Configuring Zone Transfers

Posted: March 27, 2010 in Active Directory, Server, System Information
Tags:


Problem

You want to enable zone transfers to specific secondary nameservers.

Solution

Using a graphical user interface

  1. Open the DNS snap-in.
  2. In the left pane, expand the server node and expand either Forward Lookup Zone or Reverse Lookup Zone depending on the type of zone you want to manage.
  3. Right-click on the zone and select Properties.
  4. Select the Zone Transfers tab.
  5. Select either the option to restrict zone transfers to those servers listed on the Name Servers tab or the option to restrict zone transfers to specific IP addresses. See the “Discussion” section for more on these two options.

Using a command-line interface

The following command enables zone transfers for the test.local zone and specifies they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureNs

The next command enables zone transfers for same zone, but specifies they can only occur with hosts whose IP addresses are 172.16.22.33 and 172.16.22.34:

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureList 172.16.22.33

172.16.22.34

Using VBScript

‘ This code creates a nameserver (NS) record on a DNS server.

strDNSServer = “<servername>

strContainer = “<containername>

strOwner = “<ownername>

intRecordClass = 1

intTTL = 600

strNSHost = “<nameservername>

strComputer = “.”

set objWMIService = GetObject _

(“winmgmts:\\” & strComputer & “\root\MicrosoftDNS”)

set objItem = objWMIService.Get(“MicrosoftDNS_NSType”)

errResult = objItem.CreateInstanceFromPropertyData _

(strDNSServer, strContainer, strOwner, intRecordClass, intTTL, strNSHost)

‘ This code configures the allowed secondaries for zone transfer and notify

‘ XFR constants

const ZONE_SECSECURE_NO_SECURITY = 0

const ZONE_SECSECURE_NS_ONLY = 1

const ZONE_SECSECURE_LIST_ONLY = 2

const ZONE_SECSECURE_NO_XFR = 3

‘ NOTIFY constants

const ZONE_NOTIFY_OFF = 0

const ZONE_NOTIFY_ALL_SECONDARIES = 1

const ZONE_NOTIFY_LIST_ONLY = 2

‘ —— SCRIPT CONFIGURATION ——-

strZone = “<ZoneName>” ‘ e.g. rallencorp.com

strServer = “<ServerName>” ‘ e.g. dc1.rallencorp.com

‘ use one of the above XFR constants

intSecureSecondaries = ZONE_SECSECURE_LIST_ONLY

arrSecondaries = Array(“1.1.1.2″,”1.1.1.3”)

‘ use one of the above NOTIFY constants

intNotify = ZONE_NOTIFY_LIST_ONLY

arrNotify = Array(“<IP1>“,”<IP2>“)

‘ —— END CONFIGURATION ———

set objDNS = GetObject(“winMgmts:\\” & strServer & “\root\MicrosoftDNS”)

set objDNSServer = objDNS.Get(“MicrosoftDNS_Server.Name=””.”””)

set objDNSZone = objDNS.Get(“MicrosoftDNS_Zone.ContainerName=””” & _

strZone & “””,DnsServerName=””” & _

objDNSServer.Name & “””,Name=””” & strZone & “”””)

strNull = objDNSZone.ResetSecondaries(arrSecondaries,intSecureSecondaries, _

arrNotify,intNotify)

objDNSZone.Put_

WScript.Echo “Updated secondaries for zone transfer and notify”

Discussion

Depending on your environment, your DNS implementation may require that you create secondary zones to allow for load balancing for busy DNS servers or remote sites connected by slow links. In this situation, you want to allow zone transfers to occur between your AD-integrated DNS servers and your secondary servers, but you want to restrict which hosts can initiate zone transfers with your AD-integrated nameservers. Allowing anyone to initiate a zone transfer with your domain controllers could provide an attacker with information for mapping out your network; it is therefore critical that you limit which hosts can pull zone transfers from your servers.

If you are using only Active Directoryintegrated zones, the Name Servers tab will be automatically populated with a list of all nameservers that are authoritative for the selected zone, and this is the recommended choice when you have a large network with many nameservers deployed. If any of your nameservers are using standard zone files, however, you will need to populate this tab manually for any secondary nameservers you deploy.

Specifying a list of IP addresses for hosts that can initiate zone transfers may be more secure since it is more specific, but this approach has the trade-off of adding the additional management overhead of keeping track of the IP addresses of all nameservers on your network, so you should follow this approach only if your network is small and you have relatively few nameservers deployed. Another disadvantage of this approach is that if you forget to add some IP addresses of nameservers to your list, zone information stored on those servers could become stale, causing name resolution to fail for some of your clients. This could result in some of your users experiencing difficulties in accessing network resources.

Note that on Windows 2000 nameservers, the default setting is to allow zone transfers with any host that requests them. This setting is inherently insecure as it allows attackers to use nslookup to display all resource records on your servers, so be sure to use the steps outlined in this recipe to change the setting on your servers to one of the two settings described here. Windows Server 2003 DNS is more secure by default because in the case of file-based zones, it is configured to allow zone transfers only with servers listed on the Name Servers tab of a zone. In the case of Active Directoryintegrated zones, it is configured to disallow zone transfers entirely since they generally aren’t needed in an Active Directory environment.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s