This tutorial explains what stealth nameserver records are.
Stealth nameserver records are sent when the authoritative zone file has been delegated to a different pair of nameservers.
For example, at the registrar, I delegate the following nameservers for myfastdotdomain.com:
ns1.fastdot.com.au
ns2.fastdot.com.au
However, when a user queries the nameservers, they inform the user that the zone has been delegated elsewhere under the following nameservers:
ns1.myfastdotdomain.com
ns2.myfastdotdomain.com
The user then queries the delegated nameservers for the appropriate records and the lookup is completed.
Additional Information
1. Although Stealth NS records are valid, they can sometimes indicate a problem in your zone configuration.
For example, Stealth NS records can be sent if only two of your three ‘hypothetical’ nameservers are configured at the registry while all three are assigned as authoritative within your zone file; the third nameserver will then be sent as a Stealth NS record.
2. Stealth NS records can be created by using the NS resource record in your zone file. Here is an example of how your zone file might look if you had stealth NS records:
At the registrar:
myfastdotdomain.com. IN NS ns1.fastdot.com.au.
myfastdotdomain.com. IN NS ns2.fastdot.com.au.
In the zone file:
myfastdotdomain.com. IN NS ns1.myfastdotdomain.com.
myfastdotdomain.com. IN NS ns2.myfastdotdomain.com.
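The comparison described above can be automated when auditing a zone. The following Python is an added example, not part of the original tutorial: it parses NS records in zone-file form and reports which nameservers are stealth (published in the zone but not delegated at the registrar) and which are delegated but missing from the zone. The function names, ns3.fastdot.com.au and the address 192.0.2.10 are constructed for illustration.

```python
# Added example: find stealth NS records by comparing the delegation held at
# the registrar/parent with the NS records published in the zone itself.

def absolute(name, origin):
    """Lower-case a name and complete a relative one with the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def ns_targets(text, zone):
    """Collect NS targets owned by the zone apex from zone-file style lines."""
    origin = zone.lower().rstrip(".") + "."
    targets = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop trailing comments
        types = [f.upper() for f in fields]
        if "NS" not in types[1:-1]:                 # need owner, NS and a target
            continue
        i = types.index("NS", 1)
        if absolute(fields[0], origin) == origin:   # ignore child delegations
            targets.add(absolute(fields[i + 1], origin))
    return targets

def compare(parent_text, zone_text, zone):
    """Classify nameservers by where they are listed."""
    delegated = ns_targets(parent_text, zone)
    published = ns_targets(zone_text, zone)
    return {
        "stealth": sorted(published - delegated),         # zone only
        "delegated_only": sorted(delegated - published),  # registrar only
        "consistent": delegated == published,
    }

# Constructed sample data: two nameservers at the registrar, three in the zone.
PARENT = """
myfastdotdomain.com. IN NS ns1.fastdot.com.au.
myfastdotdomain.com. IN NS ns2.fastdot.com.au.
"""
ZONE = """
@ 3600 IN NS ns1.fastdot.com.au.
@ 3600 IN NS NS2.fastdot.com.au.   ; names compare case-insensitively
@ 3600 IN NS ns3.fastdot.com.au.   ; constructed third nameserver
www IN A 192.0.2.10
"""

if __name__ == "__main__":
    print(compare(PARENT, ZONE, "myfastdotdomain.com"))
```

A non-empty "delegated_only" list is the more serious finding, since resolvers are being referred to a server the zone itself does not list as authoritative.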
What are Stealth Nameserver Records?
“Stealth nameserver records” refer to a technique used to obscure or hide the actual nameservers associated with a domain. This technique is employed to add an extra layer of security and privacy to the domain’s DNS infrastructure.
In a typical DNS setup, the nameservers associated with a domain are publicly visible and can be queried by anyone. This transparency allows for the resolution of domain names and the mapping of IP addresses. However, it also makes the nameservers susceptible to various types of attacks, such as distributed denial-of-service (DDoS) attacks or direct targeting.
To mitigate these risks, stealth nameserver records can be used. The concept involves configuring a set of “hidden” nameservers that are not publicly listed or easily discoverable. Instead, publicly accessible nameservers act as intermediaries or proxies to forward DNS queries to the hidden nameservers.
The process typically involves the following steps:
1. Creation of hidden nameservers: The hidden nameservers are set up with unique IP addresses that are not associated with the domain and are not publicly known.
2. Configuration of public nameservers: The public nameservers, which are publicly known and listed for the domain, are configured to act as intermediaries. They receive DNS queries from clients and then forward those queries to the hidden nameservers.
3. DNS resolution process: When a DNS query is made for the domain, it is sent to the public nameservers. The public nameservers forward the query to the hidden nameservers, which provide the actual DNS resolution. The response is then relayed back to the client through the public nameservers.
By employing stealth nameserver records, the true identities and IP addresses of the hidden nameservers remain concealed, reducing their exposure to potential attacks. This technique can make it more challenging for attackers to directly target and compromise the domain’s DNS infrastructure.
It’s important to note that stealth nameserver records require careful configuration and management to ensure proper functionality and security. They are typically implemented by domain owners or administrators who prioritize enhanced security and privacy for their DNS infrastructure.