Which practice best prevents unauthorized access to DNS data?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which practice best prevents unauthorized access to DNS data?

Explanation:
Preventing unauthorized access to DNS data hinges on controlling zone transfers, which copy the entire zone from a primary DNS server to secondary servers. If these transfers are allowed from any host, an attacker could pull the complete zone file and learn every subdomain, record, and mapping, effectively exposing the DNS namespace. By restricting zone transfers to a defined set of trusted secondary servers and authenticating those transfers (for example, with TSIG), you ensure that only approved servers receive the zone data, dramatically reducing the risk of leakage. Relying on TLS for DNS protects the confidentiality of individual queries in transit, but it doesn’t stop someone from obtaining the full zone data during transfers or from accessing stored zone information on servers, so it’s not as effective for preventing this kind of unauthorized access. Using caching alone doesn’t prevent access to the underlying zone data either.
