What is a DNS Zone Transfer?
A zone transfer (AXFR) is a mechanism to replicate DNS databases across servers. While essential for DNS redundancy, allowing unauthorized zone transfers exposes your entire DNS structure.
Security Risks of Open Zone Transfers
- Information Disclosure: Reveals all subdomains and internal hostnames
- Attack Surface Mapping: Helps attackers identify targets
- Network Topology Exposure: Shows internal IP addresses
- Compliance Issues: May violate security policies
How to Secure Zone Transfers
- Restrict AXFR to authorized secondary nameservers only
- Use TSIG (Transaction Signatures) for authentication
- Configure firewall rules to block port 53 TCP from unauthorized IPs
- Regularly audit DNS server configurations
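To make the restrict-AXFR, TSIG and audit steps concrete, here is an added example that is not part of this page or any vendor's documentation: two constructed BIND named.conf fragments, one open and one restricted, and a small Python audit that flags zones whose allow-transfer is missing or set to any. The zone names, key name, placeholder secret and documentation-range addresses are all assumptions.

```python
import re
# Constructed BIND named.conf fragments (sample input, not a real server's config).
WEAK_CONF = """
zone "example.com" {
    type master;
    allow-transfer { any; };   # AXFR open to anyone who asks
};
zone "internal.example" {
    type master;               # no allow-transfer at all: server default applies
};
"""

HARDENED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   # placeholder; generate with tsig-keygen
};
zone "example.com" {
    type master;
    allow-transfer { key xfer-key; };     # only TSIG-signed AXFR requests
};
zone "internal.example" {
    type master;
    allow-transfer { 192.0.2.53; 2001:db8::53; };   # only the listed secondaries
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def audit_zone_transfers(conf):
    """Return {zone: verdict}; checks zone-level ACLs only, not a global options {} ACL."""
    findings = {}
    for name, body in ZONE_RE.findall(conf):
        m = XFER_RE.search(body)
        if m is None:
            findings[name] = "missing allow-transfer (server default, historically any)"
            continue
        acl = [t.strip() for t in m.group(1).split(";") if t.strip()]
        if "any" in acl:
            findings[name] = "allow-transfer { any; }"
        elif acl == ["none"]:
            findings[name] = "ok (transfers disabled)"
        elif any(t.startswith("key ") for t in acl):
            findings[name] = "ok (TSIG-restricted)"
        else:
            findings[name] = "ok (IP-restricted; prefer adding TSIG)"
    return findings
```

Running the audit over the weak fragment reports both zones; over the hardened one it reports only "ok" verdicts.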
Frequently Asked Questions
Is zone transfer always bad?
No, zone transfers between your own authorized servers are necessary for DNS redundancy. Only unauthorized transfers are a security risk.
What if my test shows "vulnerable"?
Configure your nameserver to restrict AXFR requests to specific IP addresses or use TSIG authentication.