Recipe 13.10. Configuring Zone Transfer

Problem

You want to enable zone transfers to specific secondary name servers.

Solution

Using a graphical user interface
Using a command-line interface

The following command enables zone transfers for the test.local zone and specifies that they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):

```
> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureNs
```

The next command enables zone transfers for the same zone, but specifies that they can only occur with hosts whose IP addresses are 172.16.11.33 and 172.16.11.34:

```
> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureList 172.16.11.33 172.16.11.34
```

Using VBScript

```vbscript
' This code creates a name server (NS) record on a DNS server.
' ------ SCRIPT CONFIGURATION ------
strDNSServer = "<servername>"        ' DNS server that hosts the zone
strContainer = "<containername>"     ' zone (container) the record belongs to
strOwner = "<ownername>"             ' owner name of the NS record, e.g., the zone name
intRecordClass = 1                   ' 1 = IN (Internet) class
intTTL = 600                         ' time to live, in seconds
strNSHost = "<nameservername>"       ' FQDN of the name server the NS record points to
strComputer = "."                    ' "." = connect to the local WMI service
' ------ END CONFIGURATION ---------
set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")
set objItem = objWMIService.Get("MicrosoftDNS_NSType")
errResult = objItem.CreateInstanceFromPropertyData _
    (strDNSServer, strContainer, strOwner, intRecordClass, intTTL, strNSHost)
```

```vbscript
' This code configures the allowed secondaries for zone transfer and notify
' XFR constants (MicrosoftDNS_Zone.SecureSecondaries values)
const ZONE_SECSECURE_NO_SECURITY = 0   ' any host may pull a zone transfer
const ZONE_SECSECURE_NS_ONLY = 1       ' only servers with NS records in the zone
const ZONE_SECSECURE_LIST_ONLY = 2     ' only the IP addresses in arrSecondaries
const ZONE_SECSECURE_NO_XFR = 3        ' zone transfers disabled
' NOTIFY constants (MicrosoftDNS_Zone.Notify values)
const ZONE_NOTIFY_OFF = 0
const ZONE_NOTIFY_ALL_SECONDARIES = 1
const ZONE_NOTIFY_LIST_ONLY = 2
' ------ SCRIPT CONFIGURATION ------
strZone = "<ZoneName>"          ' e.g., rallencorp.com
strServer = "<ServerName>"      ' e.g., dc1.rallencorp.com
' use one of the above XFR constants
intSecureSecondaries = ZONE_SECSECURE_LIST_ONLY
arrSecondaries = Array("1.1.1.2","1.1.1.3")
' use one of the above NOTIFY constants
intNotify = ZONE_NOTIFY_LIST_ONLY
arrNotify = Array("<IP1>","<IP2>")
' ------ END CONFIGURATION ---------
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
' Name="." refers to the DNS server on the machine we connected to
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
                            strZone & """,DnsServerName=""" & _
                            objDNSServer.Name & """,Name=""" & strZone & """")
' ResetSecondaries(SecondaryServers, SecureSecondaries, NotifyServers, Notify)
strNull = objDNSZone.ResetSecondaries(arrSecondaries,intSecureSecondaries, _
                                      arrNotify,intNotify)
objDNSZone.Put_
WScript.Echo "Updated secondaries for zone transfer and notify"
```

Discussion

Your DNS implementation may require that you allow some zone transfers to occur, but you want to restrict which hosts can initiate zone transfers with your name servers. Since allowing anyone to initiate a zone transfer with your server could provide them with information for mapping out your network, it is critical that you limit which hosts can pull zone transfers from your servers.

If you are using only Active Directory-integrated zones, the Name Servers tab will be automatically populated with a list of all name servers authoritative for the selected zone, and this is the recommended choice when you have a large network with many name servers deployed. If any of your name servers are using standard zone files, however, you will need to populate this tab manually for any secondary name servers you deploy.

Specifying a list of IP addresses for hosts that can initiate zone transfers may be more secure since it is more specific, but this approach has the trade-off of adding the management overhead of keeping track of the name servers' IP addresses on your network, so you should only follow this approach if your network is small and you have relatively few name servers deployed. Another disadvantage of this approach is that if you forget to add some name servers' IP addresses to your list, zone information stored on those servers could become stale, causing name resolution to fail for some of your clients. This could result in some of your users experiencing difficulties in accessing network resources.

Note that on Windows 2000 name servers, the default setting allows zone transfers with any host that requests them. This setting is inherently insecure as it allows attackers to use nslookup to display all resource records on your servers, so be sure to use the steps outlined in this recipe to change the setting on your servers to one of the two settings described here. Windows Server 2003 DNS is more secure by default: for file-based zones, it is configured to allow zone transfers only with servers listed on the Name Servers tab of a zone, and for Active Directory-integrated zones, it is configured to disallow zone transfers entirely since they generally aren't needed in an Active Directory environment.

See Also

Recipe 13.4
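The discussion above points out that the default on Windows 2000 name servers allows zone transfers to any host, and that the safe settings are the Name Servers tab (SecureSecondaries = 1) or an explicit IP list (SecureSecondaries = 2). The script below is an added example, not code from the cookbook: it reads every zone through the same MicrosoftDNS WMI namespace the recipe's VBScript uses and flags zones that still accept transfers from any host, then offers a helper that applies the explicit-list setting with the same ResetSecondaries method. It assumes Windows PowerShell (Get-WmiObject is not available in PowerShell 7), the MicrosoftDNS WMI provider on the target, and placeholder values for the server name and the allowed IP addresses; the hypothetical function name Set-ZoneTransferList is mine.

```powershell
# Added example (not from the cookbook): audit and correct zone-transfer
# restrictions on a Windows DNS server via the MicrosoftDNS WMI provider.

$Server = "<ServerName>"   # placeholder: DNS server to audit; "." means the local server

# Meaning of the MicrosoftDNS_Zone.SecureSecondaries values (same numbers as the
# ZONE_SECSECURE_* constants in the recipe's VBScript).
$XfrLabels = @{
    0 = "ANY HOST (insecure default on Windows 2000)"
    1 = "Name Servers tab only (NS records)"
    2 = "Explicit IP list only"
    3 = "Zone transfers disabled"
}

function Get-ZoneTransferReport {
    param([string]$ComputerName)
    $zones = Get-WmiObject -ComputerName $ComputerName -Namespace "root\MicrosoftDNS" `
        -Class MicrosoftDNS_Zone
    foreach ($zone in $zones) {
        $setting = [int]$zone.SecureSecondaries
        $list    = if ($zone.SecondaryServers) { $zone.SecondaryServers -join ", " } else { "-" }
        [pscustomobject]@{
            Zone       = $zone.ContainerName
            Setting    = $XfrLabels[$setting]
            AllowedIPs = $list
            # Setting 0 is the only one the recipe says must be changed.
            Status     = if ($setting -eq 0) { "REVIEW" } else { "ok" }
        }
    }
}

# Hypothetical helper: restrict one zone to an explicit list of secondary servers,
# mirroring the VBScript's ResetSecondaries call (list-only transfer, list-only notify).
function Set-ZoneTransferList {
    param([string]$ComputerName, [string]$ZoneName, [string[]]$AllowedIPs)
    $zone = Get-WmiObject -ComputerName $ComputerName -Namespace "root\MicrosoftDNS" `
        -Class MicrosoftDNS_Zone -Filter "ContainerName='$ZoneName'"
    if (-not $zone) { throw "Zone '$ZoneName' not found on $ComputerName" }
    # ResetSecondaries(SecondaryServers, SecureSecondaries, NotifyServers, Notify)
    # 2 = ZONE_SECSECURE_LIST_ONLY, 2 = ZONE_NOTIFY_LIST_ONLY
    $zone.ResetSecondaries($AllowedIPs, 2, $AllowedIPs, 2) | Out-Null
}

# Usage: list every zone, with zones still open to any host marked REVIEW.
Get-ZoneTransferReport -ComputerName $Server | Sort-Object Status -Descending | Format-Table -AutoSize

# Usage: lock a zone down to the two secondaries from the recipe (placeholders).
# Set-ZoneTransferList -ComputerName $Server -ZoneName "test.local" -AllowedIPs "172.16.11.33","172.16.11.34"
```

Run the report before and after changing a zone; a zone should move from REVIEW to ok, and the AllowedIPs column should show the list you passed. Secondary servers missing from that list will stop receiving updates, which is the staleness problem the discussion warns about, so compare the column against the Name Servers tab for each zone.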