Zone transfers

  • Thread starter Thread starter How can I be down
  • Start date Start date
Zone transfers is the process of transferring DNS zone from one DNS server
to another. If you have multiple DNS servers and you have configured them as
primary/secondary, then, when your domain information in zone on the primary
DNS server changes, it is transferred to your secondary DNS server. This is
called zone transfer. I don't know why your security department wants to
shut them off, as you provided no info on your network design and security
requirements.
If you are using DNS servers on W2k domain controllers, then you can make
your zones AD integrated. This way zone transfer would be part of active
directory replication which is more secure than normal zone transfer.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
HcIbd> What are DNS zone transfers???

"zone transfer" is one of several replication mechanisms that
can be used to replicate DNS database content across a set of
peer content DNS servers. It is the one such replication
mechanism that is common to all DNS server softwares. However,
it is also the most severely limiting of those mechanisms
because its fixed schema doesn't match the actual database
schemata of most DNS server softwares.

<URL:http://www.microsoft.com/technet/pr...rver/sag_DNS_und_ZoneTransfers.asp?frame=true>

HcIbd> and why does my security Dept. think I need
HcIbd> to shut them off????

How can we know ? You need to be asking your "security
department" this question, not us. When it told you that it
wanted you to shut off "zone transfer" service, why didn't
you ask it "Why?" then and there ?

Ask your "security department" why. Its answer to this
question will be telling, and will reveal a lot about it.

If its answer is that it doesn't want people on the rest of
Internet to be able to obtain your DNS data by performing
"zone transfers", then your "security department" doesn't
understand the nature of publication. The data that your
DNS server serves up are _intended_ to be public. Preventing
"zone transfer" in order somehow to make those data "less
public" is just daft (especially in light of the existence of
"'NXT' walking"). If there's something that you don't want
published, it _should not be served up by your DNS server
at all_. It simply should not be in your ("external" view)
DNS database in the first place. Preventing "zone transfer"
does nothing to ameliorate the case where your DNS database
contains data that shouldn't be published.

If your "security department"'s answer, however, is that it
wants to prevent denials of service (since "zone transfer"
uses DNS/TCP and is subject to the same denials of service
that every other TCP/IP service is subject to), then it is on
firmer ground. That is a valid concern. However, what it
should be concentrating upon is preventing the use of DNS/TCP
entirely, and not fixating upon "zone transfer" (which is but
one of the uses of DNS/TCP), since it is DNS/TCP service that
is the actual avenue of attack, not "zone transfer" /per se/.
 
Can you describe your DNS infrastructure a little more in detail and how it
is setup ?

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Zone transfers allowed means that other DNS servers (and hackers)
can transfer your zones on request.

This is true for even AD Integrated DNS -- if you have no secondaries
and don't wish to transfer manually (nslookup etc.) then disable.

ALWAYS try to disable this on PUBLIC DNS server -- or at least
list "specific IP addresses" which may transfer.

Disabling zone transfers has NO EFFECT on AD replication of DNS
integrated servers.
 
I have two DNS servers that all workstations, standalone severs and DC's
point back. Of course one is primary and the other secondary. they are setup
with a total of 11 AD zones. They are my only DNS servers. The current zones
are internal websites.
 
In
How can I be down said:
I have two DNS servers that all workstations, standalone severs and
DC's point back. Of course one is primary and the other secondary.
they are setup with a total of 11 AD zones. They are my only DNS
servers. The current zones are internal websites.
Click to expand...

If your zones on both DCs are AD integrated zone data is replicated through
Active Directory to all DCs in the same domain. So if both of your DCs are
in the same domain zone transfers can be and should be turned off.
 
If they are primary and secondary, then they are not AD integrated. IF your
DNS servers are running on your DC's then make them AD integrated and you
should be ok.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
If they are primary and secondary, then they are not AD integrated. IF
your
DNS servers are running on your DC's then make them AD integrated and you
should be ok.
Click to expand...

I agree with YOU but if you look at Win2003 Server, Microsoft is changing
the terminology back to say "Primary with data stored in Active Directory."

This is irritating after we pretty much talked everyone into the Win2000
terminology and people were beginning to understand the distinction this
way.
 
If the zones are stored in the Active directory and there are no non-AD server hosting these zones, then zone transfers can be turned off. If there are any non-
ad servers that will be hosting these zones as secondaries, then zone transfers must be turned on. This can be setup such that zone transfers are only allowed
to specific machines. This may be enough to get the security guys off your back.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
 
Back
Top