Thanks for the quick response and confirmation, Ondřej.

You have helped take my paranoia levels down at least one notch!

Andy Baker


From: Ondřej Surý <ond...@isc.org>
Sent: Tuesday, February 15, 2022 10:12 AM
To: Andrew Baker <a.ba...@salaminternational.com>
Cc: bind-users@lists.isc.org
Subject: Re: Setup a hidden master

Hi,

do both, or at least the firewall.

But you absolutely must remove the hidden primary from the list of NS both in 
the parent and child zones. That’s the most important thing to do. Start with 
that, the rest is just additional layers.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 15. 2. 2022, at 8:06, Andrew Baker via bind-users 
<bind-users@lists.isc.org> wrote:

Dear List,
We are based in the Middle East and manage a lot of domains across a lot of 
TLDs, including regional ones. Not all registrars are equal, and the DNS 
services of several weren’t offering what we required. For a number of 
operational and political reasons, it was decided to set up a distributed public 
DNS for the domains that we manage. It was an interesting project, as it’s the 
first time we’ve used BIND in anger.

We now have a master and two slave DNS servers in two of our DCs in the region, 
and have additional slaves outside the region to provide DR resilience for the 
around 40% of our domains that are actually active. Everything is running 
smoothly now, and I’d like to take one final step: make the master DNS hidden 
and leave the slaves to handle all the requests.
I can see two possible ways of doing this:

  1.  Configure the “allow queries from” to just the slave servers
  2.  Set up rules on our external firewall to block requests from anything 
other than the slave servers
Which of the above is the better option, should I do both, or is there something 
else I should be doing instead of, or as well as, these?
My other question relates to the domain registrars. Once I “hide” the master 
server, do I also need to remove it from the list of name servers for the 
domain on the registrar’s sites or is it ok to leave it even though it can’t be 
queried?

Thanks in advance

Andy Baker
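As an added example (not from this thread, and not ISC's own configuration), here is a BIND 9 named.conf sketch of the hidden-primary setup the question describes, with Ondřej's point applied: the primary answers only the secondaries, and nothing in the configuration relies on the primary appearing in the zone's NS records. The zone name, file paths and addresses (RFC 5737 documentation ranges) are assumed placeholders; the `type primary`, `type secondary` and `primaries` keywords are the BIND 9.16+ spellings of master/slave/masters.

```conf
# Added example: hidden primary in BIND 9 (9.16+ keywords).
# Addresses are placeholders for the two in-region and one out-of-region
# secondaries from the question.
acl "secondaries" {
    192.0.2.10;       # ns1, DC A
    192.0.2.11;       # ns2, DC B
    198.51.100.20;    # ns3, out-of-region DR
};

options {
    directory "/var/named";
    recursion no;
    # Only the secondaries may query this host or pull zone transfers.
    # Anything else gets REFUSED at the DNS layer; the firewall is the
    # second, independent layer in front of it.
    allow-query    { secondaries; };
    allow-transfer { secondaries; };
    # The hidden primary is deliberately absent from the zone's NS RRset,
    # so NOTIFY targets cannot be derived from NS records; list them here.
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; 198.51.100.20; };
};

zone "example.net" {
    type primary;
    file "example.net.zone";
};

# ---- on each secondary (separate named.conf) ----
# The hidden primary (192.0.2.1 here) is only a transfer source; these
# servers are the ones the public and the registrar delegation point at.
zone "example.net" {
    type secondary;
    primaries { 192.0.2.1; };
    file "secondary/example.net.zone";
    allow-query { any; };
};
```

Two checks worth running after the change: `named-checkconf` on the primary to confirm the ACL and `notify explicit` parsed as intended, and `dig +short NS example.net` against one of the secondaries and against a parent (TLD) server, which shows whether the hidden primary's name is still published in the child zone or in the delegation. If it is, the host is still a target of resolvers regardless of the ACL or the firewall, which is why Ondřej's reply puts removing it from both NS sets first.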

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
