
Block DNS Zone Transfers

Why it matters: an unrestricted zone transfer (AXFR) hands anyone who asks a copy of every record in your zone, which exposes hostnames, addressing and the role of each of your servers.

BIND, one of the most popular DNS servers on the Internet, can be found as the default DNS server for many Linux and UNIX distributions. As such, it is important to determine how to handle zone transfers on that platform as well.

BIND’s primary configuration takes place in the /etc/named.conf file for BIND 8 and 9 (/etc/named.boot for BIND 4, which you should upgrade if you are still running it). This is a text file with a number of directives that control how BIND will respond to various situations. BIND’s default configuration, like Win2K’s and WinNT’s, allows a zone transfer to take place from anywhere.

To secure your BIND server, open /etc/named.conf (or /etc/named.boot) in a text editor and find the allow-transfer statement. It can appear in the global options block, where it applies to every zone, or inside an individual zone block, where it overrides the global setting; a line reading “allow-transfer { any; };” (or no allow-transfer line at all) means any IP address is allowed to pull the zone. In this example, I want to allow zone transfers to take place only between my Red Hat 8 server, my Windows NT server with IP address 192.168.1.4, and another server with IP address 172.16.1.5. Therefore, I change the allow-transfer line to read like the following, and reload named afterwards so the change takes effect:

allow-transfer { 192.168.1.4; 172.16.1.5; };
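Checking one line by eye is fine for a single zone; on a server carrying many zones it is easy to miss one that never got its own allow-transfer and silently inherits the open default. The script below is an added example written for this post (not code from the post, from BIND, or from Red Hat): it walks the top-level blocks of a named.conf, applies the inheritance rule described above (a zone without allow-transfer takes the one from options; with neither present, BIND 8/9 answer any client), and reports which zones still answer AXFR for anyone. The named.conf it parses is constructed for the example and its zone names are made up; the parser is deliberately simple and does not follow include statements or resolve named acl blocks.

```python
import re

# Constructed sample named.conf for this example (not taken from the page).
# The options block still carries the open default, "example.com" overrides it
# with the address list from the post, and "internal.example" sets nothing and
# therefore inherits the open default.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };   // open to the whole Internet
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.168.1.4; 172.16.1.5; };
};

zone "internal.example" {
    type master;
    file "internal.example.zone";
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so braces inside them are not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Return (header, body) pairs for each top-level 'header { body };' block.

    Brace depth is tracked so nested statements such as allow-transfer { ... }
    stay inside their parent block instead of ending it early.
    """
    blocks = []
    depth = 0
    body_start = header_start = 0
    header = ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                # The header is whatever follows the previous top-level ';'.
                header = text[header_start:i].rsplit(";", 1)[-1].strip()
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, text[body_start:i]))
                header_start = i + 1
    return blocks


def transfer_acl(body):
    """Address list of the allow-transfer statement in body, or None if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [entry.strip() for entry in m.group(1).split(";") if entry.strip()]


def audit(conf):
    """Map each zone name to (effective allow-transfer list, is_open).

    A zone without its own statement inherits the one from options; with
    neither present BIND 8/9 allow transfers from anywhere, modelled as ['any'].
    """
    conf = strip_comments(conf)
    global_acl = None
    zone_acls = {}
    for header, body in top_level_blocks(conf):
        if header == "options":
            global_acl = transfer_acl(body)
        elif header.startswith("zone"):
            name = re.search(r'"([^"]+)"', header).group(1)
            zone_acls[name] = transfer_acl(body)
    report = {}
    for name, acl in zone_acls.items():
        effective = acl if acl is not None else global_acl
        if effective is None:
            effective = ["any"]
        report[name] = (effective, "any" in effective)
    return report


def open_zones(conf):
    """Sorted names of zones that still answer AXFR for any client."""
    return sorted(name for name, (_, is_open) in audit(conf).items() if is_open)


if __name__ == "__main__":
    for name, (acl, is_open) in audit(SAMPLE_NAMED_CONF).items():
        status = "OPEN TO ANY" if is_open else "restricted"
        print(f"{name:20} allow-transfer {{ {'; '.join(acl)}; }}  -> {status}")
```

Run it against a copy of /etc/named.conf and fix every zone it reports as open, either by tightening the global statement in options or by adding a per-zone one. After editing, validate the file with named-checkconf and reload with rndc reload, then confirm from a host that is not in the list that `dig @your-server example.com AXFR` is refused (dig reports “; Transfer failed.”). For secondaries that reach you across an untrusted network, BIND also accepts TSIG keys in allow-transfer (`key "name";`), which is a stronger check than a source-address match.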

Zoneedit allows you to restrict zone transfers to specific IPs under its Security Settings. This is extremely useful if you do not wish to disclose where your names point.


Categories: Linux, Nameservers.
