) manages to load the zone from its zonefile w/o error

Whether it itself appears in the MNAME field or any NS records has no
influence (at least not in standard BIND).

| I am wondering especially about the second alternative - I am assuming (I
| haven't tried it yet, though) that the external secondaries/slaves will
| still return authoritative answers, as long as they are listed in the NS
| records for the domain - and since these are the only servers queryable by
| the world at large, this should suffice.  Is my reasoning sound, and are
| there any sticky issues I'm missing here?
| -Sandy
| --
| Sandy Cash
| Systems Administrator, Unix Geek
| lhcash at
| (919) 254-6482 t/l 444

Mathias Koerber	  | Tel: +65 / 471 9820    |   mathias at
SingNet NOC	  | Fax: +65 / 475 3273    |            mathias at
Q'town Tel. Exch. | PGP: Keyid: 768/25E082BD, finger mathias at
2 Stirling Rd     |      1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65
S'pore 148943     | Disclaimer: I speak only for myself
* Jealousy is a passion that zealously seeks what creates suffering *
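A minimal BIND named.conf pair for the stealth-master setup described in this reply, as an added example that is not from the original thread or from BIND's own documentation; example.com, the ns1/ns2 names and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders:

```conf
# --- stealth master (internal host, appears in no NS record; constructed example) ---
acl slaves { 198.51.100.1; 198.51.100.2; };   # the public, NS-listed slaves only

options {
    directory "/var/named";
    allow-transfer { none; };          # global default: nobody may pull zones
};

zone "example.com" {
    type master;                       # this, plus a clean zone load, is what
                                       # makes BIND authoritative, not MNAME/NS
    file "master/example.com.zone";
    allow-query    { slaves; localhost; };  # slaves only (SOA/serial checks)
    allow-transfer { slaves; };        # slaves only (AXFR/IXFR)
    notify yes;                        # NOTIFY goes to the slaves in the NS RRset
    also-notify { 198.51.100.2; };     # only needed for slaves NOT in NS records
};

# --- public slave ns1.example.com (listed in the NS records and at the parent) ---
zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters { 192.0.2.10; };           # the stealth master's internal address
    allow-transfer { none; };          # the public cannot pull the whole zone;
                                       # every slave fetches from the master
};

# Firewall (outside named.conf): permit UDP and TCP port 53 to 192.0.2.10 only
# from 198.51.100.1 and 198.51.100.2, and allow the master's outbound NOTIFY.
# The SOA MNAME in master/example.com.zone may name ns1.example.com; the master
# still loads and serves the zone as master because of "type master" above.
```

Verify from outside that the master never shows up: dig NS example.com and dig SOA example.com against a public resolver should list only ns1/ns2, and an AXFR attempt against the slaves should be refused.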
