Compared to a modern BIND name server, the Microsoft DNS Server is short on security features, but you do have some options. In this section, we discuss how to prevent unauthorized zone transfers from your servers and how to "lock down" a name server that receives queries from other name servers on the Internet.
It's important to ensure that only the intended name servers (usually this means the secondary name servers listed in the zone's NS records) can transfer zones from your primary name server. Users on remote hosts that can query your name server's zone data can look up data (for example, addresses) only for hosts whose domain names they already know, one at a time. Users who can start zone transfers from your server can list all the hosts in your zones. It's the difference between letting random folks call your company's switchboard and ask for John Q. Cubicle's phone number and sending them a copy of your corporate phone directory.
You control which name servers can perform a zone transfer with settings on the Zone Transfers tab of the zone properties window (see Figure 11-4). You can allow any host to perform zone transfers, or only those name servers listed in the zone's NS records, or only a specific set of name servers you list by IP address.
For a primary name server accessible from the Internet, you definitely want to limit zone transfers to just authorized secondary name servers. You probably don't need to restrict zone transfers on name servers inside your firewall, unless you're worried about your own employees listing your zone data.
Some of your name servers answer nonrecursive queries from other name servers on the Internet because your servers appear in the NS records that delegate your zones to them. We'll call these name servers delegated name servers. You can take special measures to secure your delegated name servers by disabling recursion.
Recall that by default, resolvers send recursive queries, and name servers do the work required to answer the queries. (If you don't remember how recursion works, refer to Chapter 2.) In the process of finding the answer to recursive queries, the name servers build up a cache of nonauthoritative information about other zones.
But for security reasons, you don't want delegated name servers to do the extra work required to answer a recursive query or to build up a cache of data. Answering recursive queries opens them up to a potential denial of service (DoS) attack: the Bad Guys can send these servers repeated recursive queries, making them do all kinds of unnecessary work. Answering recursive queries from just anyone is also a bad idea because of caching: the most common spoofing attacks involve inducing the target name server to query name servers under the Bad Guy's control by sending the target a recursive query for a domain name in a zone served by the Bad Guy's servers. The Bad Guys can force your name servers to cache known bad data in this way.
Disabling recursion on delegated servers eliminates these attack vectors. But to do so, you need to make sure these servers don't receive any legitimate recursive queries. Don't configure any resolvers to use these servers and don't list a nonrecursive name server as a forwarder. (When a name server is using another server as a forwarder, it sends the query to the forwarder as a recursive query instead of a nonrecursive query.)
You can induce the Microsoft DNS Server to run as a nonrecursive name server by checking the Disable recursion (also disables forwarders) box on the Advanced tab of the server properties window. By default, the name server supports recursion, and this box is unchecked. Disabling recursion doesn't break a delegated server because name servers send nonrecursive queries between themselves.
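The same two settings, restricting zone transfers to listed secondaries and disabling recursion, can be applied and then verified from the command line. This is an added example, not the book's own text or a Microsoft script; it assumes Windows Server 2012 or later (where the DnsServer PowerShell module exists), a zone named example.com, and secondaries at 192.0.2.10 and 192.0.2.11 (placeholder zone and addresses).

```powershell
# Added example: lock down a delegated primary name server.
# Assumed values: zone example.com, secondaries 192.0.2.10 and 192.0.2.11
# (placeholders; substitute the servers in your zone's NS records).
$Zone        = 'example.com'
$Secondaries = @('192.0.2.10', '192.0.2.11')

# 1. Zone transfers: allow AXFR/IXFR only to the listed secondaries.
#    TransferToZoneNameServer would instead permit any server named in the
#    zone's NS records; TransferAnyServer is the setting to avoid on an
#    Internet-facing primary.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondaries

# 2. Recursion: answer only for zones this server is authoritative for.
#    As the GUI checkbox label says, this also disables forwarders.
Set-DnsServerRecursion -Enable $false

# 3. Verify, so a misclick in the GUI or a later change is caught.
$z = Get-DnsServerZone -Name $Zone
if ($z.SecureSecondaries -ne 'TransferToSecureServers') {
    throw "Zone transfers for $Zone are not limited to the secondary list."
}
$configured = $z.SecondaryServers | ForEach-Object { $_.IPAddressToString }
$extra = $configured | Where-Object { $_ -notin $Secondaries }
if ($extra) {
    throw "Unexpected servers allowed to transfer $Zone : $($extra -join ', ')"
}
if ((Get-DnsServerRecursion).Enable) {
    throw 'Recursion is still enabled on this server.'
}

# A nonrecursive server must not be listed as anyone's forwarder, and any
# forwarders configured on it are now inactive; flag them so nobody relies on them.
$fwd = (Get-DnsServerForwarder).IPAddress
if ($fwd) {
    Write-Warning "Forwarders configured but inactive with recursion off: $($fwd -join ', ')"
}

# On Windows 2000/2003 without the DnsServer module, the dnscmd equivalents are:
#   dnscmd /ZoneResetSecondaries example.com /SecureList 192.0.2.10 192.0.2.11
#   dnscmd /Config /NoRecursion 1
```

Run it on the primary itself (or add -ComputerName to each cmdlet); the throws make it usable as a periodic configuration check, not just a one-time setup.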