Modify zone transfer settings

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To modify DNS zone transfer settings

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open DNS.

  2. Right-click a DNS zone, and then click Properties.

  3. On the Zone Transfers tab, do one of the following:

    • To disable zone transfers, clear the Allow zone transfers check box.

    • To allow zone transfers, select the Allow zone transfers check box.

  4. If you allowed zone transfers, do one of the following:

    • To allow zone transfers to any server, click To any server.

    • To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.

    • To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

  • To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

Using a command line

  1. Open Command Prompt.

  2. Type:

    dnscmdServerName**/ZoneResetSecondariesZoneName {/NoXfr** | /NonSecure | /SecureNs | /SecureList [SecondaryIPAddress...]}

Value Description

dnscmd

Specifies the name of the command-line tool.

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of zone.

/NoXfr

Disables zone transfers for the zone.

/NonSecure

Permits zone transfers to any DNS server.

/SecureNs

Permits zone transfers only to DNS servers listed in the zone using name server (NS) resource records.

/SecureList

Permits zone transfers only to DNS servers specified by SecondaryIPAddress.

SecondaryIPAddress

Required, if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To view the complete syntax for this command, at a command prompt, type:

    dnscmd /ZoneResetSecondaries /?

  • To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the NS resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

Formatting legend

Format Meaning

Italic

Information that the user must supply

Bold

Elements that the user must type exactly as shown

Ellipsis (...)

Parameter that can be repeated several times in a command line

Between brackets ([])

Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}

Set of choices from which the user must choose only one

Courier font

Code or program output

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Create and manage a notify list for a zone
Security information for DNS
Checklist: Securing your DNS infrastructure
Command-line reference A-Z