4,659 questions
Windows Server DNS zone transfer issue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 52%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
mricco44
1
Reputation point
We have a Windows 2019 Server that acts as a DC and DNS server.
On this DNS server we do not allow zone transfers on any of our Forward or Reverse Lookup Zones. We rely on general AD replication to other DC/DNS servers in our environment to keep DNS in sync.
In a recent internal pen test, testers used dig from a linux machine to request a zone transfer from this DNS server.
When they ran the dig axfr command against the servers IP address and called out a specific zone (ex. dig axfr @IPaddress example.com) , they received a "Transfer Failed" message, as expected.
When they ran the same dig axfr command against just the IP address of the server (ex. dig axfr @IPaddress) , it returned the full list of root hint NS and A records (a-l.root-servers.net).
This was marked as a finding in the pen test as they stated that "The affected system hosts a DNS server that allows zone transfer requests from IP addresses that do not correspond to other DNS servers. A generic zone transfer request sent to the affected hosts outputs a domain listing for root-servers.net systems".
The only zones that I see the ability to allow/deny zone transfers are the Forward and Reverse Lookup zones.
Any assistance would be greatly appreciated in disabling the ability to do a zone transfer for the root-server.net zone/entries.
Thanks!
Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing
Sign in to answer