Recipe 13.10. Configuring Zone Transfer

Problem

You want to enable zone transfers to specific secondary name servers.

Solution

Using a graphical user interface

  1. Open the DNS snap-in (dnsmgmt.msc).

  2. In the left pane, expand the server node and expand either Forward Lookup Zone or Reverse Lookup Zone depending on the type of zone you want to manage.

  3. Right-click on the zone and select Properties.

  4. Select the Zone Transfers tab.

  5. Select either the option to restrict zone transfers to those servers listed on the Name Servers tab, or the option to restrict zone transfers to specific IP addresses, as desired. See the Discussion section for more on these two options.

Using a command-line interface

The following command enables zone transfers for the test.local zone and specifies they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureNs

The next command enables zone transfers for the same zone, but specifies they can only occur with the hosts whose IP addresses are 172.16.11.33 and 172.16.11.34:

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureList 172.16.11.33 172.16.11.34

Using VBScript
' This code creates a name server (NS) record on a DNS server.
' (Separate script: it adds the NS record a secondary needs before the
' "Name Servers tab" restriction below will permit it to transfer the zone.)
strDNSServer = "<servername>"
strContainer = "<containername>"
strOwner = "<ownername>"
intRecordClass = 1
intTTL = 600
strNSHost = "<nameservername>"
strComputer = "."
set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")
set objItem = objWMIService.Get("MicrosoftDNS_NSType")
errResult = objItem.CreateInstanceFromPropertyData _
    (strDNSServer, strContainer, strOwner, intRecordClass, intTTL, strNSHost)

' This code configures the allowed secondaries for zone transfer and notify
' XFR constants (values of the MicrosoftDNS_Zone SecureSecondaries property)
const ZONE_SECSECURE_NO_SECURITY = 0
const ZONE_SECSECURE_NS_ONLY     = 1
const ZONE_SECSECURE_LIST_ONLY   = 2
const ZONE_SECSECURE_NO_XFR      = 3

' NOTIFY constants (values of the MicrosoftDNS_Zone Notify property)
const ZONE_NOTIFY_OFF             = 0
const ZONE_NOTIFY_ALL_SECONDARIES = 1
const ZONE_NOTIFY_LIST_ONLY       = 2

' ------ SCRIPT CONFIGURATION ------
strZone   = "<ZoneName>"    ' e.g., rallencorp.com
strServer = "<ServerName>"  ' e.g., dc1.rallencorp.com

' use one of the above XFR constants
intSecureSecondaries = ZONE_SECSECURE_LIST_ONLY
arrSecondaries = Array("1.1.1.2","1.1.1.3")

' use one of the above NOTIFY constants
intNotify = ZONE_NOTIFY_LIST_ONLY
arrNotify = Array("<IP1>","<IP2>")
' ------ END CONFIGURATION ---------

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
                          strZone & """,DnsServerName=""" & _
                          objDNSServer.Name & """,Name=""" & strZone & """")
' ResetSecondaries(SecondaryServers, SecureSecondaries, NotifyServers, Notify)
strNull = objDNSZone.ResetSecondaries(arrSecondaries,intSecureSecondaries, _
                                      arrNotify,intNotify)
objDNSZone.Put_
WScript.Echo "Updated secondaries for zone transfer and notify"

Discussion

Your DNS implementation may require that you allow some zone transfers to occur, but you want to restrict which hosts can initiate zone transfers with your name servers. Since allowing anyone to initiate a zone transfer with your server could provide them with information for mapping out your network, it is critical that you limit which hosts can pull zone transfers from your servers.

If you are using only Active Directory-integrated zones, the Name Servers tab will be automatically populated with a list of all name servers authoritative for the selected zone, and this is the recommended choice when you have a large network with many name servers deployed. If any of your name servers are using standard zone files, however, you will need to populate this tab manually for any secondary name servers you deploy.

Specifying a list of IP addresses for hosts that can initiate zone transfers may be more secure since it is more specific, but this approach has the trade-off of adding the additional management overhead of keeping track of the name servers' IP addresses on your network, so you should only follow this approach if your network is small and you have relatively few name servers deployed. Another disadvantage of this approach is that if you forget to add some name servers' IP addresses to your list, zone information stored on these servers could become stale, causing name resolution to fail for some of your clients. This could result in some of your users experiencing difficulties in accessing network resources.

Note that on Windows 2000 name servers, the default setting allows zone transfers with any host that requests them. This setting is inherently insecure as it allows attackers to use nslookup to display all resource records on your servers, so be sure to use the steps outlined in this recipe to change the setting on your servers to one of the two settings described here. Windows Server 2003 DNS is more secure by default because in the case of file-based zones, it is configured to allow zone transfers only with servers listed on the Name Servers tab of a zone. In the case of Active Directory-integrated zones, it is configured to disallow zone transfers entirely since they generally aren't needed in an Active Directory environment.
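The open-to-any-host default described above can be checked across every zone on a server. The following PowerShell is an added audit example, not part of the cookbook recipe; it reads the same MicrosoftDNS_Zone WMI class the VBScript uses, and the $DnsServer and -Remediate parameters are assumptions of this example.

```powershell
# Added audit example (not from the cookbook). Assumes WMI access to the DNS
# server named in $DnsServer. Lists each zone's zone-transfer restriction and,
# with -Remediate, applies the "Name Servers tab only" setting to any zone
# that currently allows transfers to any host.
param(
    [string]$DnsServer = "localhost",   # assumed: DNS server to audit
    [switch]$Remediate                  # assumed: fix zones open to any host
)

# SecureSecondaries values, same meaning as the XFR constants in the recipe
$XfrNames = @{ 0 = "ANY HOST (insecure)"; 1 = "Name Servers tab only";
               2 = "IP list only";        3 = "transfers disabled" }

$zones = Get-WmiObject -ComputerName $DnsServer -Namespace "root\MicrosoftDNS" `
                       -Class MicrosoftDNS_Zone

foreach ($zone in $zones) {
    $secure = [int]$zone.SecureSecondaries   # WMI returns uint32; cast for hashtable lookup
    $mode   = $XfrNames[$secure]
    $list   = if ($zone.SecondaryServers) { $zone.SecondaryServers -join "," } else { "-" }
    $flag   = if ($secure -eq 0) { "[!]" } else { "   " }
    $line   = "{0} {1,-30} ADint={2,-5} xfr={3,-22} list={4}"
    $line -f $flag, $zone.Name, $zone.DsIntegrated, $mode, $list

    if ($Remediate -and $secure -eq 0) {
        # ResetSecondaries(SecondaryServers, SecureSecondaries, NotifyServers, Notify):
        # 1 = ZONE_SECSECURE_NS_ONLY and 1 = ZONE_NOTIFY_ALL_SECONDARIES from the
        # recipe's constants, i.e. the restriction the /SecureNs dnscmd example selects.
        $null = $zone.ResetSecondaries([string[]]@(), 1, [string[]]@(), 1)
        "    -> $($zone.Name): zone transfers now limited to servers on the Name Servers tab"
    }
}
```

Lines marked [!] are the zones that would answer a zone transfer request from any host; run the script again after remediation to confirm the column reads "Name Servers tab only".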

See Also

Recipe 13.4



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
