Stop Unauthorized DNS Zone Transfers from Microsoft's DNS Server

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Hacker's gain tremendous insight during the discovery phase if they can perform an unauthorized zone transfer from your DNS server. It reveals the network and host names. A zone transfer eats up the processing power of the DNS server. If you are using the Microsoft DNS server under NT, you can configure the server to only respond to requests for zone transfers from authorized ip addresses.

  • Click Start | Programs | Administrative Tools | DNS Manager
  • Open the DNS server on which the zone is hosted.
  • Right-click on the zone and select Properties | Notify
  • Add the IP addresses for any systems that will be allowed to do zone transfers
  • Enable the Only Allow Access From Secondaries Included On Notify List check box.
  • Click OK.
The DNS server will now reject zone transfer requests from any sources other than those listed in the Notify list. You can add IP addresses to this list even if they're not for MS DNS servers without causing errors on the DNS server.

See Also

Featured Links