Block DNS zone transfers in Windows 2000 Server

by Jim Boyce | Jun 05, 2006 7:00:00 AM

Tags: Domain names, Servers, NETWORKING, Microsoft Windows, Jim Boyce, server, DNS server, DNS, Microsoft Windows 2000, Microsoft Windows 2000 Server, Windows 2000 Server Tips Newsletter

Takeaway: If you're concerned about how much data is exchanged over your DNS servers—and who might be watching—read Jim Boyce's tip about blocking DNS zone transfers on Windows 2000 Servers.

The primary and secondary DNS servers exchange data between them by performing zone transfers, during which all data about the zone are transferred from the primary to the secondary server. While zone transfer allows you to have several DNS servers holding the same information, it can pose a certain threat to your network if not used wisely.

Because zone transfer transmits all information about a certain DNS zone, it could also help an intruder get to know your network better. Tools like Nslookup allow you to easily perform zone transfers with DNS servers.

If you don't want to allow zone transfers to everyone, specify a list of servers that you'll allow to perform zone transfers with your DNS server. To do so, follow these steps:

1. Open the DNS console on your DNS server and expand the server and zone for which you want to disable zone transfers. Right-click and select Properties.
2. On the Zone Transfers tab, you can either limit the zone transfers to the DNS servers on your network and let DNS manage them, or you can manually specify the IP address of the computers that will be allowed to perform zone transfers.
3. Click OK.

Miss a column?

Check out the Windows 2000 Server archive, and catch up on the most recent editions of Jim Boyce's column.

Want more Win2K tips and tricks? Automatically sign up for our free Windows 2000 Server newsletter, delivered each Tuesday!

Print/View all Posts Comments on this article

dfhd.,hdhdawoodkukshiwala@...  | 06/07/06

checkcokesrini@...  | 06/19/06