Hacker's gain tremendous insight during the discovery phase if they can perform
an unauthorized zone transfer from your DNS server. It reveals the network and
host names. A zone transfer eats up the processing power of the DNS server. If
you are using the Microsoft DNS server under NT, you can configure the server to
only respond to requests for zone transfers from authorized ip addresses.
- Click Start | Programs | Administrative Tools | DNS
- Open the DNS server on which the zone is hosted.
- Right-click on the zone and select Properties | Notify
- Add the IP addresses for any systems that will be allowed to do zone
- Enable the Only Allow Access From Secondaries Included On
Notify List check box.
- Click OK.
The DNS server will now reject zone transfer requests
from any sources other than those listed in the Notify list. You can add IP
addresses to this list even if they're not for MS DNS servers without causing
errors on the DNS server.