DoS attack vulnerability in DNS implementation on NetMAX.
Applies to: All NetMAX products prior to version 3.1
[11/22/2000] As described in RHSA-2000:107-2 (Red Hat Security Advisory), BIND's default behavior leaves you more exposed to certain types of DoS attacks.

Although this is usually a matter of how BIND is configured, NetMAX's default configuration gets it wrong. The correct default is to allow only local machines to perform zone transfers, rather than allowing any remote host to request them.

The following modifications will disable zone transfers from remote machines:

From Home|Network|Domains, click on the pencil icon next to each domain name, and specify at least one network under "Networks allowed to perform Zone Transfers".

To prevent any other machine from performing zone transfers, specify 127.0.0.1/32.

If your NetMAX product runs a DNS server but does not offer this option, you will need to edit your /etc/named.boot file and add an allow-transfer option:

Change these lines:

options {
    directory "/etc/namedb";
    // need the next line for old nslookups (ie. SunOS):
    fake-iquery yes;
    forwarders {
        #.#.#.#;
    };
    query-source address * port 53;
    min-roots 1;
    named-xfer "/bin/true";
};

To read:

options {
    directory "/etc/namedb";
    // need the next line for old nslookups (ie. SunOS):
    fake-iquery yes;
    forwarders {
        #.#.#.#;
    };
    query-source address * port 53;
    min-roots 1;
    named-xfer "/bin/true";
    allow-transfer {
        127.0.0.1/32;
    };
};
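To confirm that an edited configuration actually closes zone transfers, the following audit helper is an added example (it is not NetMAX's code or BIND's own tooling). It assumes the BIND 8 style options { ... } syntax shown above, treats a missing allow-transfer as open (BIND's default permits any host), and accepts only loopback or private addresses, "none", "localhost" and "localnets" as restrictive grants. The two embedded configurations are constructed from the before/after blocks above, with the documentation address 192.0.2.1 standing in for the #.#.#.# forwarders placeholder.

```python
"""Audit whether a BIND 8 style named configuration restricts zone transfers.

Added example, not NetMAX code: parses the options { ... } block, extracts
allow-transfer, and classifies the result as open / restricted / review.
"""
import ipaddress
import re
from typing import List, Optional

# Constructed samples modelled on the advisory's before/after configuration.
CONF_BEFORE = """\
options {
    directory "/etc/namedb";
    // need the next line for old nslookups (ie. SunOS):
    fake-iquery yes;
    forwarders {
        192.0.2.1;
    };
    query-source address * port 53;
    min-roots 1;
    named-xfer "/bin/true";
};
"""

# The fixed configuration: same block with allow-transfer limited to loopback.
CONF_AFTER = CONF_BEFORE.replace(
    '    named-xfer "/bin/true";\n',
    '    named-xfer "/bin/true";\n    allow-transfer {\n        127.0.0.1/32;\n    };\n',
)


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments; BIND's config parser accepts all three."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(conf: str, keyword: str) -> Optional[str]:
    """Text inside the braces of the first `keyword { ... }` statement,
    tracking nested braces (forwarders { }; allow-transfer { }; ...)."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return None  # unbalanced braces: treat as not found


def allow_transfer_entries(conf: str) -> Optional[List[str]]:
    """ACL entries of allow-transfer inside options { }, or None if absent."""
    options = block_body(strip_comments(conf), "options")
    if options is None:
        return None
    acl = block_body(options, "allow-transfer")
    if acl is None:
        return None
    return [e.strip() for e in acl.split(";") if e.strip()]


def classify(entries: Optional[List[str]]) -> dict:
    """'open' if anyone may transfer (option absent or 'any'), 'restricted' if
    every grant is local, otherwise 'review' naming the non-local grants."""
    if entries is None:
        return {"status": "open",
                "reason": "allow-transfer missing; BIND's default permits any host"}
    wide = []
    for e in entries:
        if e.startswith("!"):  # negated entries only deny, never widen access
            continue
        if e == "any":
            return {"status": "open", "reason": "allow-transfer { any; }"}
        if e in ("none", "localhost", "localnets"):
            continue
        try:
            net = ipaddress.ip_network(e, strict=False)
        except ValueError:
            wide.append(e)  # named ACL or TSIG key: inspect by hand
            continue
        if not (net.is_loopback or net.is_private):
            wide.append(e)
    if wide:
        return {"status": "review", "reason": "non-local grants: " + ", ".join(wide)}
    return {"status": "restricted", "reason": "grants limited to local addresses"}


def audit(conf: str) -> dict:
    """Classify a whole named configuration text."""
    return classify(allow_transfer_entries(conf))


if __name__ == "__main__":
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(name, audit(conf))
```

Running the script reports the original block as "open" and the edited block as "restricted". Feed it your own configuration text to check the result after NetMAX regenerates the file.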

See the knowledge base article explaining what you have to do to prevent NetMAX from overwriting custom configurations.

With these changes, only local machines can request zone transfers, so only local machines could use them to mount this DoS attack against your DNS server.

This issue has been addressed in version L2.2Pv3.1. We recommend upgrading to the most current version as an alternative to making changes to your NetMAX. The issues resolved in this version are:

  1. Included a new version of BIND that corrects the buffer overflow that can cause BIND to crash under this type of DoS attack.
  2. Ensure that the default policy is to not allow zone transfers.

This document is: http://www.netmax.org/cgi-bin/fom.cgi?file=372
This is a Faq-O-Matic 2.721.
This FAQ administered by ...Cybernet Systems Corp.