This mantra -- Security through obscurity -- has been chanted in IT security circles for ages. Basically, it means that one of the first steps in achieving a secure network is to provide as little information as possible to people outside the network. The less information you provide to outsiders, the less they have to work with when attempting to gain unauthorised access to the network. One way to protect this information is by restricting DNS zone transfers. I'll start with a look at the security implications of DNS zone transfers. Then, I'll show you how to block them on some common platforms and allow them only to the hosts you specify. Be careful where you tread
In and of themselves, zone transfers are not bad things. In fact, many organisations make use of zone transfers to keep DNS servers up to date. Without the mechanism in place, keeping redundant DNS servers running would be much more difficult. However, hackers can use zone transfers to gain valuable information. How valuable? They can get a list of all your DNS records, which can expose lots of juicy details about your servers. Windows 2000
Because of Win2K's inherent requirement for DNS services to be loaded to use it as a domain controller, many organisations are using it for all of their DNS needs. For this example, I have set up a Windows 2000 DNS server named lab2k, which is both a domain controller and the DNS server for the lab2kd.com domain. By default, Windows 2000 DNS zones will happily transfer any zone information they have to any server that asks for it, as shown in Figure A.

Figure A

This zone can be transferred anywhere upon request.

Locking it down
To open the properties for a particular zone, start the DNS administration utility from Start | Programs | Administrative Tools | DNS, and expand the option for your local server as well as the local lookup zones. Right-click on the zone whose zone transfers you want to restrict, choose Properties, and click on the Zone Transfers tab. Several options are available to secure your zone information (as shown in Figure A). First, you can simply disallow all zone transfers. Although this may work well for an Active Directory integrated domain where the information is stored in the directory and therefore accessible to other domain DNS servers, it won't work in situations where a zone transfer is the only way to keep those other servers current. If you need to allow zone transfers, you can limit them to other DNS servers in your domain by selecting Only To Servers Listed On The Name Servers Tab. Finally, for more granular control, you can specify the IP addresses by selecting Only To The Following Servers and then listing the IP addresses of those servers. Making these changes will prevent unauthorised access to your Windows 2000 zone information and will make it more difficult for potential intruders to gain access to your network.