DNS Zone Transfer Test (AXFR)

Check whether a domain's nameservers allow an AXFR zone transfer. An open zone transfer hands your entire DNS zone to any anonymous client - every host, subdomain, and internal record - so it is treated as a serious misconfiguration. We query each authoritative nameserver and report whether the transfer is refused (secure) or allowed (vulnerable).

Only public nameservers are contacted. We attempt a standard AXFR query over TCP/53; nothing is modified.

What is a DNS zone transfer (AXFR)?

A DNS zone transfer is a bulk copy of every record in a DNS zone from a primary nameserver to a secondary. The full-transfer query type is AXFR (RFC 5936), and it runs over TCP port 53. It exists so that backup nameservers stay in sync - it is meant to be restricted to a small list of authorized secondary servers, never offered to the public.

Why is an open zone transfer a security risk?

When a nameserver answers AXFR for anyone, it hands over a complete map of the domain in a single request: every subdomain, mail server, internal hostname, and IP. That is reconnaissance gold for an attacker. The main risks are:

  • Full attack-surface disclosure - staging, admin, VPN, and dev subdomains that were never meant to be public become visible.
  • Internal network mapping - internal IPs and host naming conventions leak, aiding lateral movement.
  • Targeted phishing and spoofing - mail and service records make convincing impersonation easier.
  • Faster exploitation - no slow brute-force subdomain enumeration is needed; the attacker gets the whole list at once.
  • Compliance findings - open AXFR is a standard penetration-test and audit flag.

How do I fix or prevent open zone transfers?

Restrict AXFR to known secondaries and authenticate the transfer. Concretely:

  1. In BIND, set allow-transfer { none; }; in the global options block, then override it in each zone statement with only the addresses (or TSIG keys) of that zone's secondaries.
  2. Authenticate transfers with TSIG (RFC 8945) shared keys between primary and secondary.
  3. Filter inbound TCP/53 at the firewall to your secondary nameservers only.
  4. Re-test with this tool (and dig AXFR @ns example.com) until every nameserver reports refused.
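The following named.conf fragment is an added illustration of steps 1 and 2 above, not configuration taken from the page or from any real deployment: the zone name, the 192.0.2.x addresses (TEST-NET-1) and the key material are placeholders, and the secret would normally be generated with BIND's tsig-keygen utility.

```conf
// Shared TSIG key; the same key statement goes on the secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen, placeholder>";
};

options {
    // Global default: refuse AXFR from everyone.
    allow-transfer { none; };
};

zone "example.com" {
    type primary;
    file "example.com.zone";
    // Per-zone override: only clients that sign the request with the key
    // may pull the zone, regardless of their source IP.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };   // the authorized secondary
};
```

The secondary then references the same key in a server statement (server 192.0.2.10 { keys { "xfer-key"; }; }; on the secondary, where 192.0.2.10 is the primary). An unsigned AXFR from any address, including the secondary's, is refused after this change, which is exactly what the re-test in step 4 should show.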

How this test works

We resolve the domain's NS records, resolve each nameserver to its public IP, and send a standard AXFR query to each over TCP/53. If a server returns the zone, we flag it as vulnerable and show the leaked records; if it refuses (the normal response), we report it as secure. We never modify any DNS data, we cap the number of nameservers and records, and we contact only public IPs. A good test domain is zonetransfer.me, which is intentionally left open for demonstration.
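The following Python is an added example of the check described above, written to show the mechanics rather than taken from this tool's own code. It builds a raw AXFR query with TCP length framing, parses the reply (including DNS name compression), and classifies a nameserver as secure when the transfer is refused or vulnerable when answer records come back. The two sample replies are constructed in the script so it runs offline; the check_nameserver function does live TCP/53 I/O and is only exercised when you pass a zone and nameserver IP on the command line.

```python
"""Minimal AXFR zone-transfer check (added example; not this tool's code).
Hostnames, addresses and sample replies below are constructed placeholders."""
import socket
import struct

QTYPE_AXFR = 252
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Return a TCP-framed DNS message (2-byte length prefix) asking for AXFR of zone."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # plain query, 1 question
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)  # class IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, off):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def classify_axfr_response(messages):
    """Classify the unframed reply messages of one AXFR attempt."""
    if not messages or len(messages[0]) < 12:
        return {"status": "error", "rcode": None, "records": []}
    rcode = struct.unpack("!H", messages[0][2:4])[0] & 0x000F
    records = []
    for msg in messages:
        _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        off = 12
        for _ in range(qd):  # skip the echoed question section
            _, off = decode_name(msg, off)
            off += 4
        for _ in range(an):  # walk the answer section, recording owner name and type
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            records.append((name, TYPE_NAMES.get(rtype, str(rtype))))
    if rcode == 0 and records:
        status = "vulnerable"  # the server handed over zone data
    elif rcode in (5, 9):
        status = "secure"      # REFUSED / NOTAUTH is the expected answer
    else:
        status = "error"
    return {"status": status, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "records": records}


def _transfer_complete(messages):
    """A refusal is one message; a transfer ends when the closing SOA arrives."""
    result = classify_axfr_response(messages)
    soa_count = sum(1 for _, t in result["records"] if t == "SOA")
    return result["status"] != "vulnerable" or soa_count >= 2


def check_nameserver(ns_ip, zone, timeout=5.0):
    """Send one AXFR query over TCP/53 to ns_ip and classify the reply (live network I/O)."""
    messages, buf = [], b""
    with socket.create_connection((ns_ip, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        while not (messages and _transfer_complete(messages)):
            try:
                chunk = sock.recv(65535)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            while len(buf) >= 2 and len(buf) >= 2 + struct.unpack("!H", buf[:2])[0]:
                n = struct.unpack("!H", buf[:2])[0]
                messages.append(buf[2:2 + n])
                buf = buf[2 + n:]
    return classify_axfr_response(messages)


def sample_refused_reply(zone, txid=0x1234):
    """Constructed reply: QR and AA set, rcode REFUSED, question echoed, no answers."""
    return (struct.pack("!HHHHHH", txid, 0x8405, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1))


def sample_leaked_reply(zone, txid=0x1234):
    """Constructed reply: SOA, A, SOA answers using pointers to the question name at offset 12."""
    soa_rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))

    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

    answers = (rr(b"\xC0\x0C", 6, soa_rdata)
               + rr(b"\x03www\xC0\x0C", 1, bytes([192, 0, 2, 10]))  # TEST-NET-1 address
               + rr(b"\xC0\x0C", 6, soa_rdata))
    return (struct.pack("!HHHHHH", txid, 0x8400, 1, 3, 0, 0)
            + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1) + answers)


if __name__ == "__main__":
    import sys
    print(check_nameserver(sys.argv[2], sys.argv[1]))  # usage: script.py <zone> <nameserver IP>
```

Run it as python3 axfr_check.py zonetransfer.me <nameserver IP> against the demonstration zone mentioned above to see a "vulnerable" result with the leaked owner names and types; against a correctly configured server the reply is a single message with rcode REFUSED and the status is "secure". A real tool would add NS resolution, a per-server record cap and a public-IP filter, as the text describes.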


How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.