stealth with views?

Jonathan Reed cronstate at gmail.com
Thu Nov 7 20:27:14 UTC 2013


>
> Expire time should be at least a week. If your firewall blocks
> connections for that long, you have bigger problems than this.

Unless our sites change for disaster recovery, in which case expire times might
be exceeded. However, I suppose one week would give me enough time to
adjust where the master is located at the DR site.

> You don't have to put the hidden master in the public zone file.

You're right, I was mixed up between zone file and named.conf.


On Thu, Nov 7, 2013 at 2:23 PM, Barry Margolin <barmar at alum.mit.edu> wrote:

> In article <mailman.1637.1383850377.20661.bind-users at lists.isc.org>,
>  Jonathan Reed <cronstate at gmail.com> wrote:
>
> > I'd like my global BIND server to slave a copy of my zone from the master
> > being hosted on my LAN. It appears that this is called a stealth setup. I
> > figured I'd achieve this by having the secondary on the internet slave a
> > view, but I've read that this is not ideal from a security standpoint. The
> > argument being that the zone file contains an IP address of its master. So
> > what's the best way to do this?
>
> You don't have to put the hidden master in the public zone file.
>
> >
> > A stealth scenario also seems susceptible to a higher chance where the
> > connection is lost between master and slave (complicated by a LAN
> > firewall/ISP in between) and the expire exceeding. We're hosting our global
>
> Expire time should be at least a week. If your firewall blocks
> connections for that long, you have bigger problems than this.
>
> > DNS through a provider, so there doesn't seem like an easy way to monitor
> > and confirm a zone transfer from our master alone. Any recommendations?
>
> --
> Barry Margolin
> Arlington, MA
>
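
An added example, not written by either poster and not part of BIND: a small Python check of the two points made in this thread, that the public zone file need not mention the hidden master and that the SOA expire should be at least a week. The zone text, the name master.lan.example.com and the address 10.0.0.5 are constructed placeholders; the parser assumes fully qualified owner names on every record, and the SOA MNAME check goes one step beyond what the thread states.

```python
import re

WEEK = 7 * 24 * 3600  # "at least a week", the figure given in the thread

# Constructed public zone using documentation names and addresses.
ZONE = """\
$TTL 3600
example.com. IN SOA ns1.example.com. hostmaster.example.com. (
        2013110701 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        3600 )     ; negative-caching TTL
example.com.     IN NS ns1.example.com.
example.com.     IN NS ns2.example.com.
ns1.example.com. IN A  192.0.2.53
ns2.example.com. IN A  198.51.100.53
"""

def audit_zone(text, hidden_name, hidden_ip, min_expire=WEEK):
    """Return finding codes; an empty list means the zone passes."""
    hidden_name = hidden_name.lower().rstrip(".") + "."
    body = re.sub(r";[^\n]*", "", text)  # strip comments
    # Fold the parenthesised SOA fields onto one logical line.
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    findings = []
    for line in body.splitlines():
        f = line.split()
        if "IN" not in f or f[0].startswith("$"):
            continue
        owner = f[0].lower()
        rtype, rdata = f[f.index("IN") + 1].upper(), f[f.index("IN") + 2:]
        if rtype == "SOA":
            if rdata[0].lower() == hidden_name:
                findings.append("soa-mname-leak")  # MNAME names the hidden master
            if int(rdata[5]) < min_expire:
                findings.append("expire-too-short")
        elif rtype == "NS" and rdata[0].lower() == hidden_name:
            findings.append("ns-leak")
        elif rtype in ("A", "AAAA") and (owner == hidden_name or rdata[0] == hidden_ip):
            findings.append("address-leak")
    return findings

if __name__ == "__main__":
    # Hypothetical hidden master on the LAN; both values are placeholders.
    print(audit_zone(ZONE, "master.lan.example.com", "10.0.0.5"))
```
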

