Developer

Stop unauthorized DNS zone transfers in Windows NT

Allowing unauthorized DNS zone transfers in Windows NT can leave your network vulnerable to malicious attacks. To lock down your network, it's better to configure your DNS server to accept zone transfer requests only from selected IP addresses. Find out how in this Windows NT tip.

If you don't specifically configure a DNS server to only accept zone transfer requests from designated sources, anyone on the Internet with the proper tools can transfer a complete copy of your DNS zone database to his or her system.

Malicious users typically accomplish this using the NSLOOKUP utility and the ls -d command. In addition, a hacker could possibly configure a DNS server to act as a secondary name server for the zone and transfer the database in that fashion.

To lock down your network, it's a best practice to configure your DNS server to accept zone transfer requests only from selected IP addresses.

Follow these steps:

  1. Open the DNS Manager by going to Start | Programs | Administrative Tools | DNS Manager.
  2. Open the DNS server that hosts the zone.
  3. Right-click the zone, and select Properties.
  4. On the Notify tab, add the IP addresses for any systems that you want to allow to perform zone transfers in the Notify List.
  5. Select the Only Allow Access From Secondaries Included On The Notify List check box, and click OK.

The DNS server will now reject zone transfer requests from any sources other than those listed. You can add IP addresses to this list even if they're not for Microsoft DNS servers without causing errors.

Editor's Picks

Free Newsletters, In your Inbox