YADIFA is an authoritative-only DNS server. Security should focus on zone transfer protection, DNSSEC hygiene, network exposure minimization, and host-level hardening.
Note: YADIFA does not support recursion or caching. Do not deploy it as a recursive resolver. If you need recursion, pair YADIFA with a dedicated resolver such as Unbound.
¶ Network Exposure
- Restrict listener interfaces to only required networks.
- Expose only port 53 (UDP/TCP) to authorized clients.
- Use firewall rules to limit which IPs can query authoritative zones.
- Disable zone transfers to unauthorized peers.
¶ Transfer and Update Controls
- Protect AXFR/IXFR transfers with TSIG authentication.
- Restrict update and transfer peers explicitly in zone definitions.
- Review and remove stale secondary zone definitions.
- Use ACLs to limit which hosts can request zone transfers.
¶ DNSSEC and Key Security
- Sign zones using a controlled key lifecycle (KSK/ZSK separation).
- Protect key files with strict file permissions (owner-only read).
- Monitor signature validity and rollover windows.
- Store offline KSK backups in secure, access-controlled storage.
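Monitoring signature validity in practice means reading the RRSIG expiration and inception timestamps out of the signed zone and alerting before resolvers start failing validation. The following is an added example (not YADIFA code); it parses standard zone-file text, and SAMPLE_ZONE, the key tags and the dates are constructed values.

```python
"""Flag RRSIGs that are expired, expiring soon, or not yet valid so a
re-signing or rollover problem is caught before resolvers return SERVFAIL.
Added example; SAMPLE_ZONE is constructed data, not a real zone."""
from datetime import datetime, timezone

SAMPLE_ZONE = """\
; constructed signed zone fragment (algorithm 13 = ECDSAP256SHA256)
example.test.     3600 IN SOA    ns1.example.test. hostmaster.example.test. 2024060101 7200 900 1209600 3600
example.test.     3600 IN RRSIG  SOA 13 2 3600 20240701000000 20240601000000 12345 example.test. c2lnMQ==
example.test.     3600 IN DNSKEY 257 3 13 a3NrcHVi
example.test.     3600 IN RRSIG  DNSKEY 13 2 3600 20240915000000 20240601000000 54321 example.test. c2lnMg==
www.example.test.  300 IN A      192.0.2.10
www.example.test.  300 IN RRSIG  A 13 3 300 20240610120000 20240601000000 12345 example.test. c2lnMw==
mail.example.test. 300 IN MX     10 mx1.example.test.
mail.example.test. 300 IN RRSIG  MX 13 3 300 20240605000000 20240520000000 12345 example.test. c2lnNA==
ftp.example.test.  300 IN A      192.0.2.11
ftp.example.test.  300 IN RRSIG  A 13 3 300 20240720000000 20240620000000 12345 example.test. c2lnNQ==
"""

def _ts(field):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, inception, key_tag) per RRSIG line."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenize
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")                # RDATA starts right after the type
        yield (fields[0], fields[i + 1], _ts(fields[i + 5]), _ts(fields[i + 6]), int(fields[i + 7]))

def audit_signatures(zone_text, now, warn_days=7):
    """Return [(owner, type_covered, status, key_tag)] for every RRSIG that is
    'expired', 'expiring' (within warn_days) or 'not_yet_valid' (inception in
    the future, e.g. a pre-published signature).  `now` uses RRSIG time format."""
    now_dt = _ts(now)
    findings = []
    for owner, rtype, exp, inc, tag in parse_rrsigs(zone_text):
        if exp <= now_dt:
            status = "expired"
        elif inc > now_dt:
            status = "not_yet_valid"
        elif (exp - now_dt).total_seconds() < warn_days * 86400:
            status = "expiring"
        else:
            continue                             # healthy signature, nothing to report
        findings.append((owner, rtype, status, tag))
    return findings

if __name__ == "__main__":
    for f in audit_signatures(SAMPLE_ZONE, now="20240608000000"):
        print("%-20s %-7s %-13s keytag=%d" % f)
```

Run it from cron against the zone file YADIFA serves (or a `dig AXFR` dump from an authorized host) and page on any non-empty result; the key tag tells you which KSK or ZSK the affected signatures belong to.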
¶ Host and Operational Controls
- Run YADIFA as a dedicated, unprivileged system user.
- Keep YADIFA and OS packages current with security patches.
- Centralize logs and alert on transfer/auth anomalies.
- Apply systemd hardening (PrivateTmp, ProtectSystem, NoNewPrivileges, etc.).
- Use AppArmor or SELinux profiles where available.
- Rate-limit responses to mitigate amplification attacks.
- Deploy behind a firewall with DNS-specific rules.
- Consider using a hidden primary with public secondaries.
¶ Limitations
- No recursion - YADIFA cannot act as a recursive resolver.
- No caching - Every query triggers authoritative zone lookup.
- No DoH/DoQ - DNS-over-HTTPS and DNS-over-QUIC are not supported.
- No split-horizon - Views are not available for split DNS deployments.