Advice needed on creating a stealth / hidden DNS server
Spin
My company has a split-DNS setup and runs some additionally zones as well
(Microsoft AD for internal and BIND for external). Management wants a
"single pane of glass to see a listing of every IP address "on the network"
vice having to go to one of several different zone files on several
different DNS servers to find some host name. My solution (in my head so
far) is this:
Install a fresh DNS server. Make this fresh DNS server a "stealth" DNS
server in that it's existence won't be published to clients (as in client
revolvers)> However, all current DNS zones will be modified to point to
this DNS server as an additional server in it's zone so that they will
"notify" it of zone updates and hence send it information regarding newly
added hosts any administrator adds to any existing zones.
Thoughts?
--
Spin
![Ace Fekay [Microsoft Certified Trainer]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjXqqVhI7EaT7_gXkhFKCFQ8nhaZIbo-OzClrbzK6ofJwb4uPA=s40-c)
Ace Fekay [Microsoft Certified Trainer]
Spin <Sp...@invalid.com>, posted the following:
You can make this new DNS server host secondary zones for all of your zones.
If you are using AD integrated zones for all of your zones, choose one of
your DNS servers and configure each zone on that one server to allow zone
transfer to it. On the new server, specify the DNS server you chose to be
the master.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer
ace...@mvps.RemoveThisPart.org
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Spin
wrote in message news:%23%23taktJl...@TK2MSFTNGP03.phx.gbl...
> You can make this new DNS server host secondary zones for all of your
> zones. If you are using AD integrated zones for all of your zones, choose
> one of your DNS servers and configure each zone on that one server to
> allow zone transfer to it. On the new server, specify the DNS server you
> chose to be the master.
Ace, should the new server that I build (the "hidden" one) be the Master or
will one of the original servers be Master? My internal zone is
AD-integrated which means all of them are masters.
Ace Fekay [Microsoft Certified Trainer]
> Master or will one of the original servers be Master? My internal
> zone is AD-integrated which means all of them are masters.
Hi Spin,
The new "hidden" one will only host secondary zones. After all, since the
internal zone is AD integrated, there is no way that the new one can be
Master anyway, correct? After all, all DCs that fall in the scope of the
zone's replication scope, follow the multi-master model. Unless of course
you would make it a DC, but I do not think that is your intention?
Ace
Spin
> Hi Spin,
>
> The new "hidden" one will only host secondary zones. After all, since the
> internal zone is AD integrated, there is no way that the new one can be
> Master anyway, correct? After all, all DCs that fall in the scope of the
> zone's replication scope, follow the multi-master model. Unless of course
> you would make it a DC, but I do not think that is your intention?
You are correct, I do not intend to make this "hidden" DNS server a DC, it
will only host Secondary zones. In sum, I should make this "hidden" DNS
server a Secondary/Slave to all others, correct?
Ace Fekay [Microsoft Certified Trainer]
> DC, it will only host Secondary zones. In sum, I should make this
> "hidden" DNS server a Secondary/Slave to all others, correct?
Yes, but not to "all others." Keep in mind, a secondary zone cannot have
multiple masters. Choose only one DC that you want to use as the Master. By
default, zone transfers are not permitted. On that DC alone, go into DNS,
and in each and every zones' properties, allow zone transfers to the new
one.
Ace