Which statements about a zone transfer are correct?

• A. A zone transfer is accomplished with DNS, passes all zone information that a DNS server maintains, and can be prevented by blocking all inbound TCP port 53 connections.
• B. A zone transfer uses UDP only and cannot be blocked by firewalls.
• C. Zone transfers share only a portion of zone data and are hard to block.
• D. Zone transfers occur without any DNS involvement.

Answer: (A)

Zone transfers are a DNS mechanism for replicating zone data from one DNS server to another. In a full transfer (AXFR), the transfer includes all resource records for the zone, which is why a zone transfer can reveal the entire zone’s information to the receiving server. These transfers happen using the DNS protocol over TCP port 53 to ensure reliable delivery; blocking inbound TCP traffic on port 53 can prevent them, which is a common defense in securing DNS servers. Normal DNS queries use UDP on port 53, but the actual transfer of zone data relies on TCP, so blocking that TCP path stops the transfer. Zone transfers involve DNS, and they can be restricted or blocked with appropriate firewall rules, unlike options that imply UDP-only transfers, no DNS involvement, or partial data transfers.