On 2/15/22 09:06, Andrew Baker via bind-users wrote:
> Dear List,
> We are based in the Middle East and manage a lot of domains across a
> lot of TLDs, including regional ones. Not all registrars are equal, and
> the DNS services of several weren't offering what we required. For a
> number of operational and political reasons, it was decided to set up a
> distributed public DNS for the domains that we manage. It was an
> interesting project, as it's the first time we've used BIND in anger.
> We now have a master and two slave DNS servers in two of our DCs in
> the region and have additional slaves outside the region to provide DR
> resilience for the roughly 40% of our domains that are actually active.
> Everything is running smoothly now, and I'd like to take one final
> step to make the master DNS hidden and leave the slaves to handle all
> the requests.
> I can see two possible ways of doing this:
> 1. Configure the "allow queries from" to just the slave servers
> 2. Set up rules on our external firewall to block requests from
> anything other than the slave servers
I'd take the masters off the registrar NS list, and just leave the slaves.
DNS queries won't be sent to name servers that aren't listed as
authoritative for the zone.
In the background, the master will still control the zones and notify
the slaves of any record changes.
I suppose you can add a firewall rule on the masters to block unwanted
requests, but I try to make things as complicated as possible, and no
more so.
Mark.
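The hidden-primary arrangement Mark describes, written out as BIND named.conf fragments. This is an added example, not configuration posted by either participant or shipped by ISC; the zone name, the addresses (RFC 5737 documentation ranges), the file paths and the ACL name `secondaries` are placeholders. The `type primary`/`type secondary`/`primaries` keywords are the BIND 9.16+ spellings; `master`/`slave`/`masters` remain accepted as synonyms.

```conf
// ---- hidden primary: named.conf (added example; addresses are placeholders) ----

acl secondaries {
    192.0.2.10;       // in-region secondary 1
    192.0.2.11;       // in-region secondary 2
    198.51.100.20;    // out-of-region DR secondary
};

options {
    directory "/var/named";
    recursion no;

    // Option 1 from the question: answer queries only from the secondaries.
    // Every other source address gets REFUSED, so the primary never serves
    // the public even if someone sends queries to it directly.
    allow-query    { secondaries; };
    allow-transfer { secondaries; };

    // The primary is not in the zone's NS RRset, so BIND cannot derive the
    // NOTIFY targets from the zone; list them explicitly instead.
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; 198.51.100.20; };
};

zone "example.com" {
    type primary;
    file "primary/example.com.zone";
};

// ---- public secondary: named.conf (added example) ----

zone "example.com" {
    type secondary;
    primaries { 203.0.113.5; };   // the hidden primary; never published in NS records
    file "secondary/example.com.zone";
    allow-query { any; };         // the secondaries answer the public
};
```

Two practical checks once this is live. `dig +short NS example.com @192.0.2.10` should list only the secondaries (and the registrar's delegation must match, as Mark says), while `dig SOA example.com @203.0.113.5` from any address outside the `secondaries` ACL should come back `status: REFUSED`. The firewall rule from option 2 is still worth adding on the primary as a second layer, since `allow-query` only protects `named` itself, not the host. One caveat worth knowing: the SOA MNAME is where RFC 2136 dynamic-update clients send updates, so if anything outside the secondaries needs to update these zones it will not reach a hidden primary; for zones edited only on the primary this is exactly the desired behaviour.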
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users