Stopping unauthorized DNS zone transfers

If you do not specifically configure your DNS server to accept zone transfer requests only from designated sources, anyone on the Internet with the proper tools can transfer a complete copy of your DNS zone database to their system. This is normally done using the NSLOOKUP program and the ls -d command. It's also possible for a cracker to configure a DNS server as a Secondary Name Server for the zone and transfer the database in that fashion.

Therefore, it's best to configure the MS DNS server to accept zone transfer requests only from selected IP addresses. To do so, follow these steps:

  1. Go into the Microsoft DNS Manager (Start | Programs | Administrative Tools | DNS Manager).
  2. Open the DNS server on which the zone is hosted.
  3. Right-click on the zone and select Properties | Notify.
  4. Add the IP addresses for any systems that will be allowed to do zone transfers.
  5. Enable the Only Allow Access From Secondaries Included On Notify List check box.
  6. Click OK.

This will cause the DNS server to reject zone transfer requests from any source other than those listed in the Notify list. The list may also contain the addresses of non-Microsoft DNS servers; adding them causes no errors on the DNS server.
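The steps above are given for the Microsoft DNS Manager GUI. As an added example that is not part of the original article, the script below does the same audit and hardening with the DnsServer PowerShell module that ships with the DNS Server role on Windows Server 2012 and later. It reports the zone-transfer setting of every primary zone and, when run with `-Fix`, restricts transfers to an explicit address list, which is the modern equivalent of the "Only Allow Access From Secondaries Included On Notify List" setting. The `$AllowedSecondaries` addresses are constructed placeholders from the RFC 5737 documentation range and must be replaced with your real secondary servers.

```powershell
# Added example (not from the original article): audit and harden zone-transfer
# settings on a Windows DNS server with the DnsServer PowerShell module.
# $AllowedSecondaries is a constructed placeholder list; replace it with the
# addresses of the secondary servers you actually operate.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$AllowedSecondaries = @('192.0.2.10', '192.0.2.11'),
    [switch]$Fix
)

Import-Module DnsServer -ErrorAction Stop

# Primary zones this server is authoritative for; automatically created
# housekeeping zones are skipped.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    # SecureSecondaries tells you who may pull the zone with AXFR/IXFR.
    $status = switch ($zone.SecureSecondaries) {
        'TransferAnyServer'        { 'OPEN: any host on the network may copy the zone' }
        'TransferToZoneNameServer' { 'LIMITED: only hosts named in the zone NS records' }
        'TransferToSecureServers'  { "RESTRICTED: $($zone.SecondaryServers -join ', ')" }
        'NoTransfer'               { 'DISABLED: no transfers at all' }
        default                    { "UNKNOWN: $($zone.SecureSecondaries)" }
    }
    Write-Output ("{0,-30} {1}" -f $zone.ZoneName, $status)

    if ($Fix -and $zone.SecureSecondaries -ne 'TransferToSecureServers') {
        # Allow transfers only to the explicit list, and send NOTIFY messages to
        # the same servers so the legitimate secondaries still refresh promptly.
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
            -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $AllowedSecondaries `
            -Notify NotifyServers -NotifyServers $AllowedSecondaries
        Write-Output ("{0,-30} -> restricted to {1}" -f $zone.ZoneName, ($AllowedSecondaries -join ', '))
    }
}
```

Run it once without `-Fix` to see which zones are still open, then with `-Fix -AllowedSecondaries 10.0.0.5,10.0.0.6` (your own addresses) to lock them down. Any zone still reporting OPEN afterwards is one that will hand its complete database to whoever asks.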

