<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 17, 2019 at 11:54 AM Mike <<a href="mailto:mike%2Blists@yourtownonline.com">mike+lists@yourtownonline.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> I have a working hidden (super)master / slave arrangement where the<br>
slaves learn about their zones from the supermaster and axfr. This works<br>
as expected. I was thinking however that it might be an extra bit of<br>
hardening if I could protect certain things, such as zone transfers and<br>
slave SOA checks, with a vpn. I know that tsig will protect zone<br>
transfers, but for confidentiality across untrusted networks the vpn<br>
would be perfect. Also, SOA checks themselves have no confidentiality<br>
or integrity, so spoofed UDP can be injected here too. Maybe not the<br>
biggest fire, but just thinking what can be done here....<br>
<br>
Ideally, what I'd want is for the hidden master and the slaves all<br>
to have a vpn between them, with the master and slaves having a shared<br>
private internal ip address range between them. This is easy to do with<br>
OpenVPN. The missing part seems to be the ability to explicitly state<br>
which source ip the master will use to notify the slaves. Maybe it's a<br>
different source IP per slave, in some setups. It would further be nice<br>
to tell the server to not even bother sending notifies to the NS records<br>
of the zone and instead use only an explicit notify list, also<br>
possibly per zone.<br></blockquote><div></div><div><div><br></div><div>My setup is similar. I've configured the slaves with the setting</div><div> allow-notify-from=&lt;master IP(s) (subnet)&gt;</div><div><br></div><div>And the master with</div><div> only-notify=&lt;private IP subnet&gt;</div><div> allow-axfr-ips=&lt;master IP(s)&gt;</div><div> also-notify=&lt;slave IPs on private IP subnet&gt;<br></div><div><br></div><div>Sending
packets to an IP that is local to the host (e.g. OpenVPN tunnel device)
should happen with the source address on that interface by default and you should not need any routing fu.</div><div>This won't really allow you to set it per zone, though.</div></div><div><br></div><div>HTH <br></div></div></div>