A new feature in the VitalQIP product gives DNS administrators great flexibility in configuring stealth name servers on a zone-by-zone basis. This article documents how to configure the feature using the thick client(s), as well as how to configure it for a large number of zones using SQL. Currently, there doesn't appear to be a CLI that can configure stealth name servers, so we'll demonstrate how this can be done in SQL instead. A CLI should be created to support stealth name server configuration.
Performing SQL writes to your VitalQIP database may be harmful. Please ensure that the database is backed up before commencing any SQL updates and/or writes to the database. Netlinx, Inc. makes no warranty on the following SQL sequences documented in this article.
Part I - Configuring Stealth Servers using the GUI
Using your thick client GUI (Windows or Motif), open a forward or reverse zone from the hierarchy of the current VitalQIP organization. Select the "Primary/Secondary Servers" tab from the domain profile. Suppose we have two name servers, ns1 and stealth1, that are master authoritative name servers for a fictitious zone called acme.com. To make stealth1 a hidden master, click on the + icon to "explode" or expand the options below that server. Three top-level options are displayed at that point:
- Stealth Server - (boolean) defaults to false
- BIND-9.X Options - "Use Zone Value"
- Address - set to the current address of the name server's object address in QIP
To make the server a stealth name server, set "Stealth Server" to True. At this point, QIP will stop generating NS records for this server, thus making it hidden from the rest of the DNS servers and clients. Note that once this option is set to True, additional lower-level options become available dynamically. Click on the "+" to further expand these lower-level options. The next option that appears is "Override Server Name in SOA" (boolean), which is set to "false". This option allows us to change the value of the mname field in the SOA record for our acme.com zone. Essentially, this allows the server not only to be a hidden master, but also to masquerade as another name server. If this value is changed to "true", an additional text entry field, "Override Server Name", becomes available for entering the fully-qualified domain name of the DNS server we wish to masquerade as. Once the new server name has been typed into the configuration, click OK to save the profile.
Part II - Configuring Stealth Servers using SQL
In this next section, we will configure one zone with a hidden master named stealth-ns.acme.com to masquerade as ns2.acme.com. Before this can be done, two pieces of information are required. First, we'll need the ID of the zone that we want to perform this on. Remember that the ID of the zone can be either the DOMAIN.DOMN_ID or it can be the REVERSE_ZONES.ZONE_ID. You could get this by:
SELECT domn_id FROM domain WHERE domn_name = 'acme.com'
Once the domain ID has been obtained, the next piece of data we need is the ID of the name server that we are configuring as a stealth server. This can be done by:
SELECT server_id FROM srvrs WHERE server_name = 'stealth-ns' AND group_name = 'DNS'
We now have enough information to build our SQL code to configure stealth-ns as a stealth server to impersonate ns2.acme.com. To perform our configuration, it is assumed that you are logged in to the database as the database owner, 'qipadmin'. Use the following SQL to perform the desired configuration assuming our zone_id = 121 and our server_id = 4:
UPDATE zoneopt_values SET value = 'True' WHERE owner = 121 AND owner2 = 4 AND owner_type = 48 AND parm_id = 2291
Then...
INSERT INTO zoneopt_values VALUES (121,4,48,2292,'True',0,NULL)
INSERT INTO zoneopt_values VALUES (121,4,48,2293,'ns2.acme.com.',0,NULL)
INSERT INTO srvr_zone_options VALUES (121,60,4,2291,0,'Stealth Server','True',NULL,0)
INSERT INTO srvr_zone_options VALUES (121,60,4,2292,0,'Override Server Name in SOA','True',NULL,0)
INSERT INTO srvr_zone_options VALUES (121,60,4,2293,0,'Override Server Name','ns2.acme.com.',NULL,1)
I noted that some of these fields will be dynamically inserted into the database when you use the GUI to expose the various settings, so it is recommended that you remove rows from both the zoneopt_values and srvr_zone_options tables that match the zone_id you are going to configure. By doing that, you can then do straight INSERTs without having to worry about duplicate key constraint errors.
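Whichever method is used, the generated zone data can be checked for the two effects described above: no NS record for the stealth server, and an SOA mname equal to the override name. The following is an added example, not part of VitalQIP or the original article; the function names and the zone text are constructed for illustration, and it assumes one record per line with a numeric TTL.

```python
# Added example (not VitalQIP code): audit zone data for a hidden-master setup.
# Assumes one record per line: owner [ttl] [IN] type rdata...

def _fqdn(name, origin):
    """Normalise an owner or target name to a lowercase absolute name."""
    name = name.strip().lower()
    origin = origin.lower().rstrip(".") + "."
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_records(zone_text, origin):
    """Yield (owner, rtype, rdata_fields) for each record line."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenise
        if len(fields) < 3 or fields[0].startswith("$"):
            continue                             # blank line or $ORIGIN/$TTL
        i = 1                                    # skip optional TTL and class
        while i < len(fields) - 1 and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        yield _fqdn(fields[0], origin), fields[i].upper(), fields[i + 1:]

def check_stealth(zone_text, origin, stealth_server, override_name):
    """Return a list of findings; an empty list means the zone looks correct."""
    apex, stealth, expected = (
        _fqdn(n, origin) for n in ("@", stealth_server, override_name))
    findings, soa_seen = [], False
    for owner, rtype, rdata in parse_records(zone_text, origin):
        if owner != apex or not rdata:
            continue                             # only apex NS/SOA matter here
        target = _fqdn(rdata[0], origin)
        if rtype == "NS" and target == stealth:
            findings.append(f"NS record still advertises {stealth}")
        elif rtype == "SOA":
            soa_seen = True
            if target == stealth:
                findings.append(f"SOA mname exposes {stealth}")
            elif target != expected:
                findings.append(f"SOA mname is {target}, expected {expected}")
    if not soa_seen:
        findings.append("no SOA record found at the zone apex")
    return findings

# Constructed sample: a zone where the stealth settings were NOT applied.
SAMPLE_ZONE = """\
@ 3600 IN SOA stealth-ns hostmaster 2024010101 10800 3600 604800 3600
@ 3600 IN NS ns1
@ 3600 IN NS stealth-ns   ; should have been suppressed
"""
```

Calling check_stealth(SAMPLE_ZONE, "acme.com", "stealth-ns", "ns2.acme.com.") returns two findings for the sample; a correctly generated zone returns an empty list.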