Dec 31 1998

DNS – restricting zone transfers

When you provide DNS, you are giving out a lot of information, and a zone transfer hands a hacker the complete list of names and addresses in a zone in one request.  Just by using a simple tool like nslookup, anyone can accomplish a zone transfer against a server that does not restrict them.  To restrict your zone transfers to specified IP addresses, use the boot file directive xfrnets.

For BIND 4

The following is an extract from man named:
The ``xfrnets'' directive (not shown) can be used to implement primitive access control. If this directive is given, then your name server will only answer zone transfer requests from hosts which are on networks listed in your ``xfrnets'' directives. This directive may also be given as ``tcplist'' for compatibility with older, interim

Here’s what I added to my /etc/named.boot file (well, I used a different IP address):


This states that zone transfers can be accepted from

Points to note:

  • You can include more than one IP address per line, separated by white space.
  • You can have more than one xfrnets directive per file.
  • Don’t put any white space between the IP address and the mask.


Under BIND 8, you should use something like this in /etc/named.conf (the allow-transfer list applies to every zone the server carries):
options {
	allow-transfer {;;};
};

Or you can restrict certain zones to certain addresses:

zone "" {
	type master;
	file "db.yourdomain";
	allow-transfer {; };
};

In both cases, multiple IP addresses can be listed, each ending with a semi-colon (‘;’).   An address range can be specified using the "192.168/16" style of format.   The "/16" is a netmask, and such an entry would allow zone transfers from any host on that network.
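The following is an added example, not code from the original post: a small offline checker that reads the two kinds of transfer policy described above (a BIND 4 named.boot with xfrnets entries in the addr&mask form, and a BIND 8 named.conf with allow-transfer lists, including the shortened "10/8" prefix style) and reports whether a given client address would be permitted to pull a zone. The two configuration fragments and every address in them are constructed placeholders; the parser assumes named.conf blocks close with "};" at the start of a line, that a zone-level allow-transfer overrides the global one, and that a server with no allow-transfer at all answers transfers from anyone (the BIND 8 default). Keeping the policy in a script like this lets you review who can transfer a zone before the change goes live, rather than discovering it with nslookup afterwards.

```python
import ipaddress
import re

# Constructed BIND 4 boot file fragment (placeholder addresses, not from the page).
NAMED_BOOT = """\
; named.boot - constructed example
directory /var/named
primary   example.test   db.example
xfrnets   192.168.1.2&255.255.255.255 10.0.0.0&255.0.0.0
xfrnets   172.16.5.0&255.255.255.0
"""

# Constructed BIND 8 named.conf fragment (placeholder addresses, not from the page).
NAMED_CONF = """\
// named.conf - constructed example
options {
    directory "/var/named";
    allow-transfer { 192.168.1.2; 10/8; };
};
zone "example.test" {
    type master;
    file "db.example";
    allow-transfer { 172.16.5.0/24; };
};
"""

OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\};', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]*)"\s*\{(.*?)\n\};', re.S)
ALLOW_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}\s*;')


def parse_xfrnets(boot_text):
    """Collect the networks named by xfrnets (or its older alias tcplist).

    Only the addr&mask form is handled; an entry without a mask is rejected
    rather than guessing which default netmask BIND 4 would apply (assumption).
    """
    nets = []
    for line in boot_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or comment
        if fields[0] not in ("xfrnets", "tcplist"):
            continue
        for entry in fields[1:]:
            addr, sep, mask = entry.partition("&")
            if not sep:
                raise ValueError(f"xfrnets entry {entry!r}: expected addr&mask")
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def _expand_prefix(token):
    """Turn BIND's short prefix form ("10/8", "192.168/16") into a full
    dotted quad so ipaddress can parse it; a bare address becomes a /32."""
    addr, _, plen = token.partition("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def _acl(block):
    """Return the allow-transfer networks inside one block, or None if absent."""
    m = ALLOW_RE.search(block)
    if not m:
        return None
    return [_expand_prefix(t.strip()) for t in m.group(1).split(";") if t.strip()]


def parse_allow_transfer(conf_text):
    """Map 'options' and 'zone:<name>' to their allow-transfer network lists."""
    policy = {}
    m = OPTIONS_RE.search(conf_text)
    if m and _acl(m.group(1)) is not None:
        policy["options"] = _acl(m.group(1))
    for zm in ZONE_RE.finditer(conf_text):
        acl = _acl(zm.group(2))
        if acl is not None:
            policy[f"zone:{zm.group(1)}"] = acl
    return policy


def transfer_allowed_bind4(nets, client_ip):
    """BIND 4: the client must fall inside one of the xfrnets networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def transfer_allowed_bind8(policy, zone, client_ip):
    """BIND 8: the zone's own list wins, then the global list; with neither
    present the server answers anyone (assumed default)."""
    acl = policy.get(f"zone:{zone}", policy.get("options"))
    if acl is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl)


if __name__ == "__main__":
    nets = parse_xfrnets(NAMED_BOOT)
    policy = parse_allow_transfer(NAMED_CONF)
    for client in ("192.168.1.2", "192.168.1.3", "10.20.30.40", "172.16.5.77"):
        print(client, "bind4:", transfer_allowed_bind4(nets, client),
              "bind8 example.test:", transfer_allowed_bind8(policy, "example.test", client))
```

Run it as a script to see the decision for each constructed client, or import it and point parse_xfrnets / parse_allow_transfer at your own files; a client that is allowed by the global list but denied by the zone list (10.20.30.40 above) shows why the per-zone form should be checked separately.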