nslookup = zone transfer ?


    I’ve noticed for quite a while that my AD DC DNS servers refuse nslookup queries against AD integrated zones. “Query refused”. I had assumed all along that this was a security mechanism. Fine.

    BTW, the query I’m using in nslookup command line mode is ls -d contoso.com which means “List all records in the contoso.com zone”

    I performed a little more exploring recently. On my AD DC DNS server, I created a primary zone as a test. I fully expected to be able to pull nslookup queries from this zone. To my surprise, I still got the “Query refused” message.

    Next I went to a non AD DC Windows 2003 server running DNS. This DNS server already had a few primary and secondary zones on it. Running nslookup from the console of this server against a primary zone in its local DNS database provided a slightly different error. Something to the effect that the zone transfer failed and I should check the zone transfer settings for the zone.

    So then I checked the zone transfers configuration. No zone transfers allowed. I enabled zone transfers and I was then able to perform nslookup queries.

    So then I go back to my original AD DC DNS server and configure one of the AD integrated zones to allow zone transfers to my machine. From my machine, I can now query DNS records in the AD integrated zone using nslookup.

    So the question is, does performing queries using nslookup constitute a zone transfer (of queried records) from the DNS server’s perspective to the machine performing the nslookup? It would appear so.
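The reason the zone transfer ACL governs the behaviour described above is that nslookup's ls -d is not a normal record lookup: it opens a TCP connection and sends a DNS query with QTYPE 252 (AXFR), which is exactly what a secondary server sends when it pulls a zone. The following is an added example, not code from the post or from Microsoft; it builds the AXFR query that ls -d sends for contoso.com (a name taken from the post), parses DNS messages to classify the query type and response code, and shows the REFUSED response a server returns when the requester is not on the zone transfer list. The same parser can be used over captured DNS traffic to flag zone transfer requests against your own servers; the message bytes here are constructed inline so it runs offline.

```python
import struct

# QTYPE values from RFC 1035 / RFC 1995; 252 (AXFR) is what "ls -d" asks for.
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 28: "AAAA",
               251: "IXFR", 252: "AXFR", 255: "ANY"}
# RCODE values; 5 (REFUSED) is the "Query refused" nslookup reports.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build a DNS query message (header + one question, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg):
    """AXFR runs over TCP, where each message is prefixed by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, offset):
    """Decode a wire-format name, following compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_message(msg):
    """Return the fields a defender cares about: direction, rcode, question."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qdcount": qdcount,
        "ancount": ancount,
    }


def is_zone_transfer_request(msg):
    """True for an AXFR/IXFR query, i.e. what nslookup's ls -d sends."""
    info = parse_message(msg)
    return not info["is_response"] and info["qtype"] in ("AXFR", "IXFR")


def build_refused_response(query):
    """The answer a server gives when the client is not on the transfer ACL."""
    txid, flags = struct.unpack("!HH", query[:4])
    # QR=1, keep RD, RCODE=5 (REFUSED); echo the question section unchanged.
    header = struct.pack("!HHHHHH", txid, 0x8000 | (flags & 0x0100) | 5, 1, 0, 0, 0)
    return header + query[12:]


if __name__ == "__main__":
    # Constructed sample: what "ls -d contoso.com" puts on the wire.
    q = build_query("contoso.com", 252)
    print("ls -d sends:", parse_message(q)["qtype"], "-> zone transfer?",
          is_zone_transfer_request(q))
    print("refused reply rcode:", parse_message(build_refused_response(q))["rcode"])
```

Run over a capture, `is_zone_transfer_request` on each query lets you alert on AXFR attempts from hosts that are not your secondaries, and the rcode from the matching reply tells you whether the transfer ACL did its job.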

