Securing DNS Zone Replication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Zone replication can occur either by means of zone transfer or as part of Active Directory replication. If you do not secure zone replication, you run the risk of exposing the names and IP addresses of your computers to attackers. You can secure DNS zone replication by doing the following:

  • Using Active Directory replication.

  • Encrypting zone replication sent over public networks such as the Internet.

  • Restricting zone transfer to authorized servers.

Using Active Directory Replication

Replicating zones as part of Active Directory replication provides the following security benefits:

  • Active Directory replication traffic is encrypted; therefore zone replication traffic is encrypted automatically.

  • The Active Directory domain controllers that perform replication are mutually authenticated, and impersonation is not possible.

  • Use Active Directory–integrated zones whenever possible, because they are replicated as part of Active Directory replication, which is more secure than file-based zone transfer.

Encrypting Replication Traffic Sent Over Public Networks

Encrypt all replication traffic sent over public networks by using IPSec or VPN tunnels. When encrypting replication traffic sent over public networks:

  • Use the strongest level of encryption or VPN tunnel authentication that your servers can support.

  • Use the Windows Server 2003 Routing and Remote Access service to create the IPSec or VPN tunnel.

Restricting Zone Transfer to Authorized Servers

If you have secondary servers and you replicate your zone data by using zone transfer, configure your DNS servers to specify the secondary servers that are authorized to receive zone transfers. This prevents an attacker from using zone transfer to download zone data. If you are using Active Directory–integrated zones instead, configure your servers to disallow zone transfer.
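The two recommendations above (prefer Active Directory–integrated zones, and restrict zone transfer to an explicit list of secondaries or disable it) can both be applied from the command line with the dnscmd tool that ships with Windows Server 2003. The script below is an added example, not part of the original article or a Microsoft-supplied script; the server name "dns1", the zone "corp.example.com" and the secondary addresses 10.0.0.5 and 10.0.0.6 are placeholders you must replace with your own values.

```powershell
# Added example (not from the original article): lock down DNS zone replication with dnscmd.
# Assumed placeholders (not from the page): server "dns1", zone "corp.example.com",
# authorized secondaries 10.0.0.5 and 10.0.0.6. Run as a member of DnsAdmins.
$server      = "dns1"
$zone        = "corp.example.com"
$secondaries = @("10.0.0.5", "10.0.0.6")   # the only hosts allowed to pull the zone

# Small wrapper so a failed dnscmd call stops the script instead of being ignored.
function Invoke-DnsCmd {
    param([string[]]$Arguments)
    $out = & dnscmd $server @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed:`n$out"
    }
    return $out
}

# Preferred option: store the zone in Active Directory so it replicates with AD
# (encrypted and mutually authenticated) instead of by file-based zone transfer.
# Valid only on a domain controller that runs the DNS Server service.
function ConvertTo-ADIntegratedZone {
    Invoke-DnsCmd @("/ZoneResetType", $zone, "/DsPrimary") | Out-Null
    # An AD-integrated zone still answers transfer requests unless transfers are
    # switched off, so disallow them as the article recommends.
    Invoke-DnsCmd @("/ZoneResetSecondaries", $zone, "/NoXfr") | Out-Null
}

# Fallback for a file-backed primary that must still feed secondaries:
# allow transfers only to the listed IP addresses (reject everyone else).
function Set-ZoneTransferAllowList {
    Invoke-DnsCmd (@("/ZoneResetSecondaries", $zone, "/SecureList") + $secondaries) | Out-Null
}

# Use one of the two, depending on the zone type in your environment.
Set-ZoneTransferAllowList

# Always review the resulting zone settings; a typo in the secondary list is the
# usual way a zone ends up either unreachable for its secondaries or open to anyone.
Invoke-DnsCmd @("/ZoneInfo", $zone)
```

The `/SecureList` option is the strictest of the dnscmd transfer settings; `/SecureNs` (transfers only to the servers named in the zone's NS records) is a reasonable alternative when you control those NS records, while `/NonSecure` leaves the zone open to any requester and is the setting the article warns against. Re-run the `/ZoneInfo` check after any change to the secondary list.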