You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer.
Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Modifying zone transfer settings

To modify zone transfer settings using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
   - To disable zone transfers, clear the Allow zone transfers check box.
   - To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
   - To allow zone transfers to any server, click To any server.
   - To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
   - To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
Additional considerations

- To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
- To improve the security of your DNS infrastructure, allow zone transfers only to either the DNS servers in the name server (NS) resource records for a zone or to specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.
To modify zone transfer settings using a command line

1. Open a command prompt.
2. Type the following command, and then press ENTER:

   dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList [<SecondaryIPAddress...>]}
Parameter | Description
---|---
dnscmd | The command-line tool for managing DNS servers.
<ServerName> | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
<ZoneName> | Required. Specifies the fully qualified domain name (FQDN) of the zone.
/NoXfr | Disables zone transfers for the zone.
/NonSecure | Permits zone transfers to any DNS server.
/SecureNs | Permits zone transfers only to DNS servers that are listed in the zone using name server (NS) resource records.
/SecureList | Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.
<SecondaryIPAddress> | Required if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.
To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:
dnscmd /ZoneResetSecondaries /?
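As an added example (not part of the original article), the following PowerShell script applies the /SecureList setting with dnscmd as described above, then verifies the result and audits every primary zone on the server for the unrestricted setting the considerations below warn against. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); the server name, zone name and secondary addresses are constructed placeholders.

```powershell
# Constructed placeholders: replace with your own server, zone and secondaries.
$server             = 'dns1.example.internal'
$zone               = 'corp.example.internal'
$allowedSecondaries = @('10.0.0.11', '10.0.0.12')

# 1. Apply the restrictive setting with dnscmd, as in the procedure above.
#    PowerShell expands the array into separate arguments for /SecureList.
& dnscmd $server /ZoneResetSecondaries $zone /SecureList $allowedSecondaries
if ($LASTEXITCODE -ne 0) {
    throw "dnscmd failed with exit code $LASTEXITCODE"
}

# 2. Verify through the DnsServer module instead of trusting the exit code.
#    TransferToSecureServers is the module's name for the /SecureList state.
$z = Get-DnsServerZone -ComputerName $server -Name $zone
'{0}: SecureSecondaries={1}; SecondaryServers={2}' -f `
    $z.ZoneName, $z.SecureSecondaries, ($z.SecondaryServers -join ',')
if ($z.SecureSecondaries -ne 'TransferToSecureServers') {
    throw "Zone $zone is not restricted to the listed secondaries"
}

# 3. Audit: flag every primary zone that still answers transfers for any host
#    (TransferAnyServer corresponds to /NonSecure).
Get-DnsServerZone -ComputerName $server |
    Where-Object {
        -not $_.IsAutoCreated -and
        $_.ZoneType -eq 'Primary' -and
        $_.SecureSecondaries -eq 'TransferAnyServer'
    } |
    ForEach-Object {
        Write-Warning ('Zone {0} allows zone transfers to any server' -f $_.ZoneName)
    }
```

Run it from an elevated PowerShell session on a host that can reach the DNS server; step 3 can be scheduled on its own as a recurring configuration check.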
Additional considerations

- To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- To improve the security of your DNS infrastructure, allow zone transfers only to either the DNS servers in the name server (NS) resource records for a zone or to specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.