Which DNS security practice prevents zone data leakage?

Multiple Choice

Which DNS security practice prevents zone data leakage?

Explanation:
Zone data leakage happens when the full DNS zone file is copied to servers that should not have it. A DNS zone transfer is the process that copies this data from the master server to its secondary servers. If zone transfers are allowed to any host, or to untrusted partners, the entire zone content (subdomains, records, and address mappings) can be exposed. Restricting zone transfers to only authorized secondary servers (and typically securing that transfer with authentication such as TSIG) limits who can receive the zone data, which prevents unintended disclosure of the zone information.

Hardening DNS servers improves overall security but does not specifically stop the exposure of zone data. Split-horizon operation serves different responses to internal and external clients; it controls what each audience sees rather than preventing the zone itself from leaking. Subnet diversity improves resilience and availability, not data leakage prevention.
