
Restricting Zone Transfers

Another way to keep a primary or secondary DNS server secure is to restrict zone transfers to authorized sources only. By default, the “Allows zone transfer” checkbox is enabled for each zone created, which means that anyone who can issue queries against the server can also request a copy of the entire zone file. This is an especially bad security risk when the server is world-accessible. You should configure named to allow zone transfers only to authorized secondary DNS servers. Locking down zone transfers also prevents unexpected hosts from tying up the server with repeated full-zone transfers, a simple denial of service (DoS) vector.

There are two ways to tackle unauthorized transfers: via the named configuration or by using the firewall. The method you choose depends on your needs and policies. Going the configuration file route will unfortunately require moving the zone into the /etc/named.conf file (as shown in “Configuring DNS Services”), and losing the ability to manage this zone via Server Admin. Once the zone is configured in /etc/named.conf, add the following line to the zone definition:

allow-transfer { SECONDARY_IP_1; SECONDARY_IP_2; };

The allow-transfer statement creates a whitelist of IP addresses that are allowed to transfer the entire zone to themselves. Replace the placeholder entries with the addresses of all the secondary DNS servers that need to transfer the zone; each address is followed by a semicolon, and the list is closed with a final semicolon after the brace.

You can also restrict transfers using a firewall (host-based, like the one built in to Mac OS X Server) or using router ACLs. For example, you can allow inbound access to TCP port 53 on the DNS server only from the secondary servers that need to transfer a zone, and deny all other sources on that port. Since standard client queries use User Datagram Protocol (UDP) and zone transfers use TCP, zone transfers can be limited in this way while ordinary queries continue to work. One caveat: a client whose UDP answer is truncated retries the same query over TCP, so a blanket TCP port 53 block can break those lookups; the named allow-transfer statement does not have this side effect.

Providing Authoritative-Only Services

Another option for a DNS server is to provide authoritative-only services; this configuration is also known as a nonrecursive server. For various reasons, it may be desirable to have a name server that answers queries about its own primary or secondary zones and no others. Such a configuration denies recursion to the listed networks, so the server cannot be used as an open resolver. This setup is easy when using Mac OS X Server: simply set up zones as usual, and then remove all recursion entries from the DNS Settings pane in Server Admin, including localnets.
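As an added example (not code from the original post), the following shell script audits a BIND-style named.conf for the two hardening points covered above: zones that carry no allow-transfer statement, and an options block that does not disable recursion. The sample configuration embedded in the script is constructed for the demonstration; the zone names and addresses in it are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example: audit a named.conf for missing allow-transfer
# restrictions and for recursion left enabled. Not from the original post.

# Constructed sample named.conf: one restricted zone, one open zone,
# and an options block that still allows recursion.
SAMPLE_CONF='
options {
    directory "/var/named";
    recursion yes;
};

zone "example.test" {
    type master;
    file "example.test.zone";
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};

zone "open.test" {
    type master;
    file "open.test.zone";
};
'

# Read a config on stdin and print the name of every zone block that
# contains no allow-transfer statement (one name per line).
zones_without_allow_transfer() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]*"/)
            name = substr($0, RSTART + 1, RLENGTH - 2)
            in_zone = 1; restricted = 0
            next
        }
        in_zone && /allow-transfer/ { restricted = 1 }
        in_zone && /^[[:space:]]*};/ {
            if (!restricted) print name
            in_zone = 0
        }
    '
}

# Read a config on stdin; exit 0 if the options block contains
# "recursion no;", otherwise exit 1.
recursion_disabled() {
    awk '
        /^[[:space:]]*options[[:space:]]*{/ { in_opts = 1; next }
        in_opts && /recursion[[:space:]]+no[[:space:]]*;/ { found = 1 }
        in_opts && /^[[:space:]]*};/ { in_opts = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Demo run over the constructed sample.
echo "$SAMPLE_CONF" | zones_without_allow_transfer      # prints: open.test
if echo "$SAMPLE_CONF" | recursion_disabled; then
    echo "recursion disabled"
else
    echo "recursion still enabled"
fi
```

To audit a real server, replace the embedded sample with `cat /etc/named.conf | zones_without_allow_transfer`; any zone it prints is transferable by anyone who can reach the server, and a non-zero exit from recursion_disabled means the server is still acting as an open resolver for whatever allow-recursion permits.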
