Hiding a stealth master...kludge advice needed

Stewart Dean sdean at ulster.net
Mon Dec 8 16:13:12 UTC 2003


In the excellent O'Reilly DNS & BIND Cookbook, Cricket Liu lays out a
recipe (section 7.3) on how to configure a stealth master DNS/Bind
server.  I blundered my way into implementing this using Bind9 under AIX.

But it seemed to me that the master wasn't completely hidden, because
the wily hacker could discover the stealth master's name by doing
an nslookup of the SOA record and finding it in the MNAME.

So I put the slave's name in as the MNAME.

Alas, the IXFR didn't work because the refresh process doesn't notify
the MNAME...took me a while to figure that out.

So, I came to the conclusion that I can *make* it work either by
==> just putting the raw domain (bard.edu) as the MNAME (is it really
used for something that will cause grief if kludged like this?)
OR
==> putting the slave back in as the MNAME, but also putting an
also-notify option statement in the named.conf

Either seems to work, but are there any gotchas or you-idiots hidden
in doing this?  Or is there a better way?

Thanks in advance!
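
The second option from the message above, written out as an added example (not part of the original post and not the Cookbook's recipe). The zone name example.com, the host names and the 192.0.2.x addresses are placeholders chosen for illustration.

```conf
// ---- named.conf on the hidden master (constructed example) ----
// 192.0.2.10 = hidden master, 192.0.2.53 = ns1 (slave named in MNAME),
// 192.0.2.54 = ns2 (second slave). All addresses are placeholders.
acl "public-slaves" { 192.0.2.53; 192.0.2.54; };

zone "example.com" {
    type master;
    file "db.example.com";
    // Default NOTIFY targets: every server in the zone's NS records
    // EXCEPT the one named in the SOA MNAME field.
    notify yes;
    // ns1 is the MNAME, so "notify yes" skips it; name it explicitly.
    also-notify { 192.0.2.53; };
    // Only the slaves may pull the zone (AXFR/IXFR) from this host.
    allow-transfer { "public-slaves"; };
};

// ---- named.conf on each slave ----
zone "example.com" {
    type slave;
    file "bak.example.com";
    // The hidden master's address appears only here, never in the zone.
    masters { 192.0.2.10; };
};

/* ---- db.example.com on the hidden master (zone-file syntax) ----
   The master has no NS record and is not the MNAME, so its name is
   absent from everything the zone publishes.

   @   IN SOA ns1.example.com. hostmaster.example.com. (
              2003120801 ; serial
              3h         ; refresh
              1h         ; retry
              1w         ; expire
              1h )       ; negative-caching TTL
       IN NS  ns1.example.com.
       IN NS  ns2.example.com.
*/
```

Besides NOTIFY, MNAME is where dynamic-update clients (RFC 2136) send their updates, so with a slave in MNAME any such updates arrive at the slave and would have to be forwarded (`allow-update-forwarding`) or are simply refused.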

