Should I allow zone transfers?

A zone transfer is a client-initiated request: the secondary (or whoever is pretending to be one) asks a name server for the whole zone. Initiating an AXFR zone-transfer request is as simple as a couple of dig commands. First, get the list of name servers for the domain (its NS records); then ask one of those servers for the zone with a query of type AXFR over TCP. This means that unless some kind of protection is introduced, an attacker can get a list of all hosts in the domain, which gives them many potential attack vectors.
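
The two steps above, as an added example rather than code from the original page: a minimal AXFR client written against the DNS wire format with only the Python standard library. It builds the AXFR question, reads the TCP-framed reply (2-byte length prefix per message), and checks that the answer is a complete zone, which by definition starts and ends with the zone's SOA record. The sample reply and the refusal are constructed, not captured; example.com, ns1.example.com and 192.0.2.1 are documentation placeholders.

```python
"""Minimal AXFR client and reply checker (standard library only; added example)."""
import socket
import struct
import sys

QTYPE_A, QTYPE_NS, QTYPE_CNAME, QTYPE_SOA, QTYPE_PTR, QTYPE_AAAA, QTYPE_AXFR = 1, 2, 5, 6, 12, 28, 252
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (one question, no flags) followed by the QTYPE=AXFR question."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2                        # resume after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def format_rdata(msg, offset, rtype, rdlen):
    """Render the record types a footprinting exercise cares about; others as hex."""
    if rtype == QTYPE_A and rdlen == 4:
        return socket.inet_ntoa(msg[offset:offset + 4])
    if rtype == QTYPE_AAAA and rdlen == 16:
        return socket.inet_ntop(socket.AF_INET6, msg[offset:offset + 16])
    if rtype in (QTYPE_NS, QTYPE_CNAME, QTYPE_PTR):
        return decode_name(msg, offset)[0]
    if rtype == QTYPE_SOA:                              # mname rname serial ...
        mname, off = decode_name(msg, offset)
        rname, off = decode_name(msg, off)
        return f"{mname} {rname} serial={struct.unpack('!I', msg[off:off + 4])[0]}"
    return msg[offset:offset + rdlen].hex()


def parse_message(msg):
    """Return (rcode, [(owner, rtype, rdata_text), ...]) for the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((owner, rtype, format_rdata(msg, offset, rtype, rdlen)))
        offset += rdlen
    return flags & 0xF, records


def is_complete_axfr(records):
    """A finished AXFR is bracketed by two copies of the zone's SOA record."""
    return len(records) >= 2 and records[0][1] == QTYPE_SOA and records[-1][1] == QTYPE_SOA


def host_list(records):
    """Sorted owner names that carry address records: the attacker's host list."""
    return sorted({owner for owner, rtype, _ in records if rtype in (QTYPE_A, QTYPE_AAAA)})


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def try_axfr(server, zone, port=53, timeout=5.0):
    """Request the zone over TCP; return its records or raise PermissionError if refused."""
    query, records = build_axfr_query(zone), []
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        while not is_complete_axfr(records):            # zone may span several messages
            length = struct.unpack("!H", recv_exact(sock, 2))[0]
            rcode, recs = parse_message(recv_exact(sock, length))
            if rcode != 0 or not recs:
                raise PermissionError(f"{server} did not transfer {zone} (rcode {rcode})")
            records.extend(recs)
    return records


def _rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def build_sample_axfr_response(txid=0x1234):
    """Constructed reply for example.com: SOA, NS, A, SOA; last owner is a pointer to offset 12."""
    soa = encode_name("ns1.example.com") + encode_name("hostmaster.example.com") + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 300)
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    answers = (_rr(encode_name("example.com"), QTYPE_SOA, soa)
               + _rr(encode_name("example.com"), QTYPE_NS, encode_name("ns1.example.com"))
               + _rr(encode_name("ns1.example.com"), QTYPE_A, socket.inet_aton("192.0.2.1"))
               + _rr(b"\xc0\x0c", QTYPE_SOA, soa))
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 4, 0, 0) + question + answers


def build_refused_response(txid=0x1234):
    """Constructed reply from a server that restricts transfers: RCODE 5 (REFUSED), no answers."""
    return struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


if __name__ == "__main__":                              # usage: python axfr_check.py <server-ip> <zone>
    try:
        print(host_list(try_axfr(sys.argv[1], sys.argv[2])))
    except (PermissionError, OSError) as exc:
        print(f"not transferable: {exc}")
```

Run it against each NS of a zone you own: every server that returns a host list instead of a refusal is leaking the zone to anyone who asks.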

To prevent this, configure the DNS server to allow zone transfers only from trusted IP addresses, namely your own secondary servers. Zone transfers themselves are legitimate and needed for redundancy: they are how a secondary obtains its copy of the zone from the primary. There are several zone transfer methods, but the most common one uses the AXFR protocol, a full transfer of the zone.

When transfers are unrestricted, anyone can pull the whole zone with AXFR, and attackers use the information in a zone (host names, addresses, mail and service records) to plan attacks.

A secondary's master can itself be a secondary server; in that case the zone file received from the master by zone transfer is a copy of the master's read-only secondary zone file. DNS was originally designed as an open protocol, and that openness is what attackers abuse here. By default, the Windows DNS Server service only allows zone information to be transferred to servers listed in the name server (NS) resource records of the zone. This is a reasonably secure configuration, but for increased security change it to the option that allows zone transfers only to specified IP addresses: an explicit address list does not depend on the NS host names resolving to the right addresses, and it does not change when someone edits the zone's NS records.

If this setting is changed to allow zone transfers to any server, it exposes your DNS data to an attacker attempting to footprint your network. Footprinting is the process by which an attacker obtains the DNS zone data to learn the DNS domain names, computer names, and IP addresses of sensitive network resources. An attacker commonly begins an attack by using this DNS data to diagram, or footprint, the network. DNS domain and computer names usually indicate the function or location of a domain or computer so that users can remember and identify them more easily.
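
Restricting transfers is the control; knowing whether it held is the check. The following is an added example, not from the original page, of detection logic over zone-transfer log lines: it flags any completed transfer served to a client outside the known list of secondaries, and reports every refused attempt. The log lines are constructed in the style of BIND's xfer-out and security log categories; the zone, the addresses and the ALLOWED_SECONDARIES inventory are assumptions for the example (a Windows DNS server would need the same logic over its own audit events).

```python
"""Flag zone transfers served to clients that are not known secondaries (added example)."""
import ipaddress
import re

# Constructed sample log: one legitimate secondary, one unexpected client that
# was served the zone, and one client that was refused.
SAMPLE_LOG = """\
10-Mar-2024 09:12:01.123 xfer-out: info: client @0x7f3c2c0 192.0.2.10#41234 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031001)
10-Mar-2024 09:12:01.301 xfer-out: info: client @0x7f3c2c0 192.0.2.10#41234 (example.com): transfer of 'example.com/IN': AXFR ended
10-Mar-2024 11:40:17.555 xfer-out: info: client @0x7f3c2d0 198.51.100.77#50231 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031001)
10-Mar-2024 11:40:17.799 xfer-out: info: client @0x7f3c2d0 198.51.100.77#50231 (example.com): transfer of 'example.com/IN': AXFR ended
10-Mar-2024 12:01:03.010 security: info: client @0x7f3c2e0 203.0.113.9#33001 (example.com): zone transfer 'example.com/IN' denied
"""

# Assumed inventory of secondaries per zone: single hosts or CIDR ranges.
ALLOWED_SECONDARIES = {"example.com": ["192.0.2.10", "192.0.2.16/29"]}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"(?:transfer of '(?P<zone>[^/']+)/IN': (?P<kind>AXFR|IXFR) (?P<state>started|ended)"
    r"|zone transfer '(?P<dzone>[^/']+)/IN' denied)"
)


def parse_line(line):
    """Return a dict for transfer start/end/denied lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        "zone": m.group("zone") or m.group("dzone"),
        "kind": m.group("kind"),                       # None for denied lines
        "event": m.group("state") or "denied",
    }


def is_allowed(ip, zone, allowed):
    """True if the client address falls inside any allowed host or range for the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowed.get(zone, []))


def audit_transfers(lines, allowed):
    """One finding per completed transfer to an unknown client and per refused attempt."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "denied":                    # refused attempts are still reconnaissance
            findings.append({**ev, "finding": "transfer attempt denied"})
        elif ev["event"] == "ended" and not is_allowed(ev["ip"], ev["zone"], allowed):
            findings.append({**ev, "finding": "zone transferred to unknown client"})
    return findings


if __name__ == "__main__":
    for f in audit_transfers(SAMPLE_LOG.splitlines(), ALLOWED_SECONDARIES):
        print(f["ts"], f["ip"], f["zone"], f["finding"])
```

A completed transfer to an address that is not in the inventory means the allow-list on the server and the inventory disagree, which is exactly the misconfiguration this page warns about; a burst of denied attempts from one address is footprinting in progress.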

An attacker takes advantage of the same DNS naming convention to learn the function or location of domains and computers in the network.

Exam Tip: For simulation questions, review the procedure for configuring zone transfers. Be sure to remember the differences among the three zone transfer options on the Zone Transfers tab: to any server, only to servers listed on the Name Servers tab, and only to the following servers (an explicit IP address list).

Notification: The Zone Transfers tab also allows you to configure notification of secondary servers. To do this, click Notify on the Zone Transfers tab when zone transfers are enabled.

This action opens the Notify dialog box, shown in the figure, in which you can specify the secondary servers that should be notified whenever a zone update occurs at the local master server. By default, when zone transfers are enabled, all servers listed on the Name Servers tab are automatically notified of zone changes.

Notification and zone transfer initiation: Zone transfers in standard zones can be triggered by any of three events. In the first two cases, the secondary server initiates an SOA query to the master to find out whether any updates to the zone have occurred, that is, whether the serial number in the master's SOA record is higher than its own, and requests a transfer only if it is.
