The default setting for Zone Security in the DNS server included with
Microsoft Windows NT Server is to allow zone transfer request from any
client. This allows easier configuration and setup of a new DNS server. The
default settings may allow unauthorized or undesired read access to the DNS
Zone information. A client may request a zone transfer with the Nslookup
utility, or by configuring a secondary zone on a DNS server. To restrict
access, you can configure the Microsoft DNS server to "Only allow access
from secondaries included on the notify list." This setting will limit
access to the DNS server's zone information to IP addresses specified in
the notify list. This parameter is on a per-zone basis; therefore, zones
must be individually configured.
To configure zone security, use the following procedure:
- Click Start, click Programs, click Administrative Tools (Common), and
then click DNS Manager.
- In DNS Manager, from the Server list, right-click the primary zone icon.
- Click Properties.
- Click the Notify tab.
- In the Notify List, add the IP addresses of the secondaries that are
allowed to access the primary.
- Click the "Only Allow Access From Secondaries Included on the Notify
List" check box.
For additional information about DNS zone transfers, please see the
following article in the Microsoft Knowledge Base:
Explanation of a DNS Zone Transfer
For more information on the notify feature, please see the following
article in the Microsoft Knowledge Base:
Explanation of DNS Notify List "Secondary Notification" Behavior