hidden master and stealth slave

In
a bind guy said:
Does W2K or W2K3 DNS support these features, or are they
capable of doing this?


These are not features, but rather how you would configure your servers.

You can create a Primary zone on one machine, then have a secondary and just
register the secondaries with your ISP, if that's what you're looking to do.
The Primary zone on that machine would be the 'hidden' master. The server
hosting the Secondary zone would be the "stealth" slave. Your firewall rules
will of course only allow access to the "slave".



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thanks Ace for trying, but what you described is not what
the well-known concepts are about on the other side of the
DNS world.

Basically the issue boils down to whether Windows DNS can
host zones that have unlisted but authoritative name
servers.

The hidden master can be used for security and other
reasons; the stealth slave can be a very interesting
concept for the MS world, as normally a great number of
servers exist in a zone of MS implementation -- a
possible problem for NOTIFY.
 
Basically the issue boils down to whether Windows DNS can
host zones that have unlisted but authoritative name
servers.

And it can (just like Bind). Why do you think it cannot? A hidden primary
only means you don't have the NS record for the primary on the secondaries
(so it is "hidden"). The xfrs still work as the secondary just needs the IP
of the primary.
The hidden master can be used for security and other
reasons; the stealth slave can be a very interesting
concept for the MS world, as normally a great number of

Yes. But as we said, you can do this today. Have you tried it and it is
not working for you? Please post what you're seeing and what your config is.
Are you trying to do this with an AD zone? If so, that can have issues and
I would not recommend it - however, even that can still be done.
 
Thanks William. A real hidden primary
means no NS record for the primary on both the primary
and secondaries. In addition, the primary info should not
be revealed in the MNAME part of the SOA record.

That can be done easily in the case of standard primary
and secondaries, as you just said.

However, is it also doable for AD integrated zones?
Would DDNS add difficulties to this?
 
In
the bind guy said:
Thanks William. A real hidden primary
means no NS record for the primary on both the primary
and secondaries. In addition, the primary info should not
be revealed in the MNAME part of the SOA record.

That can be done easily in the case of standard primary
and secondaries, as you just said.

However, is it also doable for AD integrated zones?
Would DDNS add difficulties to this?
You couldn't use AD integrated for a true hidden master, AD integrated zones
will show the master nameserver as the machine name it is on.
A true hidden master will show one of the secondary servers as the master,
even though they are secondary of the hidden master.
Hidden masters and their secondary servers must also support notify. Since
the secondary servers don't have a record for the master, the master must be
capable of notifying the secondary to do a zone transfer.
 
In
a bind guy said:
Thanks Ace for trying, but what you described is not what
the well-known concepts are about on the other side of the
DNS world.

The "other" side?
Hmm... so you're saying I'm in the dark?
I see...
Basically the issue boils down to whether Windows DNS can
host zones that have unlisted but authoritative name
servers.

Maybe you're doing something wrong configuring it?

As William asked, post what you're doing and what you're seeing that is
making YOU come to the conclusion that MS DNS doesn't support this.
The hidden master can be used for security and other
reasons; the stealth slave can be a very interesting
concept for the MS world, as normally a great number of
servers exist in a zone of MS implementation -- a
possible problem for NOTIFY.

Let's see what you're talking about. MS DNS is fine for the most part. The
only major thing different is "views", but that leads to mixing private and
public data on the same box, and as you seem to be a person of security
conscience, I'm sure you wouldn't want to mix private and public data on the
same machine anyway.


--
Regards,
Ace

 
Thanks William. A real hidden primary
means no NS record for the primary on both the primary
and secondaries.

Right. AFAIK that is the only way you have to configure it. You need to
delete the primary NS record in the primary zone so the secondaries don't
get it during xfr.
In addition, the primary info should not
be revealed in the MNAME part of the SOA record.

Can change that to what you want.
However, is it also doable for AD integrated zones?
Would DDNS add difficulties to this?

It does and that is why I don't recommend this. It has similar issues with
using an AD zone for public use - also not recommended for similar reasons.
You can end up turning off all auto updates from Netlogon, DNS, etc., and add
all the (NS, SOA, etc.) manually and AD won't keep changing them, but IMO
this is hacking the machine and will end up with more issues than you solve.
If you have a "need" for this with AD, why not set up a forward zone in the
public server pointing to the primary behind your firewall. I have never
seen a need to publish private names and IPs to the public side (unless
these "private" side records are actually public IPs in the DMZ or
something.)
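The conditions William and Kevin lay out in this thread (no NS record for the primary, an SOA MNAME that does not name it, and no records of its own in the zone data) can be audited mechanically. The checker below is an added example, not code from the thread; the zone text, host names and 192.0.2.x addresses are constructed placeholders.

```python
# Added example (not from the thread): audit zone text for hidden-master leaks.
# The thread's conditions: the hidden master must not be named in any NS record,
# must not appear as the SOA MNAME, and should have no records of its own in the
# zone. Zone text below is constructed; names and addresses are placeholders.
import re

# Constructed, one record per line, fully qualified owner names.
LEAKY_ZONE = """\
example.test. IN SOA hidden.example.test. hostmaster.example.test. 2024010101 3600 900 604800 3600
example.test. IN NS hidden.example.test.
example.test. IN NS ns1.example.test.
example.test. IN NS ns2.example.test.
ns1.example.test. IN A 192.0.2.1
ns2.example.test. IN A 192.0.2.2
hidden.example.test. IN A 192.0.2.3
"""

HIDDEN_ZONE = """\
example.test. IN SOA ns1.example.test. hostmaster.example.test. 2024010102 3600 900 604800 3600
example.test. IN NS ns1.example.test.
example.test. IN NS ns2.example.test.
ns1.example.test. IN A 192.0.2.1
ns2.example.test. IN A 192.0.2.2
"""

# owner [ttl] [class] type first-rdata-field ...
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(\S+)", re.IGNORECASE)


def parse_rrs(zone_text):
    """Yield (owner, rtype, first rdata field) for every record line."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and blanks
        if line and not line.startswith("$"):  # skip $ORIGIN/$TTL directives
            m = RR_RE.match(line)
            if m:
                yield m.group(1).lower(), m.group(2).upper(), m.group(3).lower()


def hidden_master_leaks(zone_text, hidden_master):
    """Return findings describing where the hidden master is exposed."""
    hidden = hidden_master.lower().rstrip(".") + "."
    findings = []
    for owner, rtype, target in parse_rrs(zone_text):
        if owner == hidden:
            findings.append(f"{rtype} record owned by {owner} publishes the hidden master")
        elif rtype == "NS" and target == hidden:
            findings.append(f"NS record at {owner} delegates to the hidden master")
        elif rtype == "SOA" and target == hidden:
            findings.append(f"SOA MNAME at {owner} reveals the hidden master")
    return findings
```

Run `hidden_master_leaks(LEAKY_ZONE, "hidden.example.test")` to see all three leaks reported; the second zone, with the MNAME pointed at an exposed secondary as Kevin describes, comes back clean.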
 
A true hidden master will show one of the secondary servers as the master,
even though they are secondary of the hidden master.

Thanks Kevin. Just thinking...(ouch, ouch)... Not real sure the mname
even matters at that point. A client would only need a good mname to do an
update. I think this is true...would like to know any other need for it in
this case. Not sure it even needs to be resolvable.

Hidden masters and their secondary servers must also support notify.

May I ask why?
the secondary servers don't have a record for the master, the master must be
capable of notifying the secondary to do a zone transfer.

I think the secondaries just need to be able to do AXFR or IXFR using the
time tested methods of XFR. Notify would be optional I ~think. Let me know
if this is not the case.

Thanks Kevin. Cheers!
 
In
William Stacey said:
Right. AFAIK that is the only way you have to configure it. You need
to delete the primary NS record in the primary zone so the
secondaries don't get it during xfr.


Can change that to what you want.


It does and that is why I don't recommend this. It has similar
issues with using an AD zone for public use - also not recommended for
similar reasons. You can end up turning off all auto updates from
Netlogon, DNS, etc., and add all the (NS, SOA, etc.) manually and AD
won't keep changing them, but IMO this is hacking the machine and will
end up with more issues than you solve. If you have a "need" for this
with AD, why not set up a forward zone in the public server pointing
to the primary behind your firewall. I have never seen a need to
publish private names and IPs to the public side (unless these
"private" side records are actually public IPs in the DMZ or
something.)


Just to add, to change/delete the MNAME (or SOA) that gets registered in
the nameserver tab would require a reg entry. I've seen in some cases,
such as that post last week that you and I were helping in, where on a DNS
server with an AD Integrated zone, they were trying to do the same exact
thing, but the system would continue to auto register the name each time
they deleted it. The only way to get around it is to use the reg entry
to stop registration, and then manually create whatever entries you want for
the zone, such as the "exposed" nameservers and not this master name and IP.

But I guess in a perfect BIND world, some BIND folks won't accept this
method. Otherwise, the best to suggest is to create a Primary zone on the
"exposed" nameserver, which would be a physical copy of the zone on the
"hidden" nameserver and manually change the records accordingly.

I agree to keep private/mixed data on separate nameservers, and that
'hacking' the machine is administrative overhead.




--
Regards,
Ace

 
In
William Stacey said:
Thanks Kevin. Just thinking...(ouch, ouch)... Not real sure the
mname even matters at that point. A client would only need a good
mname to do an update. I think this is true...would like to know any
other need for it in this case. Not sure it even needs to be
resolvable.



May I ask why?

Secondary servers have two ways of getting zone updates.
1. using the MNAME record to connect to the primary name server. Problem is
in a hidden master scenario the MNAME record points to a secondary zone.
There are no records that actually point to the primary master.
2. The actual master server can notify the secondary servers to update their
records.

Hidden masters are exactly that, hidden, only the secondary servers can
connect to them but it is up to the hidden master to notify the secondary
servers to do a zone transfer. If the hidden master is on the SOA as the
primary name server then it is not a true hidden master.

I use a hidden master myself, there are no records for the primary, even the
SOA does not reflect the name of the master nameserver. I use the notify
option to notify the Secondary nameservers to do a zone transfer.
Without using notify, then you must use the master as Primary on the SOA.
 
1. using the MNAME record to connect to the primary name server. Problem is
in a hidden master scenario the MNAME record points to a secondary zone.
There are no records that actually point to the primary master. ....
I use a hidden master myself, there are no records for the primary, even the
SOA does not reflect the name of the master nameserver. I use the notify
option to notify the Secondary nameservers to do a zone transfer.
Without using notify, then you must use the master as Primary on the SOA.

Agree with the notify part. The mname part is, AFAICT, not 100%
accurate. The primary IP of the master (from the secondary zone) is not
zone data, it is stored in Bind and w2k as external metadata. For example
on bind it looks like:

zone "site2.example.com" {
type slave;
file "s/site2.example.com";
masters { 172.16.72.3; }; // <= Master IP not stored in zone data.
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};

W2k (by default) stores this data in the registry for std secondaries. The
MName could be a phony name that does not even resolve. I have tested this
between two w2k dns servers without issue. Not to say there would not be
other issues with this (not sure), just that the XFR mechanics do not rely
on the mname to contact the primary. Find this on w2k using dnscmd
/zoneinfo or the gui. Cheers!
 
Just to add, to change/delete the MNAME (or SOA) that gets registered in
the nameserver tab would require a reg entry. I've seen in some cases,

For non-AD zones, as you know, you can change the mname using the soa tab.
 
Thank you Ace for coming back...
-----Original Message-----
In a bind guy <[email protected]> posted their thoughts, then
The "other" side?
Hmm... so you're saying I'm in the dark?
I see...

Actually I meant you were on the greener side...
Maybe you're doing something wrong configuring it?

As William asked, post what you're doing and what you're seeing that is
making YOU come to the conclusion that MS DNS doesn't support this.

More on DDNS when using AD integrated zones.. not
configured anything yet, just trying to see what the
beloved MS DNS can do...
Let's see what you;re talking about. MS DNS is fine for the most part. The
only major thing different is "views" but that leads to mixing private and
public data on the same box, and as you seem to be a person of security
conscience, I'm sure you wouldn't want to mix private and public data on the
same machine anyway.
Views are available on BIND 9 and I think the majority of
BIND users are still with 8. Look, we are talking hidden
master and stealth slave, and you start to attack
views..;-)
 
-----Original Message-----
In William Stacey [MVP] <[email protected]> posted a question

Secondary servers have two ways of getting zone updates.
1. using the MNAME record to connect to the primary name server. Problem is
in a hidden master scenario the MNAME record points to a secondary zone.
There are no records that actually point to the primary master.
2. The actual master server can notify the secondary servers to update their
records.

Both of the above two are not true. The secondaries have
to know the IP of the primary to do xfr, and xfrs have to
be initiated by the secondaries, even with NOTIFY.
Without using notify, then you must use the master as Primary on the SOA.

Cannot agree with this. You can put anything you want
there, unless using DDNS.
 
Actually I meant you were on the greener side...

Nothing is farther from the truth, bind guy (??). Ace is one of the top people
you will find on w2k dns and/or AD issues.

Do you still have a question on this? I think we pointed out you can have a
hidden primary using w2k.
 
Yeah, thanks William. We all learn things through this
kind of discussion. I appreciate everyone's input.

I was thinking of a scenario where in a small scope I have
servers for apps, and then with a large environment I
have many users. I'd like to use AD integrated DDNS with
hidden masters for security and simplicity, and then on
the user environment to use the standard secondaries, to
provide the DNS services. This could be for an ASP or
just the internal side of an enterprise env....

It seems, based on the discussion so far, that using AD
integrated with DDNS, this kind of implementation does
have some difficulties, right?
 
In
a bind guy said:
Both of the above two are not true. The secondaries have
to know the IP of the primary to do xfr, and xfrs have to
be initiated by the secondaries, even with NOTIFY.


Cannot agree with this. You can put anything you want
there, unless using DDNS.

I believe the point of the whole thing is that you want to hide the master.
With a Primary zone or AD Integrated zone, they will self-register their
nameserver names in the nameserver tab, which effectively winds up being the
SOA and the MNAME to a secondary. As I mentioned earlier, you could force it
not to register with a reg entry. Then manually enter your other two
nameserver names, and just allow zone transfers to those boxes.

The other method I guess would be to manually create a shadow copy of the
zone eliminating these reg entries, but then you would need to manually
update it when things change.

I know that's not what you wanted to hear...

--
Regards,
Ace

 
In
William Stacey said:
Nothing is farther from the truth, bind guy (??). Ace is one of the top
people you will find on w2k dns and/or AD issues.

Do you still have a question on this? I think we pointed out you can
have a hidden primary using w2k.


Thanks for the plug William!
:-)
--
Regards,
Ace

 
In
a bind guy said:
Yeah, thanks William. We all learn things through this
kind of discussion. I appreciate everyone's input.

I was thinking of a scenario where in a small scope I have
servers for apps, and then with a large environment I
have many users. I'd like to use AD integrated DDNS with
hidden masters for security and simplicity, and then on
the user environment to use the standard secondaries, to
provide the DNS services. This could be for an ASP or
just the internal side of an enterprise env....

It seems, based on the discussion so far, that using AD
integrated with DDNS, this kind of implementation does
have some difficulties, right?

Unfortunately, yes. As my old real estate agent said when we bought the
house, we need to do a little creative financing to get it... same here with
MS DNS, need to think a bit creatively with MS DNS....

:-)




--
Regards,
Ace

 