This is pretty much what I do. I have one server behind a NAT with two views: internal, resolving, has all internal names - external, not resolving, has the master for my zones.
My DNS provider slaves my zones off the master on my LAN. I have not put my master's IP in the zone data; what is in the file is not important. Slaves transfer the zone data, not the file. I just checked and cannot find any trace of my IP in the output from the public servers.

I can check in my log when the slaves transfer the data. I have not had any case where data ran out; set TTLs high enough.

I see a major panic when my ISP gives me a new IP (happens rarely, but has happened); then I need to tell the slaves that a new master is in place. It can be done, but must be done right for this provider.

On 07/11/13 19.52, Jonathan Reed wrote:
> I'd like my global BIND server to slave a copy of my zone from the
> master being hosted on my LAN. It appears that this is called a
> stealth setup. I figured I'd achieve this by having the secondary on
> the internet slave a view, but I've read that this is not ideal from a
> security standpoint. The argument being that the zone file contains an
> IP address of its master. So what's the best way to do this?
>
> A stealth scenario also seems susceptible to a higher chance where the
> connection is lost between master and slave (complicated by a LAN
> firewall/ISP in between) and the expire exceeding. We're hosting our
> global DNS through a provider, so there doesn't seem like an easy way
> to monitor and confirm a zone transfer from our master alone. Any
> recommendations?
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users

--
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!"
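Checking the master's log for slave transfers and comparing their age with the SOA expire value, as discussed in this thread, can be scripted. The following is an added example, not code from either poster: it assumes the master writes BIND-style xfer-out messages ending in "AXFR ended" or "IXFR ended", and the zone name, slave addresses and log lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample of xfer-out log lines on the stealth master (not from the thread).
SAMPLE_LOG = """\
05-Nov-2013 03:10:44.120 client 192.0.2.53#40211 (example.org): view external: transfer of 'example.org/IN': AXFR started
05-Nov-2013 03:10:44.310 client 192.0.2.53#40211 (example.org): view external: transfer of 'example.org/IN': AXFR ended
06-Nov-2013 21:02:10.004 client 198.51.100.53#51877 (example.org): view external: transfer of 'example.org/IN': IXFR started
06-Nov-2013 21:02:10.090 client 198.51.100.53#51877 (example.org): view external: transfer of 'example.org/IN': IXFR ended
07-Nov-2013 09:15:00.500 client 198.51.100.53#51990 (example.org): view external: transfer of 'example.org/IN': AXFR started
"""

# Only transfers that reached "ended" count; a lone "started" may have been cut off.
XFER_DONE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (\S+?)#\d+ "
    r".*?transfer of '([^/']+)/IN': [AI]XFR ended", re.M)

def last_completed(log_text):
    """Map (zone, slave_ip) -> time of the newest completed transfer."""
    latest = {}
    for stamp, slave, zone in XFER_DONE.findall(log_text):
        when = datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S")
        key = (zone, slave)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest

def slave_status(log_text, zone, slaves, expire_seconds, now, warn_fraction=0.5):
    """Classify each expected slave by transfer age relative to SOA expire.

    A slave whose SOA refresh check succeeds without needing a transfer also
    resets its expire timer, so this is a conservative (early) alarm.
    """
    latest = last_completed(log_text)
    report = {}
    for slave in slaves:
        seen = latest.get((zone, slave))
        if seen is None:
            report[slave] = "never"      # expected slave has no completed transfer
            continue
        age = (now - seen).total_seconds()
        if age >= expire_seconds:
            report[slave] = "expired"
        elif age >= warn_fraction * expire_seconds:
            report[slave] = "warning"
        else:
            report[slave] = "ok"
    return report

if __name__ == "__main__":
    slaves = ["192.0.2.53", "198.51.100.53", "203.0.113.53"]
    print(slave_status(SAMPLE_LOG, "example.org", slaves, 604800, datetime(2013, 11, 9, 12)))
```

The "never" result is the useful one after an ISP address change: it shows which provider servers have not yet pulled from the new master address.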

