Help me secure my DNS server!
Before we begin, please make sure that you fully understand what it is you really want to fix. Which servers are affected and what role do they play in your network? Maybe they allow zone transfers for a reason? If you restrict zone transfers, will you break anything else?
AXFR was nearly universal at one time, but is now becoming less popular in favor of other database replication mechanisms that modern DNS servers provide. Check the manual for the DNS server you're running and see if there is another solution that might suit you better. If you still prefer using AXFR and you're sure you won't break anything by restricting the requests to a limited number of machines, please read on.
How to restrict zone transfers using BIND?
In order to restrict zone transfers to one or several specific hosts, we use the acl option. This is specified in named.conf; below is an example of how it can be done:
acl slaves {
11.22.33.44; // slave1
44.33.22.11; // slave2
};
zone example.com {
type master;
file "zones/example.com";
allow-transfer { slaves; };
};
This will reject all zone transfers that don't come from the addresses listed in our slaves list.
Instead, if you want to completely disable zone transfers, use:
zone example.com {
type master;
file "zones/example.com";
allow-transfer { none; };
};
This is actually recommended on your slave servers, since they're the last link in the chain. However, if you do this on the master server, the slaves won't be able to replicate data at all, which could lead to further problems.
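To check that every zone in a named.conf actually carries the allow-transfer setting described above, here is an added example audit script (written for this page, not part of BIND). It parses acl and zone blocks from a constructed named.conf fragment and classifies each zone's allow-transfer as disabled, restricted, unrestricted, missing, or referencing an undefined acl; the sample addresses and zone names are invented.

```python
import re

# Constructed named.conf fragment for the demo (not a real server's config).
SAMPLE_NAMED_CONF = """
acl slaves {
    11.22.33.44;   // slave1
    44.33.22.11;   // slave2
};
zone "example.com" { type master; file "zones/example.com"; allow-transfer { slaves; }; };
zone "example.net" { type master; file "zones/example.net"; };   # no allow-transfer at all
zone "example.org" { type slave; masters { 11.22.33.44; }; allow-transfer { none; }; };
zone "open.example" { type master; file "zones/open"; allow-transfer { any; }; };
"""

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
BLOCK_START = re.compile(r'\b(acl|zone)\s+"?([^\s"{;]+)"?[^{;]*\{')

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # /* ... */
    return re.sub(r"(//|#)[^\n]*", "", text)              # // and # to end of line

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def audit_transfers(conf):
    """Map each zone name to one of: 'disabled', 'restricted', 'unrestricted',
    'missing' (no allow-transfer in the zone, so it inherits the options-level
    setting, which classic BIND 9 releases default to 'any'), or 'undefined-acl:<name>'."""
    text = strip_comments(conf)
    acls, verdicts = set(), {}
    for m in BLOCK_START.finditer(text):
        kind, name, body = m.group(1), m.group(2), block_body(text, m.end() - 1)
        if kind == "acl":
            acls.add(name)          # acls must precede the zones that use them
            continue
        t = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if t is None:
            verdicts[name] = "missing"
            continue
        entries = [e.strip().strip('"') for e in t.group(1).split(";") if e.strip()]
        unknown = [e for e in entries if e[0].isalpha() and not e.startswith("key ")
                   and e not in BUILTIN_ACLS | acls]
        if entries == ["none"]:
            verdicts[name] = "disabled"
        elif "any" in entries:
            verdicts[name] = "unrestricted"
        elif unknown:
            verdicts[name] = "undefined-acl:" + unknown[0]
        else:
            verdicts[name] = "restricted"
    return verdicts

if __name__ == "__main__":
    for zone, verdict in audit_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone:15} {verdict}")
```

Zones reported as "missing" or "unrestricted" are the ones to review first, since on a master they let any client that can reach port 53 pull the whole zone.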
How to restrict zone transfers using …?
Since we've only worked with the BIND DNS server, it's the only server we feel confident providing support for. However, this is covered on a lot of websites, and chances are good that it's even covered in the handbook for your DNS server. If you feel you can contribute useful information here, feel free to contact us.
