Stub zones and Zone transfers
Dracula28
Member Posts: 232
I have noticed that anyone can create a stub zone of a primary zone, as long as they can contact the master server of the primary zone AND if Zone transfers are completely OFF or set to "Any Server".
How does Microsoft relate to this on the exam, do they acknowledge this fact?
Otherwise the same zone transfer rules apply as with secondary zones (to only name servers or only specific servers etc.). Obviously you would not use to only name servers for stub zones.
Btw, I am assuming that for stub zones to be automatically updated (which is why they are preferred over conditional forwards usually), zone transfers have to be set to "Any Server" or to specific servers? Or is my assumption wrong?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
Comments
Lexluethar
Member Posts: 516
Can't really go into any specifics on the exam - with that said if you want a stub zone or secondary zone to receive any zone information (records) you have to configure zone transfers on the primary zone. You can enable it by either saying only to servers on the name server tab, create a specific list or you can say transfer to any server that requests it (remember transfers are initiated by the stub / secondary zone server unless you specifically tell the primary to notify). So if you don't configure zone transfers on a primary zone any secondary or stub zone that was created to look at that primary zone will not get any records transferred to it.
Now if it is an Active Directory integrated primary zone and your stub zone is AD integrated (b/c secondaries can't be) zone transfers are a little different. When it is integrated into AD zone transfers don't happen and every zone is replicated out to each DC automatically (or given a few minutes of replication time).
Does that help? In short - in order for stub zones / secondary zones to receive any information you HAVE to set zone transfers on the primary by either saying any server, list of specific servers, or any name servers on the other tab. The server is a DC and has DNS installed if the primary zone / stub zone is AD integrated every DC gets that zone - no zone transfers required.
Dracula28
Member Posts: 232
That's what's strange about stub zones. You don't need to have zone transfers enabled on the primary zone, to be able to transfer the NS (and A records of the authoritative servers) to the stub zone.
Let's say you set up a standard primary zone called contoso.com on Server1. Then you go into the properties of the contoso.com zone and disable zone transfers.
Then if you try to create a secondary zone on Server2 and point it to contoso.com on Server1, you will not be able to load the secondary zone on Server2.
But if you try to create a stub zone on Server2 and point it to contoso.com on Server1, the stub zone will load the NS (and glue) records just fine, even if zone transfers on the primary zone are OFF. And if more NS records are added on the primary zone on Server1, you can even update your stub zone to include those records, by initiating a zone transfer (which works just fine, even if zone transfers are OFF).
That's what I am curious about, does MS acknowledge that this does occur, or do they mean that Zone transfers have to be ON, even if they actually don't have to be on for transferring NS records from primary to stub zones.
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
Dracula28
Member Posts: 232
I guess the safe bet, for the exam, is to go by what the MS documentation says, and ignore what actually occurs in reality. Because the exam is based on MS documentation.
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
undomiel
Member Posts: 2,818
Stub zones don't use zone transfers. They use standard queries to get their records. When you configure the zone it will send a request for the SOA and NS records and write those to the zone and then any other records that get requested for the zone get cached on the server. No zone transfer permissions required. The server checks on SOA updates and NS record updates periodically.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
Dracula28
Member Posts: 232
"Stub zones don't use zone transfers. They use standard queries to get their records. When you configure the zone it will send a request for the SOA and NS records and write those to the zone and then any other records that get requested for the zone get cached on the server. No zone transfer permissions required. The server checks on SOA updates and NS record updates periodically."
Thanks, that clarifies it for me. I was wrong in my initial assumption of stub zones, and how they are kept up to date.
"The server checks on SOA updates and NS record updates periodically."
Do you know how exactly this occurs? Is the refresh interval used, or are there other mechanisms controlling the update process?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
undomiel
Member Posts: 2,818
You are correct, it refreshes based on the refresh interval of the SOA.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
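To make undomiel's two answers concrete, the sketch below (an added example, not code from any poster in this thread) builds the SOA and NS queries a stub zone relies on next to an AXFR request, shows that only the latter is a transfer request, and reads the refresh timer out of an SOA answer. The response bytes, the names `server1.contoso.com` and `hostmaster.contoso.com`, and the timer values are constructed for illustration.

```python
import struct

QTYPE = {"NS": 2, "SOA": 6, "IXFR": 251, "AXFR": 252}

def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035 wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """One-question DNS query: 12-byte header, then QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def is_transfer_request(query):
    """True only for AXFR/IXFR, the query types a zone-transfer setting governs."""
    (qtype,) = struct.unpack("!H", query[-4:-2])
    return qtype in (QTYPE["AXFR"], QTYPE["IXFR"])

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_soa_timers(response):
    """Extract the SOA timers from a response whose first answer is an SOA record."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    if qdcount != 1 or ancount < 1:
        raise ValueError("expected one question and at least one answer")
    off = skip_name(response, 12) + 4     # question: QNAME, QTYPE, QCLASS
    off = skip_name(response, off)        # owner name of the first answer
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    if rtype != QTYPE["SOA"] or rdlen < 20:
        raise ValueError("first answer is not a well-formed SOA record")
    end = off + 10 + rdlen                # SOA RDATA ends with five 32-bit timers
    keys = ("serial", "refresh", "retry", "expire", "minimum")
    return dict(zip(keys, struct.unpack("!5I", response[end - 20:end])))

def sample_soa_response():
    """Constructed SOA answer for contoso.com (illustrative values, not a capture)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1
    question = encode_name("contoso.com") + struct.pack("!HH", QTYPE["SOA"], 1)
    rdata = (encode_name("server1.contoso.com") + encode_name("hostmaster.contoso.com")
             + struct.pack("!5I", 5, 900, 600, 86400, 3600))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["SOA"], 1, 3600, len(rdata)) + rdata
    return header + question + answer
```

With the constructed sample, `parse_soa_timers(sample_soa_response())["refresh"]` is 900 seconds, the interval after which the stub zone would re-query the SOA and NS records.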