Zone transfers


Matjaz Ladava [MVP]

A zone transfer is the process of transferring a DNS zone from one DNS server
to another. If you have multiple DNS servers and you have configured them as
primary/secondary, then, when your domain information in a zone on the primary
DNS server changes, it is transferred to your secondary DNS server. This is
called a zone transfer. I don't know why your security department wants to
shut them off, as you provided no info on your network design and security
requirements.
If you are using DNS servers on W2k domain controllers, then you can make
your zones AD-integrated. This way zone transfer would be part of Active
Directory replication, which is more secure than a normal zone transfer.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 

Jonathan de Boyne Pollard

HcIbd> What are DNS zone transfers???

"zone transfer" is one of several replication mechanisms that
can be used to replicate DNS database content across a set of
peer content DNS servers. It is the one such replication
mechanism that is common to all DNS server softwares. However,
it is also the most severely limiting of those mechanisms
because its fixed schema doesn't match the actual database
schemata of most DNS server softwares.

<URL:http://www.microsoft.com/technet/pr...rver/sag_DNS_und_ZoneTransfers.asp?frame=true>

HcIbd> and why does my security Dept. think I need
HcIbd> to shut them off????

How can we know? You need to be asking your "security
department" this question, not us. When it told you that it
wanted you to shut off "zone transfer" service, why didn't
you ask it "Why?" then and there?

Ask your "security department" why. Its answer to this
question will be telling, and will reveal a lot about it.

If its answer is that it doesn't want people on the rest of
Internet to be able to obtain your DNS data by performing
"zone transfers", then your "security department" doesn't
understand the nature of publication. The data that your
DNS server serves up are _intended_ to be public. Preventing
"zone transfer" in order somehow to make those data "less
public" is just daft (especially in light of the existence of
"'NXT' walking"). If there's something that you don't want
published, it _should not be served up by your DNS server
at all_. It simply should not be in your ("external" view)
DNS database in the first place. Preventing "zone transfer"
does nothing to ameliorate the case where your DNS database
contains data that shouldn't be published.

If your "security department"'s answer, however, is that it
wants to prevent denials of service (since "zone transfer"
uses DNS/TCP and is subject to the same denials of service
that every other TCP/IP service is subject to), then it is on
firmer ground. That is a valid concern. However, what it
should be concentrating upon is preventing the use of DNS/TCP
entirely, and not fixating upon "zone transfer" (which is but
one of the uses of DNS/TCP), since it is DNS/TCP service that
is the actual avenue of attack, not "zone transfer" /per se/.
 

Matjaz Ladava [MVP]

Can you describe your DNS infrastructure in a little more detail and how it
is set up?

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 

Herb Martin

Zone transfers allowed means that other DNS servers (and hackers)
can transfer your zones on request.

This is true for even AD Integrated DNS -- if you have no secondaries
and don't wish to transfer manually (nslookup etc.) then disable.

ALWAYS try to disable this on a PUBLIC DNS server -- or at least
list "specific IP addresses" which may transfer.

Disabling zone transfers has NO EFFECT on AD replication of DNS
integrated servers.
 

How can I be down

I have two DNS servers that all workstations, standalone servers and DCs
point back to. Of course one is primary and the other secondary. They are set up
with a total of 11 AD zones. They are my only DNS servers. The current zones
are internal websites.
 

Kevin D. Goodknecht

In How can I be down said:
I have two DNS servers that all workstations, standalone servers and
DCs point back to. Of course one is primary and the other secondary.
They are set up with a total of 11 AD zones. They are my only DNS
servers. The current zones are internal websites.

If your zones on both DCs are AD-integrated, zone data is replicated through
Active Directory to all DCs in the same domain. So if both of your DCs are
in the same domain, zone transfers can be and should be turned off.
 

Matjaz Ladava [MVP]

If they are primary and secondary, then they are not AD-integrated. If your
DNS servers are running on your DCs, then make them AD-integrated and you
should be OK.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 

Herb Martin

If they are primary and secondary, then they are not AD integrated. IF your
DNS servers are running on your DC's then make them AD integrated and you
should be ok.

I agree with YOU but if you look at Win2003 Server, Microsoft is changing
the terminology back to say "Primary with data stored in Active Directory."

This is irritating after we pretty much talked everyone into the Win2000
terminology and people were beginning to understand the distinction this
way.
 

Michael Johnston [MSFT]

If the zones are stored in the Active Directory and there are no non-AD servers
hosting these zones, then zone transfers can be turned off. If there are any
non-AD servers that will be hosting these zones as secondaries, then zone
transfers must be turned on. This can be set up such that zone transfers are
only allowed to specific machines. This may be enough to get the security guys
off your back.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
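Herb Martin's advice (disable transfers on a public server, or at least list the specific addresses that may transfer) and Michael Johnston's (AD-integrated zones with no non-AD secondaries need no transfers at all; otherwise restrict to named machines) can both be applied with a short script on a current Windows DNS server. The example below is added here and is not code from anyone in the thread; it assumes Windows Server 2012 or later with the DnsServer PowerShell module (newer than the W2k/W2003 servers the thread discusses), and the secondary addresses in `$AllowedSecondaries` are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the DnsServer module
# (Windows Server 2012+). Addresses below are constructed placeholders;
# replace them with the hosts that legitimately pull zone data (non-AD
# secondaries). Leave the list empty if nothing outside AD needs a copy.
Import-Module DnsServer

$AllowedSecondaries = @('10.0.0.5', '10.0.0.6')   # constructed sample values

# Only authoritative primaries matter; skip the auto-created reverse zones.
$primaries = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

# 1. Audit: show each zone's current transfer policy before changing anything.
#    SecureSecondaries values: NoTransfer, TransferAnyServer,
#    TransferToZoneNameServer, TransferToSecureServers.
$primaries |
    Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize

# 2. Remediate. AD-integrated zones replicate through Active Directory
#    regardless of this setting, so disabling transfers does not break them.
foreach ($zone in $primaries) {
    if ($AllowedSecondaries.Count -eq 0) {
        # Nobody outside AD needs the data: refuse all AXFR/IXFR requests.
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -SecureSecondaries NoTransfer
    } else {
        # Transfers (and change notifications) only to the explicit list.
        Set-DnsServerPrimaryZone -Name $zone.ZoneName `
            -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $AllowedSecondaries `
            -Notify NotifyServers -NotifyServers $AllowedSecondaries
    }
}

# 3. Re-run the audit to confirm the new policy took effect.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize
```

On the older servers the thread is about, the same per-zone switch is exposed by `dnscmd /ZoneResetSecondaries <zone> /NoXfr` (or `/SecureList <addresses>` for an explicit list), and in the DNS console under the zone's Zone Transfers tab. Either way the audit step is the one worth keeping: run it periodically so a zone that someone later sets back to "allow to any server" shows up.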