Exposure of hidden-master stealth DNS server on public-facing authoritative slave

domain-name-system dns-hosting bind internal-dns

Zone files on slave DNS servers often do not (and should not) have information to this hidden master DNS server.

They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records so clients can't query them.

Edit: there is no point in trying to avoid all references to this hidden master from your configuration file. Once someone has access to this file, it assumes they have access to your server anyway and then that sounds like a bigger problem than them knowing the IP address of your hidden master.

But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc statements. That way you do not need to specify the IP address of the hidden master server.

The server statement looks like this:

server <netprefix> {
   ...
};

Thus it requires the IP address of the hidden master.

It seems however that statements like allow-update, allow-transfer etc require an address_match_list which (BIND 9.11.4-P1 documentation, p. 51):

(...) is a list of one or more ip_addr, ip_prefix, key_id, or acl_name elements, see section 6.1.

So you can enter only keys in these commands, excluding the IP address of your hidden master from those parts of the configuration.

Related

How to append free space from LVM volume?
Why is the pricing of my GCP instance going down every week and comes back up at the beginning of each month?
How to write a sparse Linux (EXT4) disk image without writing gigabytes of zeros?
Can I connect a servers from Hetzner cloud to a vswitch
How does Linux allocate bandwidth between processes?
How can I monitor CPU usage and processes on Windows Server 2012 as a service over a 24 hour period?
Differential Hyper-V backups with max file limit [closed]
How to Handle Sudden Burst in New HTTPS Connections?
Must not run with sudo while trying to create a runner using github-actions
How do you track and debug mySQL performance issues?
How can I backup an SQL server (2000 and 2005) database?
Maintenance plan for SQL Server Database Mirroring