Hidden Master DNS advice


Paul Hutchings

I would like to use a box in our DMZ running 2003 DNS server as a hidden
master for some domains we have registered.

Let's call it ns.master.com

I know to only have the publicly accessible DNS servers listed at the
root servers, and as NS records on the zone.

So I'd have:

ns0.provider.com
ns1.provider.com
ns2.provider.com

The provider (provider.com) we use is configured to query for updates
from a specified IP address for each domain (that of ns.master.com).

The master is configured to allow zone transfers for their IP address.

They don't support notification so it's disabled on ns.master.com for
each domain.

What should I set the SOA records to?

I guess if I want a fully hidden master I would set it to
ns0.provider.com rather than ns.master.com - but I'm not sure if it
would break anything?

TIA,
Paul
 

Kevin D. Goodknecht Sr. [MVP]

Paul said:
I would like to use a box in our DMZ running 2003 DNS server as a
hidden master for some domains we have registered.

Let's call it ns.master.com

I know to only have the publicly accessible DNS servers listed at the
root servers, and as NS records on the zone.

So I'd have:

ns0.provider.com
ns1.provider.com
ns2.provider.com

The provider (provider.com) we use is configured to query for updates
from a specified IP address for each domain (that of ns.master.com).

The master is configured to allow zone transfers for their IP address.

They don't support notification so it's disabled on ns.master.com for
each domain.

What should I set the SOA records to?

I guess if I want a fully hidden master I would set it to
ns0.provider.com rather than ns.master.com - but I'm not sure if it
would break anything?

If the Secondary servers do not support Notify, you cannot have a fully
hidden master. The SOA record will need to show the MNAME of the master
server, and it must be able to resolve its IP address with a glue record.
You can still have a hidden master, but the SOA record must have the name of
the master, and you will need a record for the primary name server name. You
do not necessarily need an NS record for the master, and you won't want to
have the master DNS on the public record.
http://www.dyndns.com/support/kb/archives/running_a_hidden_primary.html
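To make the SOA discussion concrete, here is an added example (Python, written for this page; it is not code from the thread, from Windows 2003 DNS, or from either provider). It parses a constructed zone file whose apex uses the thread's placeholder names (ns0/ns1/ns2.provider.com as NS, ns.master.com as the hidden master; the origin example.com is an assumption), reports whether the master is hidden from the NS set, whether the SOA MNAME discloses it and then needs a resolvable A record as Kevin describes, and implements the RFC 1982 serial comparison that a secondary applies to the SOA before it pulls a transfer. The serial check is the part that matters regardless of how the provider triggers the pull: a scripted AXFR still only replaces the zone when the master's serial is newer.

```python
"""Hidden-master checks on a zone's apex records (added example, not from the thread)."""

SERIAL_BITS = 32

# Constructed sample zone; names are the thread's placeholders, example.com is assumed.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@    IN SOA ns0.provider.com. hostmaster.example.com. (
         2006052301 ; serial
         3600       ; refresh
         900        ; retry
         1209600    ; expire
         300 )      ; minimum
@    IN NS ns0.provider.com.
@    IN NS ns1.provider.com.
@    IN NS ns2.provider.com.
www  IN A  192.0.2.10
"""


def _logical_lines(text):
    """Strip ';' comments and join records that span lines inside ( )."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf).strip()
            buf = []
            if joined:
                yield joined


def parse_zone(text):
    """Minimal zone-file reader: returns origin, the SOA fields, NS names and A records."""
    origin, soa, ns, a = ".", None, [], {}
    for line in _logical_lines(text):
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        if tok[0] == "$TTL":
            continue
        owner = tok[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        i = 1
        if tok[i].isdigit():      # optional per-record TTL
            i += 1
        if tok[i].upper() == "IN":
            i += 1
        rtype, rdata = tok[i].upper(), tok[i + 1:]
        if rtype == "SOA":
            soa = {"mname": rdata[0].lower(), "rname": rdata[1],
                   "serial": int(rdata[2]), "refresh": int(rdata[3]),
                   "retry": int(rdata[4]), "expire": int(rdata[5]),
                   "minimum": int(rdata[6])}
        elif rtype == "NS":
            ns.append(rdata[0].lower())
        elif rtype == "A":
            a[owner.lower()] = rdata[0]
    return {"origin": origin, "soa": soa, "ns": ns, "a": a}


def serial_is_newer(new, old):
    """RFC 1982 serial arithmetic: a secondary only transfers when the master's
    serial is 'greater' than the copy it holds, with wrap-around at 2^32."""
    diff = (new - old) % (1 << SERIAL_BITS)
    return 0 < diff < (1 << (SERIAL_BITS - 1))


def next_serial(current, today):
    """YYYYMMDDnn convention: first edit of the day uses today's date,
    further edits increment; always strictly newer than the current serial."""
    candidate = max(current + 1, int(today) * 100 + 1)
    assert serial_is_newer(candidate, current)
    return candidate


def hidden_master_report(zone, master_host):
    """Checks the hidden-master conditions discussed in the thread."""
    master = master_host.lower().rstrip(".") + "."
    soa, ns = zone["soa"], set(zone["ns"])
    findings = []
    hidden_from_ns = master not in ns
    if not hidden_from_ns:
        findings.append("master appears in NS records: not hidden")
    mname = soa["mname"]
    if mname in ns:
        findings.append("SOA MNAME names a public secondary: master fully hidden")
    elif mname == master:
        findings.append("SOA MNAME names the master: its hostname is disclosed")
        if mname not in zone["a"]:
            findings.append("no A record for MNAME in this zone; it must resolve elsewhere")
    else:
        findings.append("SOA MNAME is neither a listed NS nor the master")
    return {"hidden_from_ns": hidden_from_ns, "mname_in_ns": mname in ns,
            "findings": findings}


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for line in hidden_master_report(zone, "ns.master.com")["findings"]:
        print(line)
    print("next serial:", next_serial(zone["soa"]["serial"], "20060524"))
```

Pointing MNAME at ns0.provider.com passes the "fully hidden" branch; swapping it for ns.master.com takes the disclosed branch and flags the missing A record, which is the trade-off Kevin describes. Note the check does not model NOTIFY at all: with notification disabled, the provider's secondaries see a change only when they poll (at the SOA refresh interval, or via their script) and find a newer serial, so every edit on the master must bump the serial.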
 

Paul Hutchings

Kevin D. Goodknecht Sr. said:
If the Secondary servers do not support Notify, you cannot have a fully
hidden master. The SOA record will need to show the MNAME of the master
server, and it must be able to resolve its IP address with a glue record.
You can still have a hidden master, but the SOA record must have the name of
the master, and you will need a record for the primary name server name. You
do not necessarily need an NS record for the master, and you won't want to
have the master DNS on the public record.
http://www.dyndns.com/support/kb/archives/running_a_hidden_primary.html

Hi Kevin,

Thanks for the reply. This is the KB article from the provider I use:

http://esupport.gradwell.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=35

I'm a little confused by the SOA issue.

If my provider pulls transfers from a specified IP using a script
(rather than looking at the SOA which is what I believe usually happens
with zone transfers) I don't see why the SOA would need to be the real
master?

I'm trying to understand the process a little better rather than just
filling in boxes blindly :)

cheers,
Paul
 
