Secure Zone Transfers with IPsec
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
Use the following procedure to configure an IP Security (IPsec) rule to secure communications between two DNS servers. When applied to the primary and secondary DNS servers for a zone, this policy will protect updates occurring by zone transfer from the primary to the secondary DNS server. By applying this policy, zone transfers are not allowed unless both servers are domain members and have matching connection security rules. The policy is configured to apply to zone transfers between IP addresses specified on the Zone Transfers tab. For more information, see Restrict Zone Transfers.
To use the following procedure, primary and secondary DNS servers must be running Windows Server® 2008 or Windows Server® 2008 R2.
Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Configuring IPsec policy
In the following procedure, IPsec policy is deployed to a single primary or secondary DNS server using local Group Policy. Complete the following procedure once on the primary DNS server and once on the secondary DNS server that will send or receive zone transfers, respectively. If you wish to deploy IPsec policy to a group of computers, use a domain Group Policy Object (GPO) with a custom OU or security group.
To use Kerberos authentication, both the primary and secondary DNS servers must be domain controllers or have a connection to Active Directory. Do not use Kerberos authentication to secure a connection between a member server and its domain controller. To secure zone transfers between a member server and its domain controller, use NTLMv2.
To configure IPsec policy using the Windows interface
On the primary or secondary DNS server, click Start, click Run, type gpedit.msc, and then press ENTER. The Local Group Policy Editor will open.
In the console tree, open Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security – Local Group Policy Object.
Right-click Connection Security Rules, and then click New Rule. The New Connection Security Rule Wizard will open.
On the Rule Type page, choose Custom, and then click Next.
On the Endpoints page, choose These IP addresses for endpoint 1, click Add, choose This IP address or subnet, enter the IP address on this computer that is used to send or receive zone transfers, and then click OK. If necessary, repeat this step for each IP address used by this computer to send or receive zone transfers.
On the Endpoints page, choose These IP addresses for endpoint 2, click Add, choose This IP address or subnet, enter the IP address on the remote computer that is used to send or receive zone transfers, and then click OK. If necessary, repeat this step for each IP address used by a remote computer to send or receive zone transfers. Click Next to continue.
On the Requirements page, choose Require authentication for inbound and outbound connections, and then click Next.
On the Authentication Method page, choose Computer (Kerberos V5), and then click Next.
If this connection security rule will affect communication with the domain controller, choose Advanced, click Customize, and then add Computer (NTLMv2) under First authentication instead of choosing Kerberos.
On the Protocol and Ports page, next to Protocol type, verify Any is selected, and then click Next.
On the Profile page, verify that the Domain, Private and Public check boxes are selected, and then click Next.
Type a name and description for the rule. Use a name that will be easy to recognize, for example, Zone Transfer Rule, and then click Finish.