Setting Zone Transfer Restrictions

Brad Baker

A security scan of one of our Windows DNS servers revealed the following
potential problem:

The remote name server allows DNS zone transfers to be performed. This
information is of great use to an attacker who may use it to gain
information about the topology of your network and spot new targets.
Solution: Restrict DNS zone transfers to only the servers that absolutely
need it. Risk Factor: Medium CVE: CAN-1999-0532

I've found information online on how to restrict zone transfers on a zone by
zone basis. My problem is that I have a DNS server with approximately 300+
zones. I don't want to go into each zone manually and set up zone transfer
restrictions - that would take hours.

I also found that there is a command line utility (dnscmd) which can be
used, and while that would be slightly more practical than using the GUI, it's
still pretty tedious to use to reset zone transfer information on 300+
zones.

There has to be a way to set zone transfer settings on a server wide basis?
What am I missing?

Thanks,
Brad
 
Kevin D. Goodknecht Sr. [MVP]

Brad said:
> A security scan of one of our Windows DNS servers revealed the
> following potential problem:
>
> The remote name server allows DNS zone transfers to be performed. This
> information is of great use to an attacker who may use it to gain
> information about the topology of your network and spot new targets.
> Solution: Restrict DNS zone transfers to only the servers that
> absolutely need it. Risk Factor: Medium CVE: CAN-1999-0532
>
> I've found information online on how to restrict zone transfers on a
> zone by zone basis. My problem is that I have a DNS server with
> approximately 300+ zones. I don't want to go into each zone manually
> and set up zone transfer restrictions - that would take hours.
>
> I also found that there is a command line utility (dnscmd) which can
> be used, and while that would be slightly more practical than using
> the GUI, it's still pretty tedious to use to reset zone transfer
> information on 300+ zones.
>
> There has to be a way to set zone transfer settings on a server wide
> basis? What am I missing?

dnscmd <server> /ZoneResetSecondaries ..AllZones /SecureList <SecondaryIPAddress>

If you have any stub zones you will get:
Command failed: DNS_ERROR_INVALID_ZONE_TYPE 9611 (0000258b)

You can ignore this; it still sets the IPs of the secondaries that are allowed
to receive zone transfers on the primary zones.
 
Brad Baker

Actually I was too quick. It looks like the command below does fix the
problem for all existing zones, but when I create new zones the zone
transfer information is not populated at all. If I'm using Active Directory
integrated DNS, is that an issue?

Thanks Again,
Brad
 
Kevin D. Goodknecht Sr. [MVP]

Brad said:
> Actually I was too quick. It looks like the command below does fix the
> problem for all existing zones, but when I create new zones the zone
> transfer information is not populated at all. If I'm using Active
> Directory integrated DNS, is that an issue?

You'll have to set the zone transfer information when you create a new zone;
AFAIK there is no way to make zone transfer settings default, other than the
default of disabled. I will check on that just in case I missed it somewhere.

If you are using Active Directory integrated zones with no secondaries, zone
transfers are not needed, zones replicate through Active Directory
replication.
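One way to deal with both points in this thread, the dnscmd ..AllZones run that trips over stub zones and the fact that newly created zones come up without any transfer restriction, is a script that is re-run on a schedule: it enumerates only the primary zones, reports which ones still allow transfers to any server (or to whatever the NS records happen to say), and optionally restricts them to an explicit secondary list. The following is an added example written for this thread, not code posted by either participant or shipped by Microsoft. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, so not the dnscmd-era hosts discussed above), DNS admin rights on the target, and uses constructed TEST-NET-1 addresses as placeholder secondaries.

```powershell
# Added example (not code from the thread). Audit every primary zone on a
# Windows DNS server for open zone transfers and, with -Fix, restrict each one
# to an explicit list of secondaries. Assumes the DnsServer module and DNS
# admin rights; $SecondaryServers holds constructed placeholder addresses.
param(
    [string]   $ComputerName     = 'localhost',
    [string[]] $SecondaryServers = @('192.0.2.10', '192.0.2.11'),
    [switch]   $Fix
)

Import-Module DnsServer -ErrorAction Stop

# Only primary zones carry transfer settings. Filtering here avoids the
# DNS_ERROR_INVALID_ZONE_TYPE failures that dnscmd ..AllZones produces on stub
# zones, and skips the auto-created reverse zones and the TrustAnchors zone.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object {
        $_.ZoneType -eq 'Primary' -and
        -not $_.IsAutoCreated -and
        $_.ZoneName -ne 'TrustAnchors'
    }

# Classify each zone. TransferAnyServer is what the scanner flagged;
# TransferToZoneNameServer is only as trustworthy as the zone's NS records.
$findings = foreach ($z in $zones) {
    $mode = [string]$z.SecureSecondaries
    [pscustomobject]@{
        ZoneName         = $z.ZoneName
        IsDsIntegrated   = $z.IsDsIntegrated
        TransferMode     = $mode
        SecondaryServers = ($z.SecondaryServers -join ',')
        NeedsFix         = ($mode -in @('TransferAnyServer', 'TransferToZoneNameServer'))
    }
}

# Audit output: zones that still need attention sort to the top.
$findings | Sort-Object NeedsFix -Descending | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in ($findings | Where-Object { $_.NeedsFix })) {
        if ($SecondaryServers.Count -eq 0) {
            # No secondaries at all (e.g. purely AD-integrated replication):
            # turn transfers off rather than leaving an empty allow-list.
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $f.ZoneName `
                -SecureSecondaries NoTransfer
        } else {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $f.ZoneName `
                -SecureSecondaries TransferToSecureServers `
                -SecondaryServers $SecondaryServers
        }
        Write-Host "Restricted zone transfers on $($f.ZoneName)"
    }
}
```

Run it without -Fix first to see the audit table; once the existing zones are clean, scheduling the same script catches any zone created later without transfer settings, which is the gap Brad ran into. On a server whose zones are all AD-integrated and have no secondaries, pass an empty -SecondaryServers list and the script sets NoTransfer, which matches the point above that such zones replicate through Active Directory and do not need transfers at all.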
 
