Configuring an Authoritative-Only Name Server

7.6.1 Problem

You want to configure an "authoritative-only" or nonrecursive name server.

7.6.2 Solution

Disable recursion with the recursion options substatement:

options {
        directory "/var/named";
        recursion no;
};

If the name server isn't already configured as authoritative for one or more zones, add zone statements to named.conf, too.

7.6.3 Discussion

Since "authoritative-only" isn't a standard term (nor is "nonrecursive," really), a few words of explanation are in order. A nonrecursive or authoritative-only name server is one that only answers nonrecursive queries from remote name servers. It can't directly serve resolvers, since all resolvers send recursive queries by default, but you can delegate zones to it, and it's nearly invulnerable to spoofing attacks, since it normally doesn't send queries. It's also more resistant to denial of service attacks, since it doesn't process resource-intensive recursive queries.

For completeness, you may also want to disable glue fetching on BIND 8 name servers:

options {
        directory "/var/named";
        recursion no;
        fetch-glue no;
};

This step prevents the name server from sending queries to look up A records for name servers that appear in NS records. That, together with disabling recursion, makes the name server completely passive. It may prevent NOTIFY from working correctly, though, since the name server won't look up the addresses of name servers outside of the zones it's authoritative for. In that case, use Section 3.14 to configure the name server to send NOTIFY messages to the slaves explicitly.

Remember to limit concurrent zone transfers (Section 5.17) and accept only authorized zone transfer requests (Section 7.11) if the name server acts as a master.
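The following named.conf pulls the whole recipe together: recursion disabled, explicit NOTIFY in place of the lookups a passive server no longer performs (Section 3.14), a cap on concurrent zone transfers (Section 5.17), and transfer restrictions (Section 7.11). It is an added example, not the book's own configuration; it uses BIND 9 syntax, so the BIND 8-only fetch-glue substatement is omitted (BIND 9 treats it as obsolete), and the zone names, file names and 192.0.2.0/24 addresses are constructed placeholders from the RFC 5737 documentation range.

```conf
// Added example (not from the book): a complete named.conf for an
// authoritative-only BIND 9 server. Zone names, file names and the
// 192.0.2.x addresses are constructed placeholders.
options {
        directory "/var/named";

        // The core of the recipe: never resolve on a client's behalf.
        recursion no;
        // Defence in depth: even if recursion is switched back on by
        // mistake, no client is in the permitted set.
        allow-recursion { none; };

        // Section 5.17: cap simultaneous outbound zone transfers so a
        // burst of AXFR requests cannot tie up the server.
        transfers-out 10;

        // Section 7.11: refuse zone transfers unless a zone statement
        // explicitly grants them.
        allow-transfer { none; };

        // Section 3.14: a passive server does not look up the addresses
        // of the name servers in NS records, so list the slaves to
        // notify explicitly instead of relying on NS-derived targets.
        notify explicit;
        also-notify { 192.0.2.2; 192.0.2.3; };
};

// Zones this server is authoritative for.
zone "example.net" {
        type master;
        file "db.example.net";
        // Only the listed slaves may pull this zone.
        allow-transfer { 192.0.2.2; 192.0.2.3; };
};

zone "2.0.192.in-addr.arpa" {
        type master;
        file "db.192.0.2";
        allow-transfer { 192.0.2.2; 192.0.2.3; };
};
```

Check the file with named-checkconf before reloading. After the reload, a query such as dig @192.0.2.1 example.net SOA should answer with the aa flag set and without ra in the flags line, confirming that the server advertises no recursion; a query for a name outside its zones should come back without a resolved answer, since the server now never sends queries of its own.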

7.6.4 See Also

Section 3.14, for explicit NOTIFY configuration; Section 5.17, to limit concurrent zone transfers; and Section 7.11, for adding zone transfer restrictions.
