Re: hidden master and stealth slave
From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 03/20/04
- Next message: Ace Fekay [MVP]: "Re: MX record"
- Previous message: William Stacey [MVP]: "Re: DNS Help"
- In reply to: William Stacey [MVP]: "Re: hidden master and stealth slave"
- Next in thread: William Stacey [MVP]: "Re: hidden master and stealth slave"
- Reply: William Stacey [MVP]: "Re: hidden master and stealth slave"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 20 Mar 2004 12:26:14 -0500
In news:%23WyXCypDEHA.3788@TK2MSFTNGP10.phx.gbl,
William Stacey [MVP] <staceywREMOVE@mvps.org> posted their thoughts, then I
offered mine
>> thanks William. A real hidden primary
>> means no NS record for the primary on both the primary
>> and secondaries.
>
> Right. AFAIK that is the only way you have to configure it. You need
> to delete the primary NS record in the primary zone so the
> secondaries don't get it during xfr.
>
>> In addition, the primary info should not
>> be revealed in the MNAME part of the SOA record.
>
> Can change that to what you want.
>
>> however, is it also doable for AD integrated zones?
>> would DDNS add difficulties to this?
>
> It does and that is why I don't recommend this. It has similar
> issues with using an AD zone for public use - also not recommended for
> similar reasons. You can end up turning off all auto updates from
> Netlogon, DNS, etc, and add all the (ns, soa, etc.) manually and AD
> won't keep changing them, but IMO this is hacking the machine and will
> end up with more issues than you solve. If you have a "need" for this
> with AD, why not set up a forward zone in the public server pointing
> to the primary behind your firewall. I have never seen a need to
> publish private names and IPs to the public side (unless these
> "private" side records are actually public IPs in the DMZ or
> something.)
Just to add, to change/delete the MNAME (or SOA) that gets registered in
the Name Servers tab would require a reg entry. I've seen in some cases,
such as that post last week that you and I were helping in, where on a DNS
server with an AD Integrated zone, they were trying to do the same exact
thing, but the system would continue to auto register the name each time
they deleted it. The only way to get around it is to use the reg entry
to stop registration, and then manually create whatever entries you want for
the zone, such as the "exposed" nameservers and not this master name and IP.
But I guess in a perfect BIND world, some BIND folks won't accept this
method. Otherwise, the best to suggest is to create a Primary zone on the
"exposed" nameserver, which would be a physical copy of the zone on the
"hidden" nameserver and manually change the records accordingly.
I agree to keep private/mixed data on separate nameservers, and that
'hacking' the machine is administrative overhead.
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no rights.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
=================================
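The thread's recipe for a hidden primary boils down to three checks on the zone data that the exposed servers actually publish: no NS record names the hidden master, the SOA MNAME does not name it, and no address record for it is in the zone. The script below is an added example, not code from either poster; it parses a small constructed zone file (the names, addresses and the `hidden-master` host are all made up for illustration) and reports any of those leaks so an administrator can verify the published copy before it is handed to the "exposed" nameservers.

```python
import re

# Constructed sample zones for the example (not from the thread).
# LEAKY_ZONE is a zone that still exposes the hidden primary in all three places.
LEAKY_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA hidden-master.example.com. hostmaster.example.com. 2004032001 7200 900 1209600 3600
@   IN NS  hidden-master.example.com.   ; NS record for the primary leaked via xfr
@   IN NS  ns1.example.com.
@   IN NS  ns2.example.com.
ns1 IN A   192.0.2.10
ns2 IN A   192.0.2.11
hidden-master IN A 10.0.0.5            ; private address published by mistake
"""

# CLEAN_ZONE is the same zone configured the way the thread describes:
# MNAME points at an exposed server and the hidden master is absent.
CLEAN_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. 2004032001 7200 900 1209600 3600
@   IN NS  ns1.example.com.
@   IN NS  ns2.example.com.
ns1 IN A   192.0.2.10
ns2 IN A   192.0.2.11
"""


def fqdn(name, origin):
    """Expand '@' and relative owner names against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Minimal master-file parser: returns (owner, type, rdata-fields) tuples.

    Handles $ORIGIN, $TTL, ';' comments and optional TTL/class columns.
    Multi-line parenthesised SOA records are not handled (keep them on one line).
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        owner = fields[0]
        idx = 1
        if re.fullmatch(r"\d+", fields[idx]):   # optional TTL
            idx += 1
        if fields[idx].upper() == "IN":          # optional class
            idx += 1
        rtype = fields[idx].upper()
        records.append((fqdn(owner, origin).lower(), rtype, fields[idx + 1:]))
    return records


def hidden_master_findings(zone_text, hidden_master):
    """Return a list of human-readable findings; empty list means no leak."""
    hidden_master = hidden_master.lower()
    findings = []
    ns_targets = set()
    mname = None
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "SOA":
            mname = rdata[0].lower()
            if mname == hidden_master:
                findings.append(f"SOA MNAME at {owner} names the hidden master")
        elif rtype == "NS":
            ns_targets.add(rdata[0].lower())
            if rdata[0].lower() == hidden_master:
                findings.append(f"NS record at {owner} points to the hidden master")
        elif rtype in ("A", "AAAA") and owner == hidden_master:
            findings.append(f"{rtype} record publishes the hidden master's address {rdata[0]}")
    # MNAME should name one of the published servers, not an unlisted host.
    if mname and mname not in ns_targets and mname != hidden_master:
        findings.append(f"SOA MNAME {mname} is not among the published NS servers")
    return findings


if __name__ == "__main__":
    for label, zone in (("leaky", LEAKY_ZONE), ("clean", CLEAN_ZONE)):
        problems = hidden_master_findings(zone, "hidden-master.example.com.")
        print(f"{label}: {problems or 'no hidden-master leaks found'}")
```

Run it against the zone file you intend to load on the exposed server (or the text of a `dig axfr` against it, once the owner-name column is normalised); an empty result for your real hidden host name is the property the thread is after. The same idea applies to an AD-integrated zone: dump the zone and run the check after the automatic NS/SOA registration has been disabled, since, as the post notes, the server otherwise re-adds the record.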