Hello all! An idea I have been toying with, and one I unfortunately cannot test in my lab, is a DNS design where the primary or master name server outside of my security perimeter is not advertised. Given the fact that my secondaries are also my firewalls, I am trying to force anyone attempting to "hack" DNS to do it to the most secure boxes I have, or at least the ones that keep the best logs. The "World" would only see NS and SOA records pointing to my slave name servers, while my primary is restricted to doing TCP 53 zone xfers to those secondaries with no queries allowed. I know that zone xfers don't check to see if the master is actually the master, but would the master care if his own zone files don't show him as authoritative? Any other gotchas that anyone can think of in this scenario?

By the way, policy prohibits the master from residing on the firewalls, so I am stuck with this. All boxes are running BIND 8.2.2 or something compatible with it.

Mickey
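The hidden-primary layout described above, written out as an added example of BIND 8/9 named.conf and zone-file fragments; this is not the poster's configuration. Hostnames (master.internal.example, ns1/ns2.example.net), addresses (10.0.0.53, 192.0.2.1, 192.0.2.2) and the zone name are constructed placeholders. The comments mark the two places where the plan as stated would break: secondaries check the SOA serial with an ordinary (UDP) query before each refresh, so the primary cannot refuse all queries and the firewall cannot allow only TCP 53; and BIND leaves the host named in the SOA MNAME out of the NOTIFY set, so a secondary used as MNAME has to be named in also-notify.

```conf
// ---- named.conf on the hidden primary (master.internal.example, 10.0.0.53) ----
// Constructed example: hosts and addresses are placeholders.
acl secondaries { 192.0.2.1; 192.0.2.2; };   // the two firewall/secondary name servers

options {
    directory "/var/named";
    recursion no;
    // The world gets nothing; the secondaries still need SOA refresh queries
    // (UDP 53) and AXFR (TCP 53), so allow-query { none; } would break refresh.
    allow-query { secondaries; };
    allow-transfer { secondaries; };
};

zone "example.net" {
    type master;
    file "db.example.net";
    notify yes;
    // BIND skips the SOA MNAME host when building the NOTIFY set, so the
    // secondary that MNAME points at must be listed here or it never hears
    // about changes until its refresh timer fires.
    also-notify { 192.0.2.1; };
    allow-transfer { secondaries; };
    allow-query { secondaries; };
};

// ---- named.conf on each advertised secondary (ns1 / ns2.example.net) ----
zone "example.net" {
    type slave;
    file "bak.example.net";
    masters { 10.0.0.53; };          // the hidden primary, never published in zone data
    allow-transfer { secondaries; }; // or { none; } if the secondaries need not feed each other
    allow-query { any; };
};

; ---- db.example.net on the hidden primary (constructed zone data) ----
; SOA MNAME and every NS record name only the advertised secondaries. BIND does
; not require the server loading a zone to appear in that zone's own NS set.
$TTL 86400
@   IN  SOA ns1.example.net. hostmaster.example.net. (
            2002030101 ; serial
            3600       ; refresh
            900        ; retry
            1209600    ; expire
            3600 )     ; minimum
    IN  NS  ns1.example.net.
    IN  NS  ns2.example.net.
ns1 IN  A   192.0.2.1
ns2 IN  A   192.0.2.2
```

The secondaries pull from whatever address is in `masters`, which is exactly the point raised about transfers not verifying the master through DNS: the trust is in that address list and the firewall rule behind it, not in the NS records. With this split, a change on the primary reaches the world only after NOTIFY (or refresh) and a successful AXFR, so checking that the SOA serial on ns1 and ns2 matches the primary's after each edit is the operational check that the hidden path is still working.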