problem "hiding" master server

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 26 20:17:03 UTC 2001


chr at songnetworks.dk wrote:

> My setup is as follows:
> 2 caching only name servers: dns.x.x. and dns2.x.x.
> 3 authoritative "reachable" slave name servers: ns.x.x., ns2.x.x. and
> ns3.x.x.
> 1 master authoritative which isn't reachable from outside: master.x.x.
>
> The authoritative name servers are configured to run without a root zone; this
> is done by:
>         recursion no;
>         fetch-glue no;
>
> on the slave servers the zones are configured with:
> zone "x.x" in {
>   type slave;
>   file "x.x";
>   masters {x.x.x.x;  };
> };
>
> however I often get the error:
>
> default: sysquery: nlookup error on ?
>
> If I add the root zone the error seems to stop, isn't it possible to run
> without root zone, or do I then just have to ignore this error??

You need a root zone. Why do you think it is so important to not have one? If
you respond with a root-zone referral to clients, you're not disclosing any
information that they can't easily get elsewhere.

> All zone-editing is done on the "hidden" master server, all zones have the
> following SOA and NS records:
> @ 86400 in soa ns.x.x. hostmaster.x.x. ( 2001061403 28800 7200 604800
> 86400 )
> @ 86400 in ns ns.x.x.
> @ 86400 in ns ns2.x.x.
> @ 86400 in ns ns3.x.x.
>
> The problem is that ns.x.x isn't notified, and from what I understand from
> DNS and BIND it's because the master specified in the SOA which also has
> an NS record is assumed to be the master itself and should therefore not be
> notified! I guess a solution would be to specify master.x.x. as the master
> server in the SOA record and add an NS record for it, that way it doesn't
> notify itself but all the slaves....
>
> However, the idea was to "hide" the master server so nobody can send queries
> to it from outside, and I'm not sure the master specified in the SOA record
> can be unreachable, wouldn't that be a problem?
>
> A better solution might be to specify ns.x.x. as the master server and then
> use the "also-notify ns.x.x" on the master server, that way ns.x.x. should
> be notified even though the server believes it's the master....
>
> It seems there are a number of solutions, but my idea was that the slave servers
> should only handle queries and not notifying/pulling zones from each other,
> this should instead be done by the master server which doesn't use CPU on
> answering queries.. Anyone have any comments/suggestions? Perhaps from a
> similar setup?

Look at the "notify explicit" option in BIND 9. That's what I use on our hidden
master.


- Kevin
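As an added example (not part of Kevin's reply or of the original post): a BIND 9 named.conf layout for the setup discussed above. The public SOA and NS records stay exactly as the poster has them, and the hidden master uses `notify explicit` so that all three slaves, including ns.x.x. (the SOA MNAME, which the default NOTIFY logic skips), are notified. The addresses in 192.0.2.0/24 are placeholders assumed here, not the poster's real ones.

```conf
// ===== named.conf on master.x.x (hidden master) =====
// Not listed in any NS record and not reachable from outside; it only
// edits zones and pushes them to the public slaves.
options {
    recursion no;                 // authoritative only, as in the poster's setup
    // Default NOTIFY targets are the zone's NS RRset minus the SOA MNAME
    // (ns.x.x.), which is exactly why ns.x.x. never got a NOTIFY.
    // "explicit" ignores the NS set and notifies only the also-notify list.
    notify explicit;
    also-notify { 192.0.2.1; 192.0.2.2; 192.0.2.3; };   // ns, ns2, ns3 (placeholders)
    // Only the three public slaves may pull zones from the hidden master.
    allow-transfer { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
};

zone "." in {                     // root hints, as advised in the reply
    type hint;
    file "root.hints";
};

zone "x.x" in {
    type master;
    file "x.x";
};

// ===== named.conf on ns.x.x, ns2.x.x, ns3.x.x (public slaves) =====
// Slaves answer queries only; they neither notify nor transfer to each other.
options {
    recursion no;
    allow-transfer { none; };
};

zone "." in {
    type hint;
    file "root.hints";
};

zone "x.x" in {
    type slave;
    file "x.x";
    masters { 192.0.2.10; };      // hidden master's internal address (placeholder)
    allow-notify { 192.0.2.10; }; // accept NOTIFY only from the hidden master
};
```

The two halves are separate files, one per role; do not load both `options` blocks into a single named.conf.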
