Stealth NS records

Browne, Stuart Stuart.Browne at team.neustar
Tue Apr 3 23:24:27 UTC 2018


A number of places use a 'stealth' (or 'hidden') master as a bit of protection from potential bad actors. It's a network domain barrier between the master (usually on an internal-only network) and a public network with potential bad actors.

For example, a dynamic update for a zone will contact the mname defined in the SOA record unless told otherwise. If you watch your DNS traffic closely on a properly configured public authoritative server, you will see many failed dynamic updates.

I agree with Darcy in that it causes zones to be inaccurate from an integrity checking perspective; on a properly configured server, there should be no security issues, but it can create some peace of mind.

The concept, I believe, is a hold-out behaviour from older environments where the software security couldn't be trusted (or you work in a paranoid-security-culture company).

Stuart

> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of
> Darcy Kevin (FCA)
> Sent: Wednesday, 4 April 2018 7:42 AM
> To: bind-users at lists.isc.org
> Subject: [EXTERNAL] RE: Stealth NS records
> 
> "Stealth" implies something that isn't seen in the normal course of
> activity, so it's really the *wrong* word to use here, since the apex NS
> records are seen during normal iterative resolution, and in fact the apex
> NS records take precedence over the delegated NS records in the sense of
> RFC 2181 data-ranking. So, to call them "stealth" seems mistaken, and
> misleading.
> 
> A better term than "stealth NS" would be "mismatched NS". From an
> integrity-check perspective, IMO the mismatch condition should be flagged
> as questionable if the apex NS records are a superset of the delegated
> ones, and worrisome if completely disjoint.
> 
> 
> 			- Kevin
> 
> 
> 
> -----Original Message-----
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Matus
> UHLAR - fantomas
> Sent: Friday, March 30, 2018 4:27 AM
> To: bind-users at lists.isc.org
> Subject: Re: Stealth NS records
> 
> On 30.03.18 15:44, PANG J. wrote:
> >I saw a zone check on intodns.com shows,
> >
> >Stealth NS records were sent:
> >ns2.xxx.com
> >ns1.xxx.com
> >
> >So what's a stealth NS record?
> 
> http://massivedns.com/blog/dns-report-tutorials/what-are-stealth-ns-records/
> 
> maybe I could explain more deeply if you have sent the domain.
> 
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ;
> http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Linux IS user friendly, it's just selective who its friends are...
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
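The "mismatched NS" check Kevin describes in the quoted message (apex NS a superset of the delegated set is questionable, completely disjoint is worrisome) can be expressed as a small offline comparison. The code below is an added example, not something posted in this thread or shipped with BIND or intodns: it takes the NS names learned from the parent's delegation and the NS RRset the zone itself serves at its apex, normalises them the way DNS compares owner names (case-insensitive, absolute), and reports the "stealth" names (apex NS absent from the delegation) alongside a verdict. The `mismatch` label for the cases Kevin does not name (apex a subset of the delegation, or partial overlap) is this example's own choice, and all hostnames are constructed sample data.

```python
"""Compare a zone's apex NS RRset against the parent's delegation NS set.

Added example for the bind-users "Stealth NS records" thread; not code from
the thread, BIND or intodns. Input sets are supplied by the caller (e.g. from
a resolver query to the parent and to the child), so the module runs offline.
"""
from dataclasses import dataclass


def normalize(name: str) -> str:
    """DNS owner names compare case-insensitively; make them absolute and lowercase."""
    name = name.strip().lower()
    if not name.endswith("."):
        name += "."
    return name


@dataclass(frozen=True)
class NsCheck:
    verdict: str           # "match", "questionable", "worrisome" or "mismatch"
    stealth: frozenset     # apex NS not in the delegation (what intodns calls "stealth")
    missing: frozenset     # delegated NS not served at the apex


def classify_ns(delegated, apex) -> NsCheck:
    """Classify the relationship between delegation NS and apex NS.

    - identical sets                  -> "match"
    - no name in common               -> "worrisome"   (Kevin's wording)
    - apex is a strict superset       -> "questionable" (Kevin's wording)
    - anything else (subset/partial)  -> "mismatch"     (label chosen for this example)
    """
    d = frozenset(normalize(n) for n in delegated)
    a = frozenset(normalize(n) for n in apex)
    if not d or not a:
        raise ValueError("both the delegation and the apex NS set must be non-empty")
    stealth = a - d
    missing = d - a
    if not stealth and not missing:
        verdict = "match"
    elif a.isdisjoint(d):
        # RFC 2181 ranking means resolvers will prefer the apex data once they
        # have it, so a wholly different set is the case to investigate first.
        verdict = "worrisome"
    elif a > d:
        verdict = "questionable"
    else:
        verdict = "mismatch"
    return NsCheck(verdict, stealth, missing)


def report(check: NsCheck) -> str:
    """Render the result in the style of the intodns message quoted in the thread."""
    lines = [f"NS verdict: {check.verdict}"]
    if check.stealth:
        lines.append("Stealth NS records were sent:")
        lines.extend(sorted(check.stealth))
    if check.missing:
        lines.append("Delegated NS not served at the apex:")
        lines.extend(sorted(check.missing))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the parent delegates two servers, the apex adds a
    # third (the "stealth" one) and mixes case / trailing-dot conventions.
    delegated = ["ns1.example.net", "ns2.example.net"]
    apex = ["NS1.example.net.", "ns2.example.net", "ns3.example.net"]
    print(report(classify_ns(delegated, apex)))
```

Running the module prints a `questionable` verdict listing `ns3.example.net.` as the stealth server; feeding it a delegation and apex set with no names in common yields `worrisome`, which is the condition to investigate first because, as Kevin notes, the apex RRset outranks the delegation once a resolver has seen it.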

