
"Hidden master" is the term given to a special DNS configuration that protects the master DNS server from attack. This configuration conflicts with the expected standard configuration and registration process, and will often confuse inexperienced DNS administrators. As if this weren't enough, it relies on an Internet connection, a carefully configured DNS server AND a properly configured firewall all working together. There is a lot that can go wrong with this configuration, most of which has nothing to do with the DNS server itself. Once any DNS problems start, it is nearly impossible to determine the real cause.

For ALL of these reasons, hidden master DNS configurations are often not supported by Internet Service Providers who provide DNS services, and you should think long and hard before setting it up yourself.

A hidden master is a DNS server placed behind a firewall that is not listed at the registrar or the root DNS servers. This server is the primary authoritative server, which means it holds the complete zone file for a given domain in its configuration files. This master is not registered at the InterNIC or any other registrar, and the firewall is configured so that only one or two other machines can reach it using DNS.

Even protected by the firewall, your domain's authoritative DNS server is not immune to attack, but because it is not publicly listed, the slave DNS servers are the more likely targets. Combining a hidden master with the use of your ISP's DNS servers as your secondaries creates a more defensible DNS configuration. Your ISP is better equipped to deal with DoS attacks and hacking attempts, and is more likely to spot cache corruption and other problems. Your ISP's servers, configured as slave (secondary) DNS servers, pull your domain's zone file from the hidden master by zone transfer, just as a secondary DNS server normally does.

To reiterate: the oddity in this setup is that the primary authoritative server is not registered at the DNS root (InterNIC). Rather, the secondary servers are listed. In this way, the secondary servers are available for resolution, but if they are hacked, the damage that can be done is limited.
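The configuration described above, as an added example that is not part of the original InetDaemon.com tutorial: a shell script that emits a BIND 9 `named.conf` and zone file for the hidden master, the matching zone stanza for one of the ISP's secondaries, and the host firewall rules that let only those secondaries reach port 53. Every name and address in it is a constructed placeholder (`example.com`, `ns1.isp.example`, and addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges); the assumption that the SOA MNAME names a public secondary rather than the hidden master is mine, so the master's name never appears in published zone data.

```shell
#!/bin/sh
# Added example (not InetDaemon.com's code): hidden-master BIND 9 setup.
# All names and addresses below are constructed placeholders.
set -eu

HIDDEN_MASTER=198.51.100.5   # assumed: the master behind the firewall
SECONDARY1=192.0.2.10        # assumed: ISP's first public secondary (ns1.isp.example)
SECONDARY2=192.0.2.11        # assumed: ISP's second public secondary (ns2.isp.example)
ZONE=example.com

# named.conf for the hidden master: only the secondaries may query it or pull
# zone transfers, and NOTIFY goes only to them (never to the NS set of the zone,
# which deliberately does not include this host).
hidden_master_named_conf() {
    cat <<EOF
acl "secondaries" { ${SECONDARY1}; ${SECONDARY2}; };

options {
    directory "/var/named";
    recursion no;                       // authoritative only, no recursive service
    allow-query { secondaries; };       // nobody else needs answers from the master
    allow-transfer { secondaries; };    // AXFR/IXFR restricted to the ISP's servers
    notify explicit;                    // do not NOTIFY every NS in the zone...
    also-notify { ${SECONDARY1}; ${SECONDARY2}; };  // ...only the listed secondaries
};

zone "${ZONE}" IN {
    type master;                        // spelled "primary" in BIND 9.16 and later
    file "${ZONE}.zone";
};
EOF
}

# Zone file on the hidden master: the NS records and the SOA MNAME name only the
# public secondaries, so the delegation at the registrar matches these and the
# hidden master is never referenced in public DNS data.
hidden_master_zone_file() {
    cat <<EOF
\$TTL 3600
@   IN SOA ns1.isp.example. hostmaster.${ZONE}. (
        2024010101 ; serial
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; negative-answer TTL
    IN NS   ns1.isp.example.
    IN NS   ns2.isp.example.
    IN A    192.0.2.80
EOF
}

# Zone stanza for one of the ISP's secondaries: it knows the hidden master's
# address privately and pulls the zone from it, while being the server that the
# registrar actually lists.
secondary_named_conf() {
    cat <<EOF
zone "${ZONE}" IN {
    type slave;                         // spelled "secondary" in BIND 9.16 and later
    masters { ${HIDDEN_MASTER}; };      // pull transfers from the hidden master only
    file "slaves/${ZONE}.zone";
};
EOF
}

# Host firewall on the hidden master: DNS over UDP and TCP 53 from the
# secondaries only (TCP is needed for zone transfers). The rules are printed for
# review rather than applied; pipe the output to sh on the master to install them.
hidden_master_firewall_rules() {
    for src in "$SECONDARY1" "$SECONDARY2"; do
        echo "iptables -A INPUT -p udp --dport 53 -s $src -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport 53 -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 53 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 53 -j DROP"
}

# Usage: ./hidden-master.sh show   (emit every artifact to stdout for review;
# redirect each function's output to its real path when deploying)
if [ "${1:-}" = "show" ]; then
    hidden_master_named_conf
    hidden_master_zone_file
    secondary_named_conf
    hidden_master_firewall_rules
fi
```

The point to check after deploying is the one the tutorial stresses: the registrar's delegation must list exactly the secondaries in the zone's NS records, and nothing but those secondaries should be able to reach the master on port 53. If a transfer fails, the firewall and the `allow-transfer` ACL are the first two places to look, not the zone file.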
