#1
I would like to use a box in our DMZ running 2003 DNS server as a hidden master for some domains we have registered.

Let's call it ns.master.com

I know to only have the publicly accessible DNS servers listed at the root servers, and as NS records on the zone.

So I'd have:

ns0.provider.com
ns1.provider.com
ns2.provider.com

The provider (provider.com) we use is configured to query for updates from a specified IP address for each domain (that of ns.master.com).

The master is configured to allow zone transfers for their IP address.

They don't support notification so it's disabled on ns.master.com for each domain.

What should I set the SOA records to?

I guess if I want a fully hidden master I would set it to ns0.provider.com rather than ns.master.com - but I'm not sure if it would break anything?

TIA,
Paul
--
paul@spamcop.net

#2
Paul Hutchings wrote:
> I would like to use a box in our DMZ running 2003 DNS server as a
> hidden master for some domains we have registered.
>
> Let's call it ns.master.com
>
> I know to only have the publicly accessible DNS servers listed at the
> root servers, and as NS records on the zone.
>
> So I'd have:
>
> ns0.provider.com
> ns1.provider.com
> ns2.provider.com
>
> The provider (provider.com) we use is configured to query for updates
> from a specified IP address for each domain (that of ns.master.com).
>
> The master is configured to allow zone transfers for their IP address.
>
> They don't support notification so it's disabled on ns.master.com for
> each domain.
>
> What should I set the SOA records to?
>
> I guess if I want a fully hidden master I would set it to
> ns0.provider.com rather than ns.master.com - but I'm not sure if it
> would break anything?

If the Secondary servers do not support Notify, you cannot have a fully hidden master. The SOA record will need to show the MNAME of the master server, and it must be able to resolve its IP address with a glue record. You can still have a hidden master, but the SOA record must have the name of the master, and you will need a record for the primary name server name. You do not necessarily need an NS record for the master, and you won't want to have the master DNS on the public record.

http://www.dyndns.com/support/kb/arc...n_primary.html

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s

#3
In article <#4fZVi5QGHA.3916@TK2MSFTNGP11.phx.gbl>,
"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote:

> If the Secondary servers do not support Notify, you cannot have a fully
> hidden master. The SOA record will need to show the MNAME of the master
> server, and it must be able to resolve its IP address with a glue record.
> You can still have a hidden master, but the SOA record must have the name of
> the master, and you will need a record for the primary name server name. You
> do not necessarily need an NS record for the master, and you won't want to
> have the master DNS on the public record.
> http://www.dyndns.com/support/kb/arc...n_primary.html

Hi Kevin,

Thanks for the reply.

This is the KB article from the provider I use:

http://esupport.gradwell.net/index.p...viewarticle&kbarticleid=35

I'm a little confused by the SOA issue.

If my provider pulls transfers from a specified IP using a script (rather than looking at the SOA which is what I believe usually happens with zone transfers) I don't see why the SOA would need to be the real master?

I'm trying to understand the process a little better rather than just filling in boxes blindly :-)

cheers,
Paul
--
paul@spamcop.net
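
An added example, not part of any post in this thread: a small Python check that reads zone text and reports whether the master's host name is visible in the SOA MNAME field or in the NS set, run against both SOA choices discussed above. The zone example.com, its records and the function names are constructed for illustration; the host names reuse the thread's placeholders.

```python
# Constructed zone text; host names reuse the thread's placeholders.
ZONE_MNAME_IS_MASTER = """\
example.com. 3600 IN SOA ns.master.com. hostmaster.example.com. 2006030801 10800 3600 604800 3600
example.com. 3600 IN NS ns0.provider.com.
example.com. 3600 IN NS ns1.provider.com.
example.com. 3600 IN NS ns2.provider.com.
"""
# Same zone with the SOA MNAME pointed at a public secondary instead.
ZONE_MNAME_IS_PUBLIC = ZONE_MNAME_IS_MASTER.replace(
    "SOA ns.master.com.", "SOA ns0.provider.com.")

def norm(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.rstrip(".").lower()

def parse_records(zone_text):
    """Parse one-record-per-line 'owner ttl class type rdata...' text."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        owner, _ttl, _class, rtype, *rdata = line.split()
        records.append((norm(owner), rtype.upper(), rdata))
    return records

def audit_hidden_master(zone_text, master_name):
    """Report where master_name is visible in the published zone data."""
    master = norm(master_name)
    records = parse_records(zone_text)
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        raise ValueError("expected exactly one SOA record")
    mname = norm(soa[0][2][0])  # MNAME is the first SOA RDATA field
    ns_set = sorted({norm(r[2][0]) for r in records if r[1] == "NS"})
    return {
        "mname": mname,
        "ns_set": ns_set,
        "master_in_soa": mname == master,  # name visible to anyone querying SOA
        "master_in_ns": master in ns_set,  # name published as authoritative
        "mname_in_ns": mname in ns_set,
    }

if __name__ == "__main__":
    for label, zone in (("MNAME = master", ZONE_MNAME_IS_MASTER),
                        ("MNAME = public NS", ZONE_MNAME_IS_PUBLIC)):
        print(label, audit_hidden_master(zone, "ns.master.com"))
```

The check covers only what the published zone data reveals; it says nothing about how a secondary locates its transfer source.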