Restrict zone transfers

Applies To: Windows Server 2008

You can use the following procedure to control whether a Domain Name System (DNS) zone will be transferred to other servers and which servers can receive the zone transfer. You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Restricting zone transfers

  • Using the Windows interface

  • Using a command line

To restrict zone transfers using the Windows interface

  1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  2. Right-click a DNS zone, and then click Properties.

  3. On the Zone Transfers tab, do one of the following:

    • To disable zone transfers, clear the Allow zone transfers check box.

    • To allow zone transfers, select the Allow zone transfers check box.

  4. If you allowed zone transfers, do one of the following:

    • To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.

    • To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Additional considerations

  • To improve the security of your DNS infrastructure, allow zone transfers only to the DNS servers listed in the zone's name server (NS) resource records or to an explicit list of DNS servers. If you allow any DNS server to perform a zone transfer, every host that can reach your DNS server can pull the complete zone, which exposes internal host names and IP addresses.

To restrict zone transfers using a command line

  1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /SecureNs | /SecureList [<SecondaryIPAddress...>]}
    
Parameter              Description

dnscmd                 The command-line tool for managing DNS servers.
<ServerName>           Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneResetSecondaries  Specifies a list of IP addresses to which a master server responds when asked for a zone transfer.
<ZoneName>             Required. Specifies the fully qualified domain name (FQDN) of the zone.
/NoXfr                 Disables zone transfers for the zone.
/SecureNs              Permits zone transfers only to DNS servers that are listed in the zone in name server (NS) resource records.
/SecureList            Permits zone transfers only to the DNS servers that are specified by <SecondaryIPAddress>.
<SecondaryIPAddress>   Required if /SecureList is specified. A list of one or more IP addresses of DNS servers that are permitted to obtain zone transfers.

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd /ZoneResetSecondaries /? 
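As an added example (not from this page and not Microsoft's code), the following Python audit helper reads the output of dnscmd <ServerName> /ZoneInfo <ZoneName>, reports the zone's current transfer policy, and builds the /ZoneResetSecondaries command that closes a zone that is open to any server. It assumes the "secure secs" field carries the MS-DNSP fSecureSecondaries value (0 = any server, 1 = NS only, 2 = list only, 3 = disabled); the sample listing is constructed, and the layout of the secondary-address lines is an assumption.

```python
import ipaddress
import re

# fSecureSecondaries values (MS-DNSP) and the dnscmd switch that produces each one.
POLICY = {0: "any server (open)", 1: "/SecureNs", 2: "/SecureList", 3: "/NoXfr"}

# Constructed sample of `dnscmd . /ZoneInfo corp.example.com` output (field layout assumed).
SAMPLE_ZONEINFO = """Zone query result:
        zone name                = corp.example.com
        Zone Masters             NULL IP Array.
        Zone Secondaries         Addr Count = 1
                Ptr[0] => 10.0.0.5
        secure secs              = 0
Command completed successfully.
"""

def parse_zone_info(text):
    """Return (zone name, secure secs value, listed secondary IPs) from /ZoneInfo output."""
    name = re.search(r"zone name\s*=\s*(\S+)", text)
    secs = re.search(r"secure secs\s*=\s*(\d+)", text)
    if not name or not secs:
        raise ValueError("not a dnscmd /ZoneInfo listing")
    ips = []
    if "Zone Secondaries" in text:  # addresses, if any, are assumed to appear as 'Ptr[n] => a.b.c.d'
        block = text.split("Zone Secondaries", 1)[1].split("secure secs", 1)[0]
        ips = re.findall(r"=>\s*(\S+)", block)
    return name.group(1), int(secs.group(1)), ips

def restrict_command(server, zone, mode, secondaries=()):
    """Build the /ZoneResetSecondaries command line, enforcing the parameter rules above."""
    if mode not in ("/NoXfr", "/SecureNs", "/SecureList"):
        raise ValueError("mode must be /NoXfr, /SecureNs or /SecureList")
    if mode == "/SecureList" and not secondaries:
        raise ValueError("/SecureList requires at least one secondary IP address")
    if mode != "/SecureList" and secondaries:
        raise ValueError("secondary addresses only apply with /SecureList")
    args = ["dnscmd", server, "/ZoneResetSecondaries", zone, mode]
    args += [str(ipaddress.ip_address(ip)) for ip in secondaries]  # rejects malformed addresses
    return " ".join(args)

def audit(text, server="."):
    """Report the zone's transfer policy; for an open zone, propose the tightest fix."""
    zone, secs, ips = parse_zone_info(text)
    report = {"zone": zone, "policy": POLICY.get(secs, "unknown"), "secondaries": ips,
              "exposed": secs == 0}
    if report["exposed"]:
        # Lock transfers to the known secondaries when there are any, otherwise to the NS set.
        report["fix"] = (restrict_command(server, zone, "/SecureList", ips) if ips
                         else restrict_command(server, zone, "/SecureNs"))
    return report
```

Run audit() over the saved output of /ZoneInfo for each zone; a report with "exposed": True names the zone and the exact dnscmd command that closes it.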

Additional references