Compared to a modern BIND name server, the Microsoft DNS Server is short on security features, but you do have some options. In this section, we discuss how to prevent unauthorized zone transfers from your servers and how to “lock down” a name server directly connected to the Internet.
It’s important to ensure that only your real slave name servers can transfer zones from your primary master name server. Users on remote hosts that can query your name server’s zone data can look up data (for example, addresses) only for hosts whose domain names they already know, one at a time. Users who can start zone transfers from your server can list all the hosts in your zones. It’s the difference between letting random folks call your company’s switchboard and ask for John Q. Cubicle’s phone number and sending them a copy of your corporate phone directory.
You control which name servers can perform a zone transfer with settings on the Zone Transfers tab of the zone properties window (see Figure 10-3 earlier in this chapter). You can allow any host to perform zone transfers, or only those name servers listed in the zone’s NS records, or only a specific set of name servers you list by IP address.
For a primary master name server accessible from the Internet, you definitely want to limit zone transfers to just your slave name servers. You probably don’t need to restrict zone transfers on name servers inside your firewall, unless ...
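The same three choices offered on the Zone Transfers tab (any server, the zone's NS servers, or an explicit list) can be audited and set from PowerShell on newer Windows Server releases. This is an added example, not from the book: it assumes the DnsServer module (Windows Server 2012 or later), and the slave addresses are constructed placeholders.

```powershell
# Added example: audit and tighten zone-transfer settings on a Windows DNS server.
# Assumes the DnsServer PowerShell module (Windows Server 2012+) and that the script
# runs on the DNS server itself. The slave addresses below are constructed placeholders.
Import-Module DnsServer

$slaveServers = @('192.0.2.10', '192.0.2.11')   # constructed placeholder slave IPs

function Get-ZoneTransferExposure {
    # Report each real primary zone with its transfer policy. SecureSecondaries is one of
    # NoTransfer, TransferAnyServer, TransferToZoneNameServer, TransferToSecureServers;
    # only TransferAnyServer hands the whole "phone directory" to anyone who asks.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone              = $_.ZoneName
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = ($_.SecondaryServers -join ', ')
                Exposed           = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

function Set-ZoneTransferAllowList {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$SecondaryServers
    )
    # Equivalent of "Only to the following servers" on the Zone Transfers tab:
    # transfers are answered only for the listed slave addresses.
    Set-DnsServerPrimaryZone -Name $ZoneName `
        -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $SecondaryServers
}

# Show which primary zones currently allow transfers to any host.
Get-ZoneTransferExposure | Format-Table -AutoSize

# Lock down every exposed primary zone to the listed slaves.
Get-ZoneTransferExposure | Where-Object Exposed | ForEach-Object {
    Set-ZoneTransferAllowList -ZoneName $_.Zone -SecondaryServers $slaveServers
}
```

Secondary zones on the slaves accept the same SecureSecondaries setting through Set-DnsServerSecondaryZone, so a slave that is also reachable from the Internet should be restricted the same way.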