7

In a typical hidden-master DNS network layout, there are basically two components:

  • Hidden master DNS server, which may be behind a NAT or firewall, or be totally exposed
  • Slave authoritative non-recursive DNS server(s)

Zone files on slave DNS servers often do not (and should not) have information about this hidden master DNS server. But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

At first, the required `server` and `allow-update` options seem to require an IP address match list. This leaves named.conf as the primary source of such stealth information (i.e. the IP address of the hidden master).

Can such exposure of the IP address to the hidden-master DNS server be further limited by using keys instead and not using any IP address in the named.conf file?

The key answer I'm looking for is whether or not we can minimize exposure of the hidden master at the level of its configuration file as well as in zone databases.

Peter Mortensen
John Greene
  • If my answer is correct and complete, can you accept it as such? Otherwise, let's have a chat on how I can improve on my answer. – Tommiie Nov 12 '18 at 13:48

1 Answer

8

> Zone files on slave DNS servers often do not (and should not) have information about this hidden master DNS server.

They can have A records in their zone files to point to this hidden DNS master server. The server is called "hidden" not because no one can ever know about it, but because it's not listed anywhere using NS records, so clients can't query it.

Edit: there is no point in trying to avoid all references to this hidden master from your configuration file. Once someone has access to this file, it can be assumed they have access to your server anyway, and then that sounds like a bigger problem than them knowing the IP address of your hidden master.

> But these same slave DNS servers do require the use of certain DNS options like server, allow-update, allow-transfer, and some ACLs.

The slave DNS servers do indeed need to know about the existence of the hidden DNS server. It's possible to define masters using only keys and then refer to those masters in the allow-notify etc. statements. That way you do not need to specify the IP address of the hidden master server.

The server statement looks like this:

```
server <netprefix> {
   ...
};
```

Thus it requires the IP address of the hidden master.

It seems however that statements like allow-update, allow-transfer etc require an address_match_list which (BIND 9.11.4-P1 documentation, p. 51):

> (...) is a list of one or more ip_addr, ip_prefix, key_id, or acl_name elements, see section 6.1.

So you can enter only keys in these commands, excluding the IP address of your hidden master from those parts of the configuration.

Tommiie
  • Will we be able to avoid the use of an IP address in the `servers` option by using key(s) (for a match-list)? – John Greene Oct 19 '18 at 12:07
  • Key answer I'm looking for is whether or not we can minimize exposure at configuration file as well as in zone databases. – John Greene Oct 19 '18 at 12:13
  • Why are you so panicky about putting the IP address of your hidden master in the configuration file of your slaves? I'll try to find an answer but I don't really understand your fear for putting in that IP address. – Tommiie Oct 19 '18 at 13:38
  • @EgbertS: I've edited the last paragraph of my answer. Does this better answer your question? – Tommiie Oct 19 '18 at 13:45
  • And as to the `servers` option, can one use a key in place of an IP or do without the `servers` option? – John Greene Oct 19 '18 at 19:57
  • Updated my answer once more. – Tommiie Oct 23 '18 at 12:55
  • That's what I have learned. I wrote a bash script to update the `masters list`, `forwarders`, and `acl`. It was too easy to let dhclient's `/etc/dhcp/dhclient-enter.d/0-bind-ip-public-update` to do that. – John Greene Oct 23 '18 at 15:49
  • In not so many words, it is not possible to hide the hidden master's IP address from the public slave nameserver(s)' configuration. You can hide it from the slave nameserver(s)' zone data file, but not its configuration file. – John Greene Oct 23 '18 at 15:50
  • Just a very long shot, `server 0.0.0.0 { ... };` for a blanket coverage? – John Greene Oct 23 '18 at 15:53
  • But why are you so keen on keeping the IP address of the hidden master out of your configuration file which isn't visible to anyone anyway? – Tommiie Oct 23 '18 at 20:43
  • I would like permission to update question to reflect better listing of bind9 options by master and by slave; and what is IP-address only and what is address_match_list-able. – John Greene Nov 17 '18 at 19:29
  • Feel free to update the question. But perhaps clearly mark your update. If need be, I’ll try to update my answer as well. – Tommiie Nov 17 '18 at 19:30
  • As long as Bind9 default settings of the **server** clause on the slave's named.conf can work with its master nameserver's default **server** clause settings, this slave's clause can be omitted, thereby making the approach of using this key-based match a reality. – John Greene Jun 19 '21 at 16:50
  • @JohnGreene: I really do not understand what you are trying to say here. Sorry. – Tommiie Jun 24 '21 at 07:43
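To make the answer's distinction concrete, here is an added example that is not from the original post or from BIND's documentation: the statements that take an address_match_list (`allow-notify`, `allow-transfer`) are restricted by a TSIG key_id alone, while the slave's `masters` list still has to name the hidden master's address, as the comments above conclude. The key name `hidden-master-key`, the zone `example.com`, the addresses 192.0.2.10 and 198.51.100.53 and the `secret` value are constructed placeholders; the `server` statement on the hidden master is what makes its NOTIFY messages TSIG-signed so that the slave's key-only `allow-notify` matches.

```conf
// ---- Slave (public authoritative) named.conf, constructed example ----
key "hidden-master-key" {                  // hypothetical TSIG key name
    algorithm hmac-sha256;
    secret "BASE64_SECRET_PLACEHOLDER==";  // placeholder, generate with tsig-keygen
};

options {
    recursion no;                          // authoritative only
    allow-transfer { none; };              // nobody pulls zones from the slave
    // Accept NOTIFY only when it is TSIG-signed; no IP address is needed here,
    // because an address_match_list accepts a key_id.
    allow-notify { key hidden-master-key; };
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    // The one place the hidden master's address cannot be avoided: the slave
    // has to know where to send SOA queries and AXFR/IXFR requests.
    // Attaching the key makes those requests TSIG-signed.
    // (192.0.2.10 is a documentation-range placeholder.)
    masters { 192.0.2.10 key hidden-master-key; };
};

// ---- Hidden master named.conf, constructed example ----
key "hidden-master-key" {
    algorithm hmac-sha256;
    secret "BASE64_SECRET_PLACEHOLDER==";  // same secret as on the slave
};

options {
    recursion no;
    notify explicit;                       // notify only the listed slaves, not the NS records
    also-notify { 198.51.100.53; };        // public slave (placeholder address)
    // Transfers are permitted by key, not by source address, so a request
    // from any IP is refused unless it is signed with hidden-master-key.
    allow-transfer { key hidden-master-key; };
};

// Sign the NOTIFY messages sent to the slave so its allow-notify key check passes.
server 198.51.100.53 {
    keys { hidden-master-key; };
};

zone "example.com" {
    type master;
    file "master/example.com.db";
};
```

Both fragments can be checked for syntax with `named-checkconf` before loading; the slave file contains the master's address exactly once, in the `masters` list, and nowhere in its zone data.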