Q&A: Can I Disallow DNS Zone Transfers?

Knowledge Base Community
, , ,
#1

Question

Can I disallow DNS zone transfers?

Environment

In UCS by default a zone transfer from any of the UCS servers to any clients is allowed. This can be seen as a security risk.

Answer

When all servers in the UCS domain use samba4 as DNS backend (dns/backend=samba4) you can disallow the zone transfer by
ucr set dns/allow/transfer=none

On host which use ldap as DNS backend (ucr set dns/backend=ldap) you should not disallow the zone transfer.

To reduce security risks a bug has been created.

Unable to disable zone transfers on Master or Backup servers
Mastodon