r2 - 2009-05-29 - 04:01:21 - DannyMayerYou are here: NTP >  Dev Web > DevelopmentIssues > ListenOn
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

The listen-on directive


The listen-on directive specifies which addresses or interfaces to use to accept queries instead of all interfaces and addresses. In the absence of this directive ntpd will listen on and accept all NTP packets on all IP addresses with the exception on the wildcard addresses where it will accept all packets but drop them when they arrive.

When there is more than one listen-on directive or -I command line option the last one added will be used if it applies and that command line options will be checked before configuration options.

The localhost IP addresses ( and ::1) will always be able to accept packets unless explicitly disabled by a listen-on directive. This is necessary if DNS lookup is delayed and allows local monitoring. If you choose to disable this you will not be able to check for DNS addresses if you are using names instead of addresses for NTP servers.

The query-on directive takes an address or interfaces and will optionally take a directive

Subsequent listen-on directives will append to the existing list. The last valid address/interface listed will be used.


The syntax of the configuration option is as follows:

listen-on address|interface|keyword [ accept|drop|ignore ] [prefixlen nn]

The descriptions of these options are as follows:

  • accept - this address or interface should accept and process packets received. This is the default.
  • drop - this address or interface should accept packets but drop the packet when received
  • ignore - this address or interface will not be used to receive packets

In addition to actual IP addresses and interface names the listen-on syntax accepts the following keywords:

  • all - all IP addresses available on the system
  • wild - the wildcard addresses ( and ::)
  • ipv4 - the IPv4 addresses available on the system
  • ipv6 - the IPv6 addresses available on the system
  • localhost - the localhost addresses ( and ::1)

prefixlen is used to indicate that the IP address is a network mask with a subnet length of nn.

-- DannyMayer - 29 May 2009


  listen-on accept
  listen-on ignore prefixlen 24
  listen-on eth1 drop
  listen-on ipv6 ignore

In this example ntpd will not bind to any IPv6 addresses, will bind to all IPv4 addresses on eth1 but drop all packets received on those addresses , not bind to address and accept packets IP address

If the system is not using any listen-on directives or the -I command-line option then the affect will be as follows:

 listen-on all accept
 listen-on wild drop

but this in not necessary to add to a configuration file.

To listen and accept packets on only one address you just need to do this:

 listen-on all ignore


The query-on directive will also explicitly and quietly add to the listen-on list but only if the listen-on list exists since a NTP packet going out on a specific IP address needs to be received and process on that very same process. It is only necessary to do this for queries using the standard NTP port. Requests going out on their own ports will not be part of the listen-on interface list.

The listen-on list should be constructed with the most general entries first and more specific ones further down.

-- DannyMayer - 26 Apr 2009

Prefixlen has been added as a configuration option.

-- DannyMayer - 29 May 2009

Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r2 < r1 | More topic actions
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback