Hiding master name servers

From: "Mickey S. Olsberg" <molsberg@hotmail.com>
To: <security-basics@securityfocus.com>
Date: Fri, 15 Feb 2002 14:10:19 -0700

Hello all!

An idea I have been toying with, and one I unfortunately cannot test in
my lab, is a DNS design where the primary or master name server outside
of my security perimeter is not advertised. Given the fact that my
secondaries are also my firewalls, I am trying to force anyone attempting
to "hack" DNS to do it to the most secure boxes I have, or at least the
ones that keep the best logs. The "World" would only see NS and SOA
records pointing to my slave name servers, while my primary is
restricted to doing TCP 53 zone xfers to those secondaries with no
queries allowed. I know that zone xfers don't check to see if the master
is actually the master, but would the master care if his own zone files
don't show him as authoritative? Any other gotchas that anyone can think
of in this scenario?

By the way, policy prohibits the master from residing on the firewalls,
so I am stuck with this. All boxes are running BIND 8.2.2 or something
compatible with it.
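The layout described above, sketched as BIND named.conf and zone-file fragments. This is an added illustration, not configuration from the original post; the zone name, the 192.0.2.x addresses and the ACL name are placeholders, and the directives shown (allow-query, allow-transfer, notify, also-notify) are the ones common to BIND 8 and 9.

```conf
// ---- file: named.conf on the hidden master (inside the perimeter) ----
acl secondaries { 192.0.2.2; 192.0.2.3; };   // the two firewall/slave hosts

options {
    directory "/var/named";
    recursion no;                      // authoritative only, no resolver role
    // "No queries" cannot be absolute: each slave checks the SOA serial with an
    // ordinary query before deciding to transfer, so permit the slaves alone.
    allow-query    { secondaries; };
    allow-transfer { secondaries; };   // AXFR over TCP 53, slaves only
    notify yes;
    // BIND sends NOTIFY to the zone's NS hosts except the one named in the SOA
    // MNAME; here the MNAME is a slave and the master is in no NS record, so
    // list every slave explicitly to be sure all of them are told of changes.
    also-notify { 192.0.2.2; 192.0.2.3; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
};

// ---- file: named.conf on each advertised slave (the firewalls) ----
zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters { 192.0.2.1; };            // hidden master, reachable only from here
    allow-transfer { none; };          // nobody pulls the zone from the outside
};

; ---- file: master/example.com.zone ----
; NS and SOA name only the slaves; the host 192.0.2.1 appears nowhere.
$TTL 86400
@       IN SOA ns1.example.com. hostmaster.example.com. (
                2002021501 ; serial (placeholder)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; negative-cache TTL
        IN NS  ns1.example.com.
        IN NS  ns2.example.com.
ns1     IN A   192.0.2.2
ns2     IN A   192.0.2.3
```

The perimeter rule that completes the picture is the one the post already implies: TCP 53 from the slaves to the master only, with no inbound port 53 to the master from anywhere else.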
