Skip to main content
cd ../config-traps
risk/register/open-axfr-your-nameserver-handing-out-the-whole-zone.html
DNS Resiliencehigh severityBIND9 / DNS

Open AXFR: Your Nameserver Handing Out the Whole Zone

Overview

Nameservers left with allow-transfer absent or set to any hand out complete zone dumps via a single dig axfr query. Every subdomain, internal hostname, VPN endpoint, staging server, and mail exchanger becomes visible to any unauthenticated party, handing attackers a ready-made reconnaissance map with no logging distinction from legitimate secondary syncs.

At a glance

Unsafe setting
allow-transfer clause missing or set to { any; } on authoritative zones
Failure trigger
Unauthenticated dig axfr query against the primary or any misconfigured secondary nameserver
Blast radius
Full zone contents exposed: internal hosts, staging systems, VPN gateways, mail servers, and naming conventions for phishing pretexts.
Recommended control
Restrict allow-transfer to a TSIG-keyed ACL, deny any, firewall TCP/53, and log xfer-out attempts

Fix commands and configuration

tsig-keygen transfer-key
named.conf
acl secondaries { key transfer-key; }; options { allow-transfer { !any; secondaries; }; };

The Trap

Unrestricted AXFR (full zone transfer) on authoritative DNS servers, where the allow-transfer clause in named.conf is either absent or explicitly set to any.

The Default State

BIND9’s zone transfer behaviour depends entirely on operator configuration, and the common shortcut during initial setup is to omit allow-transfer from the zone or options block entirely, or to set it to { any; } so secondaries never fail to sync during testing. Once the zone goes live, nobody revisits that clause. PowerDNS and Microsoft DNS carry the same risk when zone transfer restrictions aren’t paired with TSIG or IP ACLs, and many managed DNS providers leave AXFR enabled on the primary by default because it’s assumed only secondaries will ever ask.

The Blast Radius

Any host on the internet can run dig axfr domain.com @ns1.domain.com and receive the entire zone file in one TCP/53 response: every subdomain, every internal hostname, every VPN concentrator, staging environment, mail exchanger, and forgotten legacy A record. This isn’t guesswork reconnaissance against a wordlist; it’s a complete, authoritative inventory of the attack surface handed over unauthenticated. Attackers use it to identify unpatched staging servers still resolving to production IP ranges, to enumerate internal naming conventions for spear-phishing pretexts, and to spot split-horizon leakage where internal-only records were accidentally published externally. Combined with a subsequent SOA/NS enumeration, it also reveals which secondary servers exist, widening the target list for a follow-on transfer attempt or cache-poisoning window. The exposure is silent: standard query logging rarely distinguishes a legitimate secondary’s AXFR from a hostile one unless transfer-specific logging is enabled.

The Lead Mechanic Fix

Lock transfers to an explicit ACL keyed on TSIG, not IP alone, since IPs are trivially spoofable for UDP but transfers ride TCP where source validation still matters less than key-based auth. Generate a shared secret with tsig-keygen transfer-key, then in named.conf: acl secondaries { key transfer-key; }; options { allow-transfer { !any; secondaries; }; };, applying the same override per-zone if any zone historically had a laxer setting. Verify with dig axfr domain.com @ns1.domain.com from an unauthenticated host and confirm it returns Transfer failed. For split-horizon estates, additionally set allow-query separately from allow-transfer so recursive lookups aren’t accidentally blocked while transfers are locked down. Firewall TCP/53 at the network layer as defence-in-depth, and enable logging { channel xfer-log { category xfer-out; }; }; to alert on any transfer attempt from outside the secondaries ACL.