Problem
You want to enable zone transfers to specific secondary nameservers.
Solution
Using a graphical user interface
- Open the DNS snap-in.
- In the left pane, expand the server node and expand either Forward Lookup Zone or Reverse Lookup Zone depending on the type of zone you want to manage.
- Right-click on the zone and select Properties.
- Select the Zone Transfers tab.
- Select either the option to restrict zone transfers to those servers listed on the Name Servers tab or the option to restrict zone transfers to specific IP addresses. See the “Discussion” section for more on these two options.
Using a command-line interface
The following command enables zone transfers for the test.local zone and specifies they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):
> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureNs
The next command enables zone transfers for the same zone, but specifies they can only occur with hosts whose IP addresses are 172.16.22.33 and 172.16.22.34 (the addresses follow /SecureList on the same command line, separated by spaces):
> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureList 172.16.22.33 172.16.22.34
Using VBScript
' This code creates a nameserver (NS) record on a DNS server.
strDNSServer = "<servername>"
strContainer = "<containername>"
strOwner = "<ownername>"
intRecordClass = 1          ' 1 = IN (Internet) class
intTTL = 600                ' time to live, in seconds
strNSHost = "<nameservername>"
strComputer = "."           ' "." = the local machine
set objWMIService = GetObject _
   ("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")
set objItem = objWMIService.Get("MicrosoftDNS_NSType")
errResult = objItem.CreateInstanceFromPropertyData _
   (strDNSServer, strContainer, strOwner, intRecordClass, intTTL, strNSHost)
' This code configures the allowed secondaries for zone transfer and notify
' XFR constants
const ZONE_SECSECURE_NO_SECURITY = 0
const ZONE_SECSECURE_NS_ONLY = 1
const ZONE_SECSECURE_LIST_ONLY = 2
const ZONE_SECSECURE_NO_XFR = 3
' NOTIFY constants
const ZONE_NOTIFY_OFF = 0
const ZONE_NOTIFY_ALL_SECONDARIES = 1
const ZONE_NOTIFY_LIST_ONLY = 2
' ---- SCRIPT CONFIGURATION ----
strZone = "<ZoneName>"      ' e.g. rallencorp.com
strServer = "<ServerName>"  ' e.g. dc1.rallencorp.com
' use one of the above XFR constants
intSecureSecondaries = ZONE_SECSECURE_LIST_ONLY
arrSecondaries = Array("1.1.1.2","1.1.1.3")
' use one of the above NOTIFY constants
intNotify = ZONE_NOTIFY_LIST_ONLY
arrNotify = Array("<IP1>","<IP2>")
' ---- END CONFIGURATION ----
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name=""."""")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
   strZone & """,DnsServerName=""" & _
   objDNSServer.Name & """,Name=""" & strZone & """")
strNull = objDNSZone.ResetSecondaries(arrSecondaries,intSecureSecondaries, _
   arrNotify,intNotify)
objDNSZone.Put_
WScript.Echo "Updated secondaries for zone transfer and notify"
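The following PowerShell script is an added example and is not part of the original recipe or of the dnscmd/WMI samples above. It does in one pass what a defender usually wants from this recipe: list every primary zone on the server together with its zone-transfer setting, flag zones still set to transfer to any requester (the Windows 2000 default described in the Discussion), and, only when -Remediate is given, apply the same "list only" restriction and notify list that the /SecureList command and the VBScript ZONE_SECSECURE_LIST_ONLY setting produce. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and administrative rights on the DNS server; the server name is a placeholder, and the zone name and addresses are the ones used in the recipe.

```powershell
# Added example, not from the original recipe. Audits zone-transfer settings on a
# Windows DNS server and optionally restricts one zone to an explicit secondary list.
# Assumes the DnsServer module (Windows Server 2012+) and DNS admin rights.
param(
    [string]   $DnsServer   = 'dc1.example.test',                 # placeholder server name
    [string]   $ZoneName    = 'test.local',                       # zone from the recipe
    [string[]] $Secondaries = @('172.16.22.33', '172.16.22.34'),  # addresses from the recipe
    [switch]   $Remediate                                         # omit to audit only
)

# SecureSecondaries values correspond to the options used elsewhere in this recipe:
#   TransferAnyServer        -> ZONE_SECSECURE_NO_SECURITY (0), dnscmd /NonSecure  (Windows 2000 default)
#   TransferToZoneNameServer -> ZONE_SECSECURE_NS_ONLY     (1), dnscmd /SecureNs
#   TransferToSecureServers  -> ZONE_SECSECURE_LIST_ONLY   (2), dnscmd /SecureList
#   NoTransfer               -> ZONE_SECSECURE_NO_XFR      (3), dnscmd /NoXfr
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

Write-Host "Zone transfer settings on $DnsServer"
foreach ($z in $zones) {
    # Anything that still answers AXFR for every requester is the finding to act on.
    $flag = if ($z.SecureSecondaries -eq 'TransferAnyServer') { 'OPEN' } else { 'ok  ' }
    '{0} {1,-30} {2,-26} {3}' -f $flag, $z.ZoneName, $z.SecureSecondaries, ($z.SecondaryServers -join ',')
}

if (-not $Remediate) { return }

# Restrict transfers to the listed addresses and send NOTIFY only to them, the
# equivalent of /SecureList plus /NotifyList in dnscmd. -PassThru returns the
# updated zone so the new setting can be confirmed in the same run.
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondaries `
    -Notify NotifyServers -NotifyServers $Secondaries -PassThru |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers
```

Run it without -Remediate first and review the OPEN lines; for Active Directory-integrated zones on a large network, TransferToZoneNameServer (the /SecureNs option) is usually the better target than a hand-maintained address list, for the reasons given in the Discussion.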
Discussion
Depending on your environment, your DNS implementation may require that you create secondary zones to allow for load balancing for busy DNS servers or remote sites connected by slow links. In this situation, you want to allow zone transfers to occur between your AD-integrated DNS servers and your secondary servers, but you want to restrict which hosts can initiate zone transfers with your AD-integrated nameservers. Allowing anyone to initiate a zone transfer with your domain controllers could provide an attacker with information for mapping out your network; it is therefore critical that you limit which hosts can pull zone transfers from your servers.
If you are using only Active Directory-integrated zones, the Name Servers tab will be automatically populated with a list of all nameservers that are authoritative for the selected zone, and this is the recommended choice when you have a large network with many nameservers deployed. If any of your nameservers are using standard zone files, however, you will need to populate this tab manually for any secondary nameservers you deploy.
Specifying a list of IP addresses for hosts that can initiate zone transfers may be more secure since it is more specific, but this approach has the trade-off of adding the additional management overhead of keeping track of the IP addresses of all nameservers on your network, so you should follow this approach only if your network is small and you have relatively few nameservers deployed. Another disadvantage of this approach is that if you forget to add some IP addresses of nameservers to your list, zone information stored on those servers could become stale, causing name resolution to fail for some of your clients. This could result in some of your users experiencing difficulties in accessing network resources.
Note that on Windows 2000 nameservers, the default setting is to allow zone transfers with any host that requests them. This setting is inherently insecure as it allows attackers to use nslookup to display all resource records on your servers, so be sure to use the steps outlined in this recipe to change the setting on your servers to one of the two settings described here. Windows Server 2003 DNS is more secure by default because in the case of file-based zones, it is configured to allow zone transfers only with servers listed on the Name Servers tab of a zone. In the case of Active Directory-integrated zones, it is configured to disallow zone transfers entirely since they generally aren't needed in an Active Directory environment.