Network & Protocol | Medium Severity

DNS Zone Transfer Scanner

Tests for unauthorized DNS zone transfer (AXFR).

What is DNS Zone Transfer?

DNS Zone Transfer (AXFR) is a mechanism for replicating DNS records between servers. When misconfigured to allow transfers to any requester, attackers can download complete zone files containing all DNS records—hostnames, IP addresses, mail servers, and other infrastructure details.

Why is This Important?

Zone transfer exposes your entire DNS infrastructure: all subdomains, internal hostnames, mail servers, and sometimes comments revealing sensitive information. This accelerates reconnaissance dramatically and may expose internal systems that should never be publicly known.

How It Works

1. Network Discovery

Scans and fingerprints network services, identifying open ports, protocols, and service versions.

2. Protocol Analysis

Tests protocol implementations for misconfigurations, weak encryption, and known vulnerabilities.

3. Infrastructure Assessment

Provides comprehensive network security posture with prioritized remediation recommendations.

Key Capabilities

Enterprise network security assessment covering infrastructure, protocols, and service configurations.

  • Comprehensive port and service discovery
  • Protocol-specific vulnerability checks
  • TLS/SSL configuration analysis
  • Legacy protocol detection and assessment
  • Network segmentation validation

Frequently Asked Questions

What information is exposed in a zone transfer?

Zone transfers reveal: all A/AAAA records (hostnames and IPs), MX records (mail infrastructure), NS records (nameserver hierarchy), TXT records (may contain sensitive data), CNAME records (service relationships), and sometimes comments with internal information.

How do I test for zone transfer vulnerability?

Use dig: 'dig @nameserver domain.com AXFR'. Tools such as dnsrecon and dnsenum automate the test against every nameserver for the domain. If the transfer succeeds and returns records, that server is misconfigured; a properly configured server refuses AXFR requests from unauthorized sources.

Why is zone transfer allowed at all?

Zone transfer is legitimate for synchronizing secondary DNS servers with the primary. The vulnerability is allowing transfer to anyone. Properly configured servers only allow AXFR to specific secondary server IPs or require TSIG authentication.

How do I fix zone transfer vulnerabilities?

Configure allow-transfer to include only the IP addresses of your secondary nameservers, use TSIG keys so that transfers are authenticated, verify on cloud DNS services that public zone transfer is disabled, and audit DNS server configurations regularly. Re-test after every change to confirm the restriction actually works.
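A BIND 9 named.conf fragment showing the open configuration this scanner flags next to the fix just described (secondary-only transfers authenticated with a TSIG key). This is an added example, not part of the original page or any vendor's code; the zone name, the addresses 192.0.2.1/192.0.2.2 and the key name "xfer-key" are placeholders, and the secret must be replaced with one produced by tsig-keygen.

```conf
# --- WEAK (what the scanner detects): any client may pull the whole zone ---
# zone "example.com" {
#     type primary;
#     file "example.com.zone";
#     allow-transfer { any; };
# };

# --- FIXED: primary server (192.0.2.1) ---
# Generate the key once with:  tsig-keygen -a hmac-sha256 xfer-key
# and install the identical key statement on primary and secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # placeholder, never commit a real secret
};

# Sign all traffic to the secondary (NOTIFY, etc.) with the same key.
server 192.0.2.2 {
    keys { "xfer-key"; };
};

options {
    # Global default: deny AXFR everywhere; zones must opt in explicitly.
    allow-transfer { none; };
};

zone "example.com" {
    type primary;                  # "type master" on BIND releases before 9.16
    file "example.com.zone";
    # Only requests signed with the TSIG key may transfer the zone.
    # A weaker, IP-only alternative would be:  allow-transfer { 192.0.2.2; };
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

# --- FIXED: secondary server (192.0.2.2), same key statement as above ---
# zone "example.com" {
#     type secondary;             # "type slave" on BIND releases before 9.16
#     file "db.example.com";
#     # Pull from the primary and sign the AXFR/IXFR request with the key.
#     primaries { 192.0.2.1 key "xfer-key"; };   # "masters" before 9.16
# };
```

After reloading, 'dig @192.0.2.1 example.com AXFR' from an unrelated host should now answer "Transfer failed." while the secondary still synchronizes.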
