You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Modifying zone transfer settings

To modify zone transfer settings using the Windows interface
  1. Open DNS Manager.

  2. Right-click a DNS zone, and then click Properties.

  3. On the Zone Transfers tab, do one of the following:

    • To disable zone transfers, clear the Allow zone transfers check box.

    • To allow zone transfers, select the Allow zone transfers check box.

  4. If you allowed zone transfers, do one of the following:

    • To allow zone transfers to any server, click To any server.

    • To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.

    • To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Additional considerations

  • To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  • To improve the security of your DNS infrastructure, allow zone transfers only for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

To modify zone transfer settings using a command line
  1. Open a command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList [<SecondaryIPAddress...>]}
    

Parameter Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

<ZoneName>

Required. Specifies the fully qualified domain name (FQDN) of the zone.

/NoXfr

Disables zone transfers for the zone.

/NonSecure

Permits zone transfers to any DNS server.

/SecureNs

Permits zone transfers only to DNS servers that are listed in the zone using name server (NS) resource records.

/SecureList

Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.

<SecondaryIPAddress>

Required, if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd /ZoneResetSecondaries /? 

Additional considerations

  • To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  • To improve the security of your DNS infrastructure, allow zone transfers only for either the DNS servers in the name server NS resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

Additional references