Modify DNS zone transfer settings

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use the following procedure to change Domain Name System (DNS) zone transfer settings. To improve the security of your DNS infrastructure, zone transfers should be allowed only for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.

Administrative credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the RunĀ as command to perform this procedure.

Modifying DNS zone transfer settings

  • Using the Windows interface

  • Using the command line

To modify DNS zone transfer settings using the Windows interface

  1. Open the DNS snap-in.

  2. Right-click a DNS zone, and then click Properties.

  3. On the Zone Transfers tab, do one of the following:

    • To disable zone transfers, clear the Allow zone transfers check box.

    • To allow zone transfers, select the Allow zone transfers check box.

  4. If you allowed zone transfers, do one of the following:

    • To allow zone transfers to any server, click To any server.

    • To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.

    • To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the Internet Protocol (IP) address of one or more DNS servers.

Note

To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.

To modify DNS zone transfer settings using the command line

  • At a command prompt, type the following command, and then press ENTER:

    dnscmdServerName /ZoneResetSecondaries ZoneName {/NoXfr|/NonSecure|/SecureNs|/SecureList[SecondaryIPAddress...]}

    Value Description

    ServerName

    Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

    ZoneName

    Required. Specifies the fully qualified domain name (FQDN) of zone.

    /NoXfr

    Disables zone transfers for the zone.

    /NonSecure

    Permits zone transfers to any DNS server.

    /SecureNs

    Permits zone transfers only to DNS servers that are listed in the zone using NS resource records.

    /SecureList

    Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.

    SecondaryIPAddress

    Required if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.