O Secure Zone Transfers

The difference between master and slave servers from an administrative point of view is that physical files with your domain zone information are only stored on the master. The slave servers automatically pull and cache master server databases at predefined intervals or upon a NOTIFY message issued by the master informing its slaves that something changed.

Unlike normal DNS requests, which are usually channeled via UDP, zone transfers are always transmitted over TCP.

The piece of information that is used for checking the consistency of zone files between master and slaves is the serial number. Here we are checking google.com's zone serial number (it's 1291839):

; <<>\> DiG 9.3.0 <<>\> -t soa www.google.com ;; global options: printcmd ;; Got answer:

;; ->\>HEADER<<- opcode: QUERY, status: NOERROR, id: 56721

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0


;www.google.com. IN SOA


www.google.com. 140 633 IN CNAME www.l.google.com.


l.google.com. 60 IN SOA g.l.google.com. dns-admin.google.com.

291839 900 900 1800 60

The serial number has no standard naming scheme. The only important rule to follow is that it must be changed incrementally when performing updates (a common and easy-to-remember scheme is to use the date for tracking updates, in the format YYYYMMDDVV where VV is a two-digit version number in case you change the map more than once in a day).

When performing any modification on your master zone file, always update the serial number. Keeping inconsistent data across your primary and secondary DNS servers is a dangerous condition from both an administrative and security point of view.

You should also always configure an access list for restricting zone transfers only to your legitimate slave servers. Allowing arbitrary zone transfers to anonymous clients exposes your whole zone file, which greatly helps the attacker's server enumerate the servers in your network.

BIND allows you to define access lists for a cleaner configuration. The following example creates an xfer access list and restrict zone transfers to it with the allow-transfer directive:

options {

You can also encrypt zone transfers using TSIG. We cover its usage later in "DNS and Encryption: TSIG and DNSSEC."

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook

Post a comment