Short Description

A non-public primary manages writes while public secondaries answer internet queries.

Why This Matters

Keeping the primary off the public internet reduces the attack surface of the source-of-truth management plane: the server where the zone is edited and signed is never the one answering arbitrary queries.

How It Happens

Public secondaries pull the zone via AXFR/IXFR from the non-public primary, whose transfer ACLs admit only those secondaries.

How to Detect It

Review the SOA MNAME pattern (a hidden primary shows a name that is not in the public NS set), the transfer ACLs on every authoritative server, and the public NS topology.

How to Fix It

Restrict transfers, secure update channels, and automate serial/signing operations.
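The following script is an added example written for this page, not DNS Panopticon's own code, and it illustrates both the detection step (SOA MNAME versus the public NS set) and the fix step (a weak BIND `allow-transfer` ACL beside a corrected one). The zone `example.com`, the host names, the addresses, and the TSIG key name `xfer-key` are constructed sample values; the dig-style answer lines and the `named.conf` fragments are constructed too, so the script runs offline.

```python
"""Offline review of hidden-primary hygiene.

Two checks from the text above:
  1. Is the SOA MNAME absent from the public NS set (i.e. the primary is hidden)?
  2. Do BIND allow-transfer statements restrict zone transfers, ideally with a TSIG key?
All inputs are constructed samples for illustration.
"""
import re

# Constructed dig-style answer lines for example.com (not real data).
PUBLIC_ANSWERS = """
example.com. 3600 IN SOA hidden-primary.internal.example.com. hostmaster.example.com. 2024060101 7200 900 1209600 300
example.com. 3600 IN NS ns1.example.net.
example.com. 3600 IN NS ns2.example.net.
"""

# Constructed BIND 9 zone stanzas: weak ACL first, corrected ACL second.
WEAK_NAMED_CONF = """
zone "example.com" {
    type secondary;
    primaries { 203.0.113.10; };
    allow-transfer { any; };
};
"""

FIXED_NAMED_CONF = """
zone "example.com" {
    type secondary;
    primaries { 203.0.113.10 key xfer-key; };
    allow-transfer { none; };
};
"""


def parse_rrs(text):
    """Return (soa_mname, set_of_ns_names) from dig-style RR lines."""
    mname, ns = None, set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        if parts[3] == "SOA":
            mname = parts[4].rstrip(".").lower()
        elif parts[3] == "NS":
            ns.add(parts[4].rstrip(".").lower())
    return mname, ns


def primary_is_hidden(answer_text):
    """True when the SOA MNAME names a host that is not one of the public NS."""
    mname, ns = parse_rrs(answer_text)
    return mname is not None and mname not in ns


ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}", re.S)


def transfer_acl_findings(named_conf):
    """List policy problems found in allow-transfer statements."""
    findings = []
    matches = list(ACL_RE.finditer(named_conf))
    if not matches:
        # Do not rely on the server default; state the policy explicitly.
        findings.append("no allow-transfer statement; set one explicitly")
    for m in matches:
        entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
        if "any" in entries:
            findings.append("allow-transfer permits any client")
        elif entries and entries != ["none"] and not any(
            e.startswith("key ") for e in entries
        ):
            # Source-IP-only ACLs are weaker than TSIG-authenticated transfers.
            findings.append("allow-transfer relies on source IP only (no TSIG key)")
    return findings


def audit(answer_text, named_conf):
    """Combine both checks into one report dictionary."""
    return {
        "primary_hidden": primary_is_hidden(answer_text),
        "transfer_findings": transfer_acl_findings(named_conf),
    }


if __name__ == "__main__":
    print("weak:", audit(PUBLIC_ANSWERS, WEAK_NAMED_CONF))
    print("fixed:", audit(PUBLIC_ANSWERS, FIXED_NAMED_CONF))
```

Run it as-is to compare the two stanzas; to apply it to your own zone, replace the constructed answer lines with the SOA and NS records your public resolvers return and point `transfer_acl_findings` at the real zone stanzas. An empty findings list together with `primary_hidden` being true is the state the "How to Fix It" step aims for.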

Real-World Example

Hidden primary isolation protected zone management during a public DDoS event.

Related Checks in DNS Panopticon

Transfer exposure and authoritative-role mapping checks.

How DNS Panopticon Detects This

  • Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
  • Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
  • Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
  • Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.

Operator Checklist

  • Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
  • Make one change at a time, capture before/after query output, and wait for TTL windows to clear so you can confirm impact.
  • Document the root cause and the final fix in your runbook to shorten future incidents.