Stealth NS records

Grant Taylor gtaylor at
Wed Apr 4 15:08:09 UTC 2018

On 04/03/2018 05:24 PM, Browne, Stuart via bind-users wrote:
> A number of places use a 'stealth' (or 'hidden') master as a bit of 
> protection from potential bad actors. It's a network domain barrier 
> between the master (usually on an internal-only network) and a public 
> network with potential bad actors.

I thought hidden master configurations did not include the MNAME server 
in any of the published NS records in the zone or registered with the 
registrar (or parent zone).

So, I don't see the MNAME being related to (poorly named?) "stealth" 
name servers if it's not included in either the published NS records or 
registered with the registrar (parent zone).

> For example, a dynamic update for a zone will contact the mname defined 
> in the SOA record unless told otherwise. If you watch your DNS traffic 
> closely on a properly configured public authoritative server, you will 
> see many failed dynamic updates.

There's opportunity to play with this traffic.  }:-)

I worked in a network that had a service name for the MNAME 
(mname.$zone) that was using (different) apex overrides on each server 
to cause mname.$zone to resolve to the local server.  Said servers were 
configured to forward updates to the master server(s) that they were 
slaving zones from.

Doing this allowed Windows clients to send DDNS updates to the DNS 
server they could reach which would then forward them up the chain to 
the real master (which the clients could not reach).  This actually 
worked out quite well and avoided a LOT of Windows / AD related indigestion.

Grant. . . .
unix || die
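
Added example, not part of the original post: one way to surface the failed dynamic updates mentioned above on a public authoritative server, by counting denied updates per client and zone. The log lines are constructed samples in the style BIND 9 writes to its update-security category (an assumption about the local logging configuration), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (assumed BIND 9 update-security format;
# addresses are from documentation ranges, not real clients).
SAMPLE_LOG = """\
04-Apr-2018 15:01:02.101 update-security: error: client 198.51.100.7#53124: update 'example.com/IN' denied
04-Apr-2018 15:01:02.945 update-security: error: client 198.51.100.7#53125: update 'example.com/IN' denied
04-Apr-2018 15:02:10.300 update-security: error: client @0x7f3a5c0 203.0.113.20#40111: view external: update 'example.com/IN' denied
04-Apr-2018 15:02:11.000 queries: info: client 203.0.113.20#40112: query: www.example.com IN A +
04-Apr-2018 15:03:44.512 update-security: error: client 2001:db8::15#61000: update 'example.net/IN' denied
04-Apr-2018 15:04:00.007 update-security: error: client 198.51.100.7#53130: update 'example.com/IN' denied
"""

# Tolerates the optional "@0x..." client handle, a TSIG key name,
# and a "view <name>:" prefix that some configurations add.
DENIED = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r"(?:/key \S+)?(?: \([^)]*\))?:"
    r"(?: view [^:]+:)? update '(?P<zone>[^/']+)/\w+' denied"
)

def denied_updates(log_text):
    """Count denied dynamic updates per (client address, zone)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            counts[(m.group("ip"), m.group("zone").lower())] += 1
    return counts

def noisy_clients(counts, threshold=2):
    """Clients with at least `threshold` denied updates, busiest first."""
    per_client = Counter()
    for (ip, _zone), n in counts.items():
        per_client[ip] += n
    return [(ip, n) for ip, n in per_client.most_common() if n >= threshold]

if __name__ == "__main__":
    counts = denied_updates(SAMPLE_LOG)
    for (ip, zone), n in sorted(counts.items()):
        print(f"{ip:15} {zone:12} {n} denied update(s)")
    print("repeat senders:", noisy_clients(counts))
```

Clients that show up repeatedly here are resolving the SOA MNAME to a server that will not accept their updates, which is the situation the update-forwarding setup described above avoids.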
