If you don’t specifically configure a DNS server to only
accept zone transfer requests from designated sources, anyone on the Internet
with the proper tools can transfer a complete copy of your DNS zone database to
his or her system.

Malicious users typically accomplish this using the NSLOOKUP
utility and the ls -d command. In
addition, a hacker could possibly configure a DNS server to act as a secondary
name server for the zone and transfer the database in that fashion.

To lock down your network, it’s a best practice to configure
your DNS server to accept zone transfer requests only from selected IP addresses.

Follow these steps:

  1. Open the DNS Manager by going to Start | Programs | Administrative Tools | DNS.
  2. Open the DNS server that hosts the zone.
  3. Right-click the zone, and select Properties.
  4. On the Notify tab, add the IP addresses for any systems that you want to allow to
     perform zone transfers in the Notify List.
  5. Select the Only Allow Access From Secondaries Included On The Notify List check
     box, and click OK.

The DNS server will now reject zone transfer requests from
any sources other than those listed. You can add IP addresses to this list even
if they’re not for Microsoft DNS servers without causing errors.
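The same restriction can be applied and verified from the command line on a current Windows Server DNS role that ships the DnsServer PowerShell module. This is an added example, not part of the original article: the zone name and the secondary server IP addresses are placeholders, and the session is assumed to run elevated on the DNS server itself.

```powershell
# Added example (not from the original article): restrict zone transfers on a
# Windows Server DNS role using the DnsServer PowerShell module.
# Assumptions: zone name and secondary addresses are placeholders; run in an
# elevated session on the DNS server.
$ZoneName    = 'example.com'                  # placeholder zone
$Secondaries = @('192.0.2.10', '192.0.2.11')  # placeholder secondary servers

# Weak setting: the zone answers zone transfer requests from any source.
# Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferAnyServer

# Hardened setting: transfer only to the listed servers, and send NOTIFY
# messages only to those same servers.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondaries `
    -Notify NotifyServers `
    -NotifyServers $Secondaries

# Read the zone back and show the transfer policy that is now in effect.
$zone = Get-DnsServerZone -Name $ZoneName
$zone | Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers

# Fail loudly if the zone is still open to transfers from anyone.
if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
    throw "Zone $ZoneName still allows zone transfers to any server"
}

# Audit every primary zone on this server for the weak setting, skipping the
# automatically created zones.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and
                   $_.ZoneType -eq 'Primary' -and
                   $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Select-Object ZoneName, SecureSecondaries
```

The final audit is the part worth running on a schedule: a zone that is recreated or imported later can come back with the open setting, and listing every primary zone whose transfer policy is TransferAnyServer catches that regardless of which zone the administrator remembered to lock down.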