What is a DNS Zone Transfer exposure

What is a DNS zone transfer?

A DNS zone transfer (AXFR) is a mechanism that allows one DNS server to replicate its complete database of records to another DNS server. This is a legitimate and necessary operation in infrastructure where a primary nameserver needs to keep secondary nameservers in sync.

The problem arises when a nameserver is misconfigured to respond to zone transfer requests from any IP address, rather than only from trusted secondary nameservers. This is called an open zone transfer, and it is an information disclosure vulnerability.


Why is it a risk?

A successful AXFR response hands an attacker a complete map of your domain:

  • Every subdomain (including internal and staging environments you may not want publicised)
  • Every IP address those subdomains resolve to
  • Mail server records, SPF and DKIM records
  • Internal service names and infrastructure topology

This dramatically reduces the reconnaissance effort for a targeted attack. Subdomains that are not publicly linked — and that you may have forgotten about — are instantly revealed. Old, unpatched servers and forgotten admin interfaces become visible attack surface.


What to do

Step 1 — Check if your nameservers are vulnerable

Test each of your authoritative nameservers:

dig axfr yourdomain.com @ns1.yourdomain.com
dig axfr yourdomain.com @ns2.yourdomain.com

If you receive a full list of DNS records in the response, your nameserver is allowing open zone transfers. If you receive Transfer failed or REFUSED, you are safe.

Step 2 — Restrict zone transfers at the nameserver level

BIND (named.conf):

zone "yourdomain.com" {
    type master;
    file "/etc/bind/db.yourdomain.com";
    allow-transfer { 192.0.2.53; };  // only your secondary nameserver IP
};

Windows DNS Server:

In DNS Manager → right-click the zone → Properties → Zone Transfers tab → enable "Only to the following servers" and list your secondary nameservers.

Cloud DNS providers (Cloudflare, AWS Route 53, Google Cloud DNS):

Modern managed DNS providers do not expose AXFR to public clients at all. If you are using a managed provider and still seeing zone transfers succeed, contact your provider's support.

Step 3 — Audit what was exposed

Once fixed, review the records that were (or would have been) exposed and identify any subdomains or services that should not be public-facing. Take action to harden or decommission those services.
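As an added example (not part of this article), the following Python script automates Steps 1 and 3 together: it classifies the output of `dig axfr` for each authoritative nameserver as OPEN, REFUSED or ERROR, and for an open transfer it summarises what was exposed so the audit has something concrete to start from (names with RFC 1918 addresses, and labels such as staging or admin that suggest services which should not be public). The two dig outputs embedded below are constructed samples using RFC 5737 and RFC 1918 placeholder addresses; `check_nameservers` is the only function that actually runs `dig` and needs network access, and the keyword list in `REVIEW_HINTS` is an assumption you should tune to your own naming conventions.

```python
"""Classify dig axfr results per nameserver and summarise exposed records.

Added example, not code from the original article. Assumes the standard
text output format of `dig axfr <zone> @<server>` (BIND 9 dig).
"""
import ipaddress
import re
import subprocess
from collections import defaultdict

# dig record lines look like: name  TTL  IN  TYPE  data
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<data>.+)$")

# Address ranges that indicate internal infrastructure leaked into public DNS.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Hostname labels worth a second look during the audit (assumed list; tune it).
REVIEW_HINTS = ("staging", "dev", "test", "internal", "admin", "vpn", "old", "intranet", "uat")

# Constructed sample output of an OPEN transfer (placeholder names and IPs).
SAMPLE_OPEN = """\
; <<>> DiG 9.18.24 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2026032801 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tNS\tns2.example.com.
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t\t3600\tIN\tTXT\t"v=spf1 mx -all"
www.example.com.\t300\tIN\tA\t192.0.2.10
mail.example.com.\t300\tIN\tA\t192.0.2.25
staging.example.com.\t300\tIN\tA\t10.0.5.20
old-admin.example.com.\t300\tIN\tA\t192.0.2.99
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2026032801 7200 3600 1209600 3600
;; Query time: 11 msec
;; SERVER: 192.0.2.53#53(ns1.example.com) (TCP)
;; XFR size: 10 records (messages 1, bytes 312)
"""

# Constructed sample output of a REFUSED transfer.
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.24 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
; Transfer failed.
"""


def parse_records(output):
    """Extract resource records from dig output, skipping ';' comment lines."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def classify_axfr(output):
    """Return OPEN, REFUSED or ERROR for one dig axfr run.

    Unreachable servers are checked first so a timeout is never mistaken for a
    refusal. A real transfer is bracketed by the zone's SOA record at both ends.
    """
    if "no servers could be reached" in output or "communications error" in output:
        return "ERROR"
    if "Transfer failed" in output:
        return "REFUSED"
    records = parse_records(output)
    if len(records) >= 2 and records[0]["type"] == "SOA" and records[-1]["type"] == "SOA":
        return "OPEN"
    return "ERROR"


def summarise_exposure(output):
    """Summarise an open transfer: names, internal IPs and names to review."""
    records = parse_records(output)
    by_name = defaultdict(list)
    internal_ips, flagged = set(), set()
    for r in records:
        if r["type"] == "SOA":
            continue
        by_name[r["name"]].append((r["type"], r["data"]))
        if r["type"] in ("A", "AAAA"):
            addr = ipaddress.ip_address(r["data"])
            if any(addr in net for net in INTERNAL_NETS):
                internal_ips.add(r["data"])
                flagged.add(r["name"])
        label = r["name"].split(".")[0].lower()
        if any(hint in label for hint in REVIEW_HINTS):
            flagged.add(r["name"])
    return {"record_count": len(records), "names": sorted(by_name),
            "private_ips": sorted(internal_ips), "flagged_names": sorted(flagged)}


def check_nameservers(zone, nameservers):
    """Run dig against each nameserver (requires dig and network access)."""
    results = {}
    for ns in nameservers:
        proc = subprocess.run(["dig", "axfr", zone, "@" + ns, "+time=5", "+tries=1"],
                              capture_output=True, text=True)
        results[ns] = classify_axfr(proc.stdout)
    return results


if __name__ == "__main__":
    print("ns1:", classify_axfr(SAMPLE_OPEN), summarise_exposure(SAMPLE_OPEN))
    print("ns2:", classify_axfr(SAMPLE_REFUSED))
```

Run it as-is to see the classification of the two samples; to test your own zone, call `check_nameservers("yourdomain.com", ["ns1.yourdomain.com", "ns2.yourdomain.com"])` and feed any OPEN result's raw dig output to `summarise_exposure` to get the list of names to harden or decommission.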


Key point

Restricting zone transfers does not hide your DNS records from a patient attacker — they can still enumerate subdomains via brute-force or passive DNS databases. But it removes the ability to do so instantly and completely, significantly raising the cost of reconnaissance.


Last updated: March 28, 2026