ALINK="#FF0000">

(?) Re: Hidden master DNS

From Mike Orr

Answered By Dan Wilder

(?) How do you do the hidden master trick for DNS? In my case, my computer is the real master and my friend runs two secondaries. However, the registrar lists only his servers. Is that all that's needed to make his secondary appear to be the master from the public's perspective, or do I have to do something else too?

(!) [Dan] First bear in mind that "master" and "slave", a relationship between servers, has nothing whatever to do with "primary" and "secondary", an arbitrary ordering of servers on a list your registrar maintains for you. Many sysadmins confuse the two, partly because similar terms are sometimes used, and much grief results.
1) List any servers you think will serve your domain with your registrar, in any order you please.
2) Set up any relationship you want between your DNS servers. The master/slave relationship is established (when using BIND) in the named.conf stanzas. For the master:
zone    "mydomain.com" {
        type master;
        file    "mydomain.com";
};
and put the "mydomain.com" zone file where the server expects to find it.
For a slave:
zone    "mydomain.com" {
        type slave;
        masters { xxx.xxx.xxx.xxx; };
        file    "mydomain.com";
};
the slave will download mydomain.com from the master.
About "hidden":
You don't have to list the actual master server at all. It is sufficient that the listed servers know the IP address of the actual master. The registrar doesn't need this information. Then it's a "hidden master".
Somewhat related to this is so-called "split DNS". Use this when you have a firewalled network containing hosts known internally as a part of your domain, but which are not visible outside.
Set up a master DNS server inside and point all your hosts at it. In the "options" section:
options {
...
notify no;
allow-transfer { none; };
forward only;
        forwarders {
        xxx.xxx.xxx.xxx;
        xxx.xxx.xxx.xxx;
        xxx.xxx.xxx.xxx;
        };
};
which turns off notification to anybody, allows nobody to get a copy of locally maintained zone files, and specifies a few nameservers, typically those of your ISP, as the places to query for domains the server doesn't consider itself definitive for.
Then, for your own domain, a stanza that says:
zone "mydomain.com." IN {
        type master;
        file "mydomain.com";
};
and the "mydomain.com" zone file contains records for internal hosts, plus all external hosts listed in the mydomain.com zone file in the outside nameserver.

(?) All my domains are "master" in my /etc/bind/bind.conf. My friend has who-knows-what settings to download my information to his secondary servers. I'm not sure whether the records appear as "master" or "slave" on his server. I want his first secondary server (the one listed first at the registrar) to appear authoritative to the public, so that the public won't be querying my server. Does he have to do anything else? I asked him, but he said he thought hidden master was something I set at my end.

(!) [Dan] Nope.
"Hidden" is set at the registrar. That is, you don't register your server. That makes it hidden.
Your server has to consider itself "master" but that's already set up.
If you want your hidden master to actually control anything, your friend has to set the stanza for your domain in his named.conf file to "slave" with the ip of your machine in the "masters" keyword in the stanza. That's what makes your server a "master".
Or else he has to set his stanza to "master", and you have to send him a copy of your zone file every time you change it, and he has to put it in place. But then your machine isn't a "hidden master".
If the transfer happens on a timely basis, nobody outside cares how the zone file gets to his machine. If he'll cooperate it saves work on your part and on his.

(?) He's already set up to automatically pull the data from my server; that was set up years ago. I guess that means he's a "slave". But I thought "secondary" was the term for that, and that his record would tell the public to go to my server for the authoritative source, but I guess that's not the case.

(!) [Dan] No. That's the confusion due to similar terms being used in the same context for different things, that I've been fighting off and on about with slightly underqualified sysadmins who don't realize the extent of their underqualification, for years.
"Primary" and "Secondary" should be used to denote a matter of public record, the nameservers listed with a registrar for a domain. They should never be used to denote the private relationship between servers, of which the registrar knows nothing.
"Master" and "Slave" should be used to denote a privately arranged relationship between servers configured to furnish DNS information about a particular domain. This has nothing to do with the matter of public record mentioned previously.


Copyright © 2003
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 90 of Linux Gazette, May 2003
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/


[ Table Of Contents ][ Answer Guy Current Index ] greetings   Meet the Gang   1   2 [ Index of Past Answers ]