 |  |  |  |  |  |  |  |
Hidden primary name server
Thread Solved |
Hi Friends,
I am in the middle of creating my design doc for DNS. My aim is to hide my primary NS from external world. And I am planning to use only secondary servers for query handling.
I have created XYZ.com zone and added two NS RRs which are secondary servers. I am forced to give my primary NS details when creating SOA record. Whether the primary NS RR, which we have given in the SOA RR will be safe for the internet (threats) or not?
One more added question. Whether I need to register my primary Name server in APNIC? Because, primary name server wont be published to the external world. Whether its really needed to register this in the APNIC?
I am in the middle of creating my design doc for DNS. My aim is to hide my primary NS from external world. And I am planning to use only secondary servers for query handling.
I have created XYZ.com zone and added two NS RRs which are secondary servers. I am forced to give my primary NS details when creating SOA record. Whether the primary NS RR, which we have given in the SOA RR will be safe for the internet (threats) or not?
One more added question. Whether I need to register my primary Name server in APNIC? Because, primary name server wont be published to the external world. Whether its really needed to register this in the APNIC?
>> I have created XYZ.com zone and added two NS RRs which are secondary servers. I am forced to give my primary NS details when creating SOA record. Whether the primary NS RR, which we have given in the SOA RR will be safe for the internet (threats) or not?
You can put whatever you want in your SOA area.
>>One more added question. Whether I need to register my primary Name server in APNIC? Because, primary name server wont be published to the external world. Whether its really needed to register this in the APNIC?
No
--
What you should do:
main.yourdomain.com -- main DNS server, unpublished
ns1.yourdomain.com -- your "primary" NS for the SOA/APNIC, but it is truly just the "main slave" in your setup.
ns2.yourdomain.com -- another slave
Set up the zones on the main (unpublished) server and set up the two child nameservers as slaves to your primary.
Effectively "ns1" is your main nameserver as far as the internet is concenered, and as far as BIND or whatever DNS daemon you are running is concerend it is "main"
You can put whatever you want in your SOA area.
>>One more added question. Whether I need to register my primary Name server in APNIC? Because, primary name server wont be published to the external world. Whether its really needed to register this in the APNIC?
No
--
What you should do:
main.yourdomain.com -- main DNS server, unpublished
ns1.yourdomain.com -- your "primary" NS for the SOA/APNIC, but it is truly just the "main slave" in your setup.
ns2.yourdomain.com -- another slave
Set up the zones on the main (unpublished) server and set up the two child nameservers as slaves to your primary.
Effectively "ns1" is your main nameserver as far as the internet is concenered, and as far as BIND or whatever DNS daemon you are running is concerend it is "main"
Last edited by sknake; Sep 16th, 2009 at 5:46 pm.
Thanks scott. Appreciate your valuable time.
If we made the secondary NS(ns1.yourdomain.com) to act as primary NS for the SOA/APNIC, it may confuse a little. We will add the secondary refresh details in the SOA RR. How our new configuration will address this?
If we made the secondary NS(ns1.yourdomain.com) to act as primary NS for the SOA/APNIC, it may confuse a little. We will add the secondary refresh details in the SOA RR. How our new configuration will address this?
Sorry for not explain it in detail.
I am really having some doubts in using this configuration which you suggested.
I made the secondary NS(ns1.yourdomain.com) to act as primary NS for SOA/APNIC as you suggested. Now, I feel the configuration is little confusing for me.
1. Whether the DDNS updates will happen without any problem?
2. How this secondary NS will contact the primary NS for the zone transfer request?
Is this is the only way (legal way) to hide the primary from the external world or this is one of the method. If there are more than one, please share the rest (hope you know the rest).
Cyril.
I am really having some doubts in using this configuration which you suggested.
I made the secondary NS(ns1.yourdomain.com) to act as primary NS for SOA/APNIC as you suggested. Now, I feel the configuration is little confusing for me.
1. Whether the DDNS updates will happen without any problem?
2. How this secondary NS will contact the primary NS for the zone transfer request?
Is this is the only way (legal way) to hide the primary from the external world or this is one of the method. If there are more than one, please share the rest (hope you know the rest).
Cyril.
How familiar are you with running a DNS server, or are you wanting this DNS configuration on public companies? I saw your other post regarding various DNS companies, but not necessarily DNS software.
>>Now, I feel the configuration is little confusing for me.
You're running a non-standard DNS configuration, so it will be a little confusing.
Whether the DDNS updates will happen without any problem?
The DNS servers will update fine, don't worry.
>>How this secondary NS will contact the primary NS for the zone transfer request?
They will use zone-file transfers. When you update the DNS zone on the master then the slave servers will get notified and download the new zone.
>>Is this is the only way (legal way) to hide the primary from the external world or this is one of the method
This is really the only way, and it makes sense.
Let me elaborate on something.
1. You do not register the SOA with APNIC. You register your DNS servers, ie: ns1.domain.com and ns2.domain.com have authority over "domain.com". And oh by the way ns1.domain.com is 1.2.3.4 and ns2.domain.com is 4.3.2.1 (these are called glues)
I even run mis-matched glues on my DNS servers. It was an experiment that I never changed. Look at this:
Notice in the first DNS lookup ns2. was .119, and in the second it was .117? You can even run mis-matched glues with DNS and it works perfectly OK. DNS is a very trusting protocol
>>
Next -- The SOA record is really used by the DNS daemon to initialize zone transfers but not really use for resolving. If I wanted to force my domains to update:
I would bump the red serial# in the above post, and reload the zone files:
This triggered my DNS servers to begin updating:
Because on the master server I had a list of the slave servers to update. You can tell the master server to "push out updates" when the serial# is changed OR you can wait for the slave to periodically poll the master. I chose pushing them out, and you would configure it like:
>>Now, I feel the configuration is little confusing for me.
You're running a non-standard DNS configuration, so it will be a little confusing.
Whether the DDNS updates will happen without any problem?
The DNS servers will update fine, don't worry.
>>How this secondary NS will contact the primary NS for the zone transfer request?
They will use zone-file transfers. When you update the DNS zone on the master then the slave servers will get notified and download the new zone.
>>Is this is the only way (legal way) to hide the primary from the external world or this is one of the method
This is really the only way, and it makes sense.
Let me elaborate on something.
1. You do not register the SOA with APNIC. You register your DNS servers, ie: ns1.domain.com and ns2.domain.com have authority over "domain.com". And oh by the way ns1.domain.com is 1.2.3.4 and ns2.domain.com is 4.3.2.1 (these are called glues)
I even run mis-matched glues on my DNS servers. It was an experiment that I never changed. Look at this:
sk@sk:~$ dig ns1.warche.st @SUNIC.SUNET.SE ; <<>> DiG 9.4.0 <<>> ns1.warche.st @SUNIC.SUNET.SE ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22543 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;ns1.warche.st. IN A ;; AUTHORITY SECTION: warche.st. 86400 IN NS ns2.warche.st. warche.st. 86400 IN NS ns1.warche.st. These are the glues. The non-authorative DNS server is giving IP addresses for the destination domain. These "glue" DNS and make the protocol work: ;; ADDITIONAL SECTION: ns1.warche.st. 86400 IN A 208.42.233.178 ns2.warche.st. 86400 IN A 72.16.178.117
sk@sk:~$ dig ns1.warche.st @ns2.warche.st
; <<>> DiG 9.4.0 <<>> ns1.warche.st @ns2.warche.st
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6978
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION:
;ns1.warche.st. IN A
;; ANSWER SECTION:
ns1.warche.st. 3600 IN A 208.42.228.219
;; AUTHORITY SECTION:
warche.st. 3600 IN NS ns2.warche.st.
warche.st. 3600 IN NS ns1.warche.st.
warche.st. 3600 IN NS ns3.warche.st.
;; ADDITIONAL SECTION:
ns2.warche.st. 3600 IN A 72.16.178.119
ns3.warche.st. 3600 IN A 208.42.228.219Notice in the first DNS lookup ns2. was .119, and in the second it was .117? You can even run mis-matched glues with DNS and it works perfectly OK. DNS is a very trusting protocol
>>
Next -- The SOA record is really used by the DNS daemon to initialize zone transfers but not really use for resolving. If I wanted to force my domains to update:
$TTL 1H; Default TTL (bind 8 needs this, bind 9 ignores it)
@ IN SOA ns1.warche.st. root.warche.st. (
20041170; serial
30M ; Refresh
300 ; Retry
4W ; Expire
1H ) ; Min TTLI would bump the red serial# in the above post, and reload the zone files:
bash Syntax (Toggle Plain Text)
This triggered my DNS servers to begin updating:
text Syntax (Toggle Plain Text)
Because on the master server I had a list of the slave servers to update. You can tell the master server to "push out updates" when the serial# is changed OR you can wait for the slave to periodically poll the master. I chose pushing them out, and you would configure it like:
text Syntax (Toggle Plain Text)
 |
Similar Threads
- Problem with javascript variable and hidden input (ASP.NET)
- Dell Server PowerEdge 1800 (Networking Hardware Configuration)
- Server Avail check (HTML and CSS)
- Hidden files.. Server not even kissed (Viruses, Spyware and other Nasties)
- Unable to see secondary DNS server in DNS mgr (Windows NT / 2000 / XP)
- SQL server error: 18452 - connection to SQL error (Windows NT / 2000 / XP)
Other Threads in the Domains and DNS Forum
- Previous Thread: google sponsored links issue
- Next Thread: Top 10 DNS servers list
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Domains and DNS Posts
- Today's Posts
- Unanswered Threads
activedirectory apple apps appstore at&t branding business country cybersquatting dns domain domains economy error filter flake function gay google hacker hacking icann internet investment ip iphone kaminsky laptop leopard login macosx microsoft netshare news nullriver nvidia phishing registration sales security securityflaw server. smtp terrorism tiger url verisign vista web windowsserver2008 zone
