Protecting a Slave Name Server from Abuse

3.10.1 Problem

You want to protect a slave name server from abuse by the maintainers of the zone.

3.10.2 Solution

Use the BIND 9 min-refresh-time, min-retry-time, max-transfer-time-in, max-transfer-idle-in, and additional-from-auth substatements.

min-refresh-time and min-retry-time are useful in guarding against the zone's administrator's either accidentally or deliberately setting his zone's refresh or retry times too low. For example:

zone "bar.example" {
 type slave;
 masters {; };
 file "";
 min-refresh-time 3600; // 1 hour minimum refresh

max-transfer-time-in and max-transfer-idle-in allow you to specify how long the name server will wait for a transfer of the zone to complete, and how long it will wait while the transfer is idle (i.e., isn't making progress). For example:

 directory "/var/named";
 max-transfer-time-in 1800; // max transfer time 30 minutes
 max-transfer-idle-in 900; // max transfer idle 15 minutes

Finally, in order to keep the name server from adding records to the additional data section of responses that come from slave zones, use the additional-from-auth options substatement

options {
 directory "/var/named";
 additional-from-auth no;

3.10.3 Discussion

You can use min-refresh-time and min-retry-time as options or zone substatements. As a zone substatement, the limit applies only to that zone. As an options substatement, the limit applies to all zones that don't have an explicit limit.

3.10.4 See Also

Section 1.17 for instructions on configuring a name server as a slave for a zone and "Zone Transfers" in Chapter 10 of DNS and BIND.

Getting Started

Zone Data

BIND Name Server Configuration

Electronic Mail

BIND Name Server Operations

Delegation and Registration


Interoperability and Upgrading

Resolvers and Programming

Logging and Troubleshooting


DNS & BIND Cookbook
DNS & BIND Cookbook
ISBN: 0596004109
EAN: 2147483647
Year: 2005
Pages: 220
Authors: Cricket Liu © 2008-2020.
If you may any questions please contact us: