

What is a DNS Zone Transfer?

Posted on 2006-05-03
Medium Priority
Last Modified: 2010-04-11
Can anyone please tell me what a DNS zone transfer is, and why anyone would want to make one?

Question by:bmaxwell
LVL 57

Expert Comment

ID: 16602435
A DNS zone is basically all the hosts for a specific IP domain name. When you set up a DNS server, you normally have two DNS servers. One is the primary, the other is a secondary (you can have one or more secondaries). When you add/delete/change an entry in a zone you do it on the primary.

The information must get to the secondary somehow. When you update the zone on the primary you need to update what is called the serial number. If you use a GUI interface this is generally done automatically for you; if you manually edit the file you need to do this. A secondary will ask the primary what the current serial number is. If the primary responds with a number that is higher than what the secondary has, this means there has been an update to the zone and the secondary asks to have a new copy of the zone. This is called a zone transfer.
LVL 26

Expert Comment

by:Leon Fester
ID: 16603848
DNS Zone transfers can be used by unethical people to spoof/steal your IPs. Effectively I could redirect all requests to your server and instead send those requests to my fake servers. End result being...I get all your data.

Consider an e-commerce site, being stolen like this.

Now you understand why somebody would do it.

Another time you would use it is if your DNS zones are hosted by ISP1 and you decide that you'd rather have ISP2 look after your DNS Zone. They would then also have to do a DNS Zone Transfer.
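A small simulation of the refresh-and-transfer exchange described in the first comment above, combined with the access restriction that addresses the abuse Leon Fester describes. This is an added example, not code from the thread; the zone, serials and IP addresses are constructed, and the `allow_transfer` set stands in for a real server's transfer ACL (BIND's `allow-transfer`, for instance). It also handles the 32-bit serial wraparound that a plain "higher number" comparison gets wrong.

```python
from dataclasses import dataclass, field
from typing import Optional

SERIAL_MASK = 0xFFFFFFFF          # SOA serials are 32-bit
SERIAL_HALF = 1 << 31

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: is serial a newer than b?"""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)

@dataclass
class PrimaryServer:
    zone: str
    records: dict
    serial: int
    allow_transfer: set   # constructed stand-in for a transfer ACL (secondary IPs only)

    def update(self, name: str, value: str) -> None:
        """Every add/delete/change on the primary must bump the serial."""
        self.records[name] = value
        self.serial = (self.serial + 1) & SERIAL_MASK

    def soa_serial(self) -> int:
        return self.serial

    def axfr(self, requester_ip: str):
        """Hand out the full zone only to listed secondaries; refuse everyone else."""
        if requester_ip not in self.allow_transfer:
            return None
        return self.serial, dict(self.records)

@dataclass
class SecondaryServer:
    ip: str
    primary: PrimaryServer
    serial: Optional[int] = None
    records: dict = field(default_factory=dict)

    def refresh(self) -> bool:
        """Ask for the primary's serial; request a zone transfer only if it is newer."""
        remote = self.primary.soa_serial()
        if self.serial is not None and not serial_gt(remote, self.serial):
            return False                     # nothing changed, no transfer
        copy = self.primary.axfr(self.ip)
        if copy is None:
            return False                     # refused by the primary's ACL
        self.serial, self.records = copy
        return True
```

A request from an address outside `allow_transfer` is refused, which is the check that keeps the full zone listing from being handed to anyone who asks.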

Accepted Solution

e_vanheel earned 1000 total points
ID: 16615316
A zone transfer is the replication of the DNS database from the Primary zone to the secondary zone(s).  It is used for load balancing and fault tolerance.

Load balancing - if Microsoft.com had 1 DNS server it would have to respond to all requests for that domain; you create many secondary zones to improve performance.

Fault tolerance - if your primary goes down the secondary server will still resolve DNS requests for a period of time.  You can promote the secondary to a primary if the primary will not be coming back.

The only real difference between the primary and secondary is: the primary is a "writable" copy of the DNS zone database and it replicates its copy to the secondary "read-only" copy of the DNS zone.

Hope that answered your questions.

Author Comment

ID: 16623831
Thanks for your help. You know, it may sound very corny and square, but only one person told me "Hope that answers your question". To some people, those words mean absolutely nothing. I know, it's not really necessary to say. But to me, it tells me that the person sincerely wanted to help me, because in the end, he/she told me so. Now, I am absolutely, positively sure that all others also want to help, or they would not have responded. But sometimes, the words "I hope that helps you" or something to that effect sort of add the right kind of closure to a person's problem. I'm sure I need to "get a life", but I'm also sure someone out there agrees with me too. Thanks to all for your help.

LVL 57

Expert Comment

ID: 16624999
I really don't care about the points, but I do care about helping and following the rules, so I am not complaining, I am pointing out what the "rules" are.

Based on your statement it seems that the only reason you accepted e_vanheel's comment (which is correct) over mine is because he said "Hope that answers your question"?

If so, please note that according to the "rules" you are supposed to accept the 1st correct answer (see http://www.experts-exchange.com/help.jsp#hi68) and in the case where there are multiple correct answers that may provide slightly different information then you can accept multiple answers and split the points. With multiple correct answers it may be that you have a multiple-part question (like you have what is and why) and one comment will answer one part and another comment will answer another part. The main point for EE is to get answers to questions, not to be super polite while doing it.

If you accepted his answer over mine and felt that I did not even deserve an assist, could you please explain why my comments did not answer your question so that I may improve the way I answer questions in the future, as, IMHO, my answer does correctly describe what a zone transfer is and infers why you would want to do it.
