DNS Zone Transfer (AXFR) Security Tester

Test if zone transfers are improperly exposed - a critical DNS security vulnerability


What is DNS Zone Transfer (AXFR)?

DNS Zone Transfer (AXFR) is a mechanism for replicating DNS zone data between authoritative nameservers. When configured properly, it allows secondary nameservers to maintain synchronized copies of zone data from primary servers. However, if AXFR is misconfigured to allow transfers from any source, it becomes a serious security vulnerability. Attackers can download your entire DNS zone, revealing all subdomains, internal hostnames, IP addresses, and infrastructure details that should remain private.

Security Implications

Information Disclosure (Severity: High)

Entire DNS zone exposed, revealing all subdomains, internal hostnames, IP addresses, mail servers, and infrastructure topology.

Provides attackers with a complete map of your DNS infrastructure

Reconnaissance for Attacks (Severity: High)

Leaked zone data enables targeted attacks on discovered internal systems, dev/staging environments, and admin interfaces.

Significantly increases attack surface and enables focused exploitation

Subdomain Enumeration (Severity: Medium)

Discovery of hidden subdomains like admin.example.com, staging.example.com, vpn.example.com that attackers can target.

Exposes systems intended to be hidden from public knowledge

Internal IP Exposure (Severity: Medium)

Private IP addresses and internal network topology revealed through zone records.

Helps attackers understand internal network architecture

Understanding Test Results

Vulnerable: Zone transfer succeeded

The nameserver allowed unrestricted zone transfer and returned DNS records. This is a critical security vulnerability.

Action: Immediately restrict AXFR to authorized secondary nameservers only

Secure: Transfer refused

The nameserver properly rejected the zone transfer request. This is the correct configuration for public queries.

Action: No action needed - nameserver is properly configured

Error: Query failed

Could not complete the AXFR test due to timeout, connection failure, or other error. Nameserver may be unreachable.

Action: Verify nameserver is functioning properly
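The three result classes above can be derived mechanically from the text that dig prints. The following is an added example, not the tester's own code: it classifies captured `dig ... AXFR` output and, for a successful transfer, lists the hostnames that were exposed. It assumes BIND 9 dig conventions (a refused transfer prints "; Transfer failed.", a transport failure prints ";; communications error" lines, and a complete transfer is framed by the zone's SOA record at both ends); the three sample outputs are constructed, not captured from any real nameserver.

```python
"""Classify captured `dig ... AXFR` output as Vulnerable / Secure / Error.

Added example, not part of the tester. Assumes BIND 9 dig output conventions:
  - a refused transfer prints "; Transfer failed."
  - a transport failure prints ";; communications error ..." lines
  - a successful transfer prints resource records framed by an SOA at the
    start and the end, followed by an ";; XFR size:" summary line.
"""
import re

# Constructed sample outputs (not captured from any real nameserver).
DIG_SUCCESS = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
admin.example.com.\t300\tIN\tA\t192.0.2.10
staging.example.com.\t300\tIN\tA\t10.0.0.5
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 5 records (messages 1, bytes 220)
"""

DIG_REFUSED = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
; Transfer failed.
"""

DIG_TIMEOUT = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
;; communications error to 192.0.2.1#53: timed out
;; communications error to 192.0.2.1#53: timed out
; Transfer failed.
"""

# One resource record as dig prints it: name, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$")
ERROR_MARKERS = ("communications error", "connection refused", "no servers could be reached")


def parse_records(output):
    """Return the (name, type, rdata) tuples dig printed, skipping ';' comment lines."""
    records = []
    for line in output.splitlines():
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"], m["type"], m["rdata"]))
    return records


def classify_axfr(output):
    """Map dig output to one of the three result classes.

    Transport errors are checked first because dig prints "; Transfer failed."
    after a timeout as well as after a REFUSED response from the server.
    """
    lowered = output.lower()
    if any(marker in lowered for marker in ERROR_MARKERS):
        return "Error"
    records = parse_records(output)
    # A well-formed AXFR is framed by the zone's SOA record at both ends.
    framed = len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA"
    if framed:
        return "Vulnerable"
    if "; transfer failed." in lowered:
        return "Secure"
    return "Error"


def leaked_names(output):
    """Hostnames exposed by a successful transfer (sorted, deduplicated)."""
    if classify_axfr(output) != "Vulnerable":
        return []
    return sorted({name.rstrip(".") for name, _, _ in parse_records(output)})


if __name__ == "__main__":
    for label, out in (("success", DIG_SUCCESS), ("refused", DIG_REFUSED), ("timeout", DIG_TIMEOUT)):
        print(f"{label}: {classify_axfr(out)} {leaked_names(out)}")
```

Checking the SOA framing rather than merely counting record lines matters: a server that answers the AXFR query with a single SOA (as it does for a refused IXFR fallback or a partial response) has not leaked the zone.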

Proper AXFR Configuration

BIND

Restrict transfers to specific IP addresses of secondary nameservers

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com";
    allow-transfer {
        192.0.2.1;    // Secondary NS IP
        203.0.113.5;  // Another authorized secondary
    };
};

NSD

Explicitly list authorized IPs for zone transfers

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    provide-xfr: 192.0.2.1 NOKEY
    provide-xfr: 203.0.113.5 NOKEY

PowerDNS

Configure allowed transfer IPs in configuration or database

allow-axfr-ips=192.0.2.1,203.0.113.5
# Or in SQL zone metadata:
INSERT INTO domainmetadata (domain_id, kind, content)
VALUES (1, 'ALLOW-AXFR-FROM', '192.0.2.1');

Microsoft DNS

Use the GUI to restrict transfers to specific servers only

Right-click zone → Properties → Zone Transfers:
☑ Allow zone transfers
  ○ Only to servers listed on the Name Servers tab
  ○ Only to the following servers: [Add IPs]
  ☐ To any server

Fixing AXFR Vulnerabilities

1. Identify Vulnerable Nameservers

Use this tool or manual dig commands to test all authoritative nameservers

dig @nameserver.example.com example.com AXFR

2. Configure Transfer Restrictions

Edit nameserver config to allow transfers only from secondary NS IP addresses

allow-transfer { 192.0.2.1; 203.0.113.5; };

3. Reload DNS Configuration

Apply configuration changes and reload the nameserver

rndc reload (BIND) or service nsd reload (NSD)

4. Verify Fix

Test from external IP to confirm AXFR is now refused, and from secondary to confirm authorized transfers still work

dig @nameserver.example.com example.com AXFR

5. Implement TSIG

Add TSIG keys for cryptographic authentication of zone transfers

tsig-keygen -a hmac-sha256 transfer-key

DNS Security Best Practices

Restrict Zone Transfers (Priority: Critical)

Only allow AXFR from authorized secondary nameservers. Never allow unrestricted transfers.

Use TSIG Authentication (Priority: High)

Implement TSIG (Transaction Signature) for authenticated zone transfers between servers.

Regular Security Audits (Priority: High)

Periodically test your nameservers for AXFR vulnerabilities using tools like this one.

Minimize Public DNS Records (Priority: Medium)

Don't publish internal hostnames or private infrastructure details in public DNS zones.

Split-Horizon DNS (Priority: Medium)

Use separate internal and external DNS zones. Internal zone contains private records, external only public ones.

Monitor DNS Query Logs (Priority: Medium)

Log and monitor AXFR requests to detect unauthorized transfer attempts.
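The monitoring recommendation above is concrete enough to script. The following is an added example, not code from this tester: it reads BIND-style transfer and query log lines, extracts the client address and zone, and raises an alert whenever an AXFR is requested, refused, or actually served to an address outside the set of known secondaries. The log lines are constructed to approximate BIND 9's xfer-out, security and queries categories; the allowed-secondary addresses match the configuration examples on this page and are assumptions.

```python
"""Flag AXFR activity from addresses that are not authorized secondaries.

Added example (not this tester's code). The log format is modelled on
BIND 9's "client <addr>#<port> (<zone>): <message>" lines; the sample
lines below are constructed, not taken from a real server.
"""
import re
from collections import Counter

# Assumption: these are the only hosts that should ever receive a transfer.
ALLOWED_SECONDARIES = {"192.0.2.1", "203.0.113.5"}

# Constructed sample log (approximates BIND 9's xfer-out / security / queries output).
SAMPLE_LOG = """\
12-Mar-2024 10:00:01.123 xfer-out: info: client @0x7f1a 192.0.2.1#50123 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024010101)
12-Mar-2024 10:00:01.456 xfer-out: info: client @0x7f1a 192.0.2.1#50123 (example.com): transfer of 'example.com/IN': AXFR ended
12-Mar-2024 10:05:44.001 security: error: client @0x7f2b 198.51.100.7#40022 (example.com): zone transfer 'example.com/AXFR/IN' denied
12-Mar-2024 10:06:10.777 xfer-out: info: client @0x7f3c 198.51.100.9#40100 (legacy.example): transfer of 'legacy.example/IN': AXFR started (serial 2024010101)
12-Mar-2024 10:07:00.000 queries: info: client @0x7f4d 203.0.113.5#53 (example.com): query: example.com IN A -E(0)D (192.0.2.53)
12-Mar-2024 10:08:15.250 queries: info: client @0x7f5e 198.51.100.7#40055 (example.com): query: example.com IN AXFR -T (192.0.2.53)
"""

# Client address, zone in parentheses, then the free-text message.
CLIENT_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Return {'ip', 'zone', 'event'} for AXFR-related lines, else None."""
    m = CLIENT_LINE.search(line)
    if not m:
        return None
    msg = m["msg"]
    if "AXFR started" in msg:
        event = "started"        # the server began sending the zone
    elif "/AXFR/" in msg and "denied" in msg:
        event = "denied"         # the allow-transfer ACL refused the client
    elif " IN AXFR" in msg:
        event = "query"          # an AXFR query was received (outcome unknown here)
    else:
        return None
    return {"ip": m["ip"], "zone": m["zone"], "event": event}


def analyze(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (severity, ip, zone, reason) alerts for unauthorized AXFR activity."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ip"] in allowed:
            continue             # non-AXFR line, or an authorized secondary
        if ev["event"] == "started":
            reason = "zone served to unauthorized client: allow-transfer is too permissive"
            alerts.append(("CRITICAL", ev["ip"], ev["zone"], reason))
        elif ev["event"] == "denied":
            alerts.append(("WARNING", ev["ip"], ev["zone"], "AXFR attempt refused by ACL"))
        else:
            alerts.append(("WARNING", ev["ip"], ev["zone"], "AXFR query received"))
    return alerts


def probe_sources(log_text, allowed=ALLOWED_SECONDARIES):
    """Count AXFR-related events per unauthorized source address."""
    return Counter(ip for _, ip, _, _ in analyze(log_text, allowed))


if __name__ == "__main__":
    for severity, ip, zone, reason in analyze(SAMPLE_LOG):
        print(f"[{severity}] {ip} -> {zone}: {reason}")
    print(dict(probe_sources(SAMPLE_LOG)))
```

A CRITICAL alert is the signal that the configuration fix above did not take effect for that zone; repeated WARNING entries from one address are worth correlating with other reconnaissance against the same nameserver.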