How to Set up a 'hidden primary' DNS

I just had to guide a friend of mine through the setup of a ‘hidden primary’ or ‘hidden master’ via mail, so I thought I’d also post a quick summary here to keep my blog alive.

First off: a ‘hidden primary’ setup uses one server for all zone-file changes that isn’t listed anywhere and doesn’t get any queries from clients, and two or more ‘slaves’ that do the actual work. Have a look at this example zone file:

$ORIGIN unixhosts.org.
unixhosts.org.   IN   SOA   amy.unixhosts.org.   hostmaster.unixhosts.org. (
                                         201102111       ; serial
                                         3h              ; refresh
                                         1m              ; retry
                                         1w              ; expire
                                         1m)             ; minimum

 IN              NS              ns.inwx.de.
 IN              NS              ns2.inwx.de.
 IN              NS              ns3.inwx.de.

The host amy.unixhosts.org is my ‘hidden primary’. As you can see, it’s not listed as NS, so it won’t get queries from actual client resolvers. ns.inwx.de, ns2.inwx.de and ns3.inwx.de are my name servers for this zone, configured as slaves.
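The property that makes the primary ‘hidden’ is that the SOA MNAME host never appears in the apex NS set. The following is an added Python check (not part of the original post) that parses the zone file above, using a constructed copy of it, and reports whether that holds; the small parser only covers the syntax the example uses ($ORIGIN, ‘;’ comments, a parenthesised SOA and blank-owner inheritance).

```python
# Constructed copy of the post's zone file; the SOA MNAME is the hidden primary.
ZONE = """\
$ORIGIN unixhosts.org.
unixhosts.org.   IN   SOA   amy.unixhosts.org.   hostmaster.unixhosts.org. (
                                         201102111       ; serial
                                         3h              ; refresh
                                         1m              ; retry
                                         1w              ; expire
                                         1m)             ; minimum

 IN              NS              ns.inwx.de.
 IN              NS              ns2.inwx.de.
 IN              NS              ns3.inwx.de.
"""

def parse_zone(text):
    """Minimal zone parser: $ORIGIN, ';' comments, a parenthesised multi-line
    record, and a blank owner (leading whitespace) that inherits the previous one.
    Returns (origin, [(owner, [tokens after the owner]), ...])."""
    origin, owner, rec_owner, records, acc, depth = None, None, None, [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop trailing comment
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.replace("(", " ( ").replace(")", " ) ").split()
        if not acc:                               # first line of a record
            if not line[0].isspace():
                owner = tokens.pop(0)             # explicit owner name
            rec_owner = owner                     # blank owner inherits
        acc += [t for t in tokens if t not in ("(", ")")]
        depth += line.count("(") - line.count(")")
        if depth == 0:                            # record is complete
            records.append((rec_owner, acc))
            acc = []
    return origin, records

def hidden_primary_check(text):
    """Report the SOA MNAME, serial and apex NS set, and whether the MNAME host
    is absent from the NS set (what makes it a hidden primary)."""
    origin, records = parse_zone(text)
    mname, serial, ns = None, None, set()
    for owner, toks in records:
        if "SOA" in toks:
            i = toks.index("SOA")
            mname, serial = toks[i + 1], int(toks[i + 3])
        elif "NS" in toks and owner == origin:
            ns.add(toks[toks.index("NS") + 1])
    return {"mname": mname, "serial": serial, "ns": sorted(ns), "hidden": mname not in ns}

if __name__ == "__main__":
    print(hidden_primary_check(ZONE))
```

Running it against a zone that does list the MNAME host as NS flips `hidden` to False, which is the misconfiguration to watch for.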

The ‘hidden primary’ config looks like:

zone "unixhosts.org" {
    type master;
    file "master/unixhosts.org";
    // only hosts matching these ACLs (defined elsewhere in named.conf) may transfer the zone
    allow-transfer { unixhosts; inwx; };
    // slave addresses to send NOTIFY to when the serial changes
    also-notify { 10.0.1.1; 10.0.2.1; 10.0.3.1; };
};

Whereas a ‘slave’ config looks like:

zone "unixhosts.org" {
    type slave;
    file "slave/unixhosts.org";
    // address of the hidden primary the zone is pulled from
    masters { 10.0.0.1; };
    // who may transfer the zone from this slave (ACL defined elsewhere)
    allow-transfer { clients; };
};

If your infrastructure isn’t large enough to take responsibility for 3 public DNS servers, you might want to have a look at InterNetworX. I’ve been running their servers as ‘slaves’ for a few months now. Their support team is great and I haven’t had any issue in years!