Recommendation - Configure all DNS zones only to allow zone transfers to the specified IP addresses

Why Consider this

If the zone transfer setting is configured to allow zone transfers to any server, you may send your Domain Name System (DNS) zone data to a rogue DNS server. This exposed DNS zone data could make your network more vulnerable to attack, because attackers will use this DNS zone data to help them map out your network in terms of the domain names, computer names, and IP addresses of your sensitive network resources.

Watch a Customer Engineer explaining the issue

Context & Best Practices

The process of replicating a zone file to multiple DNS servers is called zone transfer. Zone transfer is achieved by copying the zone file from one DNS server to a second DNS server. A main DNS server is the source of the zone information during a transfer. The main DNS server can be a primary or secondary DNS server. If the main DNS server is a primary DNS server, then the zone transfer comes directly from the DNS server hosting the primary zone. If the main server is a secondary DNS server, then the zone file received from the main DNS server by means of a zone transfer is a copy of the read-only secondary zone file.

Domain Name System (DNS) was originally designed as an open protocol and is therefore vulnerable to attackers. By default, the DNS Server service only allows zone information to be transferred to servers listed in the name server (NS) resource records of a zone. This is a secure configuration, but for increased security, this setting should be changed to the option to allow zone transfers to specified IP addresses. If this setting is changed to allow zone transfers to any server, it may expose your DNS data to an attacker attempting to footprint your network.

Footprinting is the process by which the DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources. An attacker commonly begins an attack by using this DNS data to diagram, or footprint, a network. DNS domain and computer names usually indicate the function or location of a domain or computer in order to help users remember and identify domains and computers more easily. An attacker takes advantage of the same DNS principle to learn the function or location of domains and computers in the network.

Review the following guidelines for zone transfer configuration from a security stand point:

• Low level Security: All DNS Zones permit zone transfers to any server.
• Medium Level Security: All DNS Zones limit zone transfers to servers listed in the name server (NS) resource records in their zones.
• High Level Security: All DNS Zones limit zone transfers to specified IP addresses.

Suggested Actions

To configure a DNS zone for secure zone transfer, change the zone transfer setting to the option to allow zone transfers to specific IP addresses by performing the following actions:

1. In the DNS Manager, right-click the name of the DNS zone and click Properties.
2. On the Zone Transfers tab, click Allow zone transfer.
3. Select Only to the following servers.
4. Click Edit, then in the IP addresses of the secondary servers list, enter the IP addresses of the servers you wish to specify.
5. When you have entered all the required IP addresses, click OK.

You can also use the �dnscmd� command line tool to achieve the same result.

1. Open an elevated command prompt.
2. At the command prompt, type the following command and press Enter:

dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> /SecureList [<SecondaryIPAddress...>]

For example:

dnscmd dnssvr1.contoso.com /zoneresetsecondaries test.contoso.com /securelist 11.0.0.2

Learn More

For more information on understanding how zone transfers work, see Understanding zones and zone transfer, at https://technet.microsoft.com/library/cc781340(WS.10).aspx.

For more information on how to configure zone transfers, see Modify Zone Transfer Settings, at https://technet.microsoft.com/library/cc771652.aspx.