Free DNS Zone Transfer Test

Test whether your DNS zone transfers are properly restricted. DNS zone transfer vulnerabilities expose your complete DNS zone to anyone who asks.

No signup

Instant results

100% free

What Is DNS Zone Transfer?

DNS zone transfer (AXFR) is a mechanism for replicating DNS zone data between name servers. It's used by primary and secondary name servers to synchronize zone records. However, when misconfigured, zone transfers can be requested by anyone, not just authorized secondary servers. This exposes the complete DNS zone including all subdomains, mail servers, IP addresses, TXT records, and infrastructure details. Attackers use zone transfers for reconnaissance — mapping your entire network topology from a single DNS query. Every DNS security audit includes zone transfer testing as a fundamental check.

Why It Matters

An open zone transfer is a critical information disclosure vulnerability. It reveals your complete DNS infrastructure to attackers, enabling targeted attacks against specific subdomains, services, and IP ranges.

Common Mistakes

Leaving AXFR open to any IP address, not restricting zone transfers to authorized secondary name servers, using default BIND configurations that allow transfers, and not testing zone transfer restrictions after DNS infrastructure changes.

AXFR REQUEST

ACCEPTED

ZONE DUMP

EXPOSED

ZONE_ENGINE_V2

VULNERABLE

How It Works

Input Domain

Type the domain to test for zone transfer vulnerabilities.

Find Name Servers

We discover the authoritative name servers for the domain.

Attempt AXFR

We attempt a zone transfer (AXFR) request against each name server.

Report Results

If any server accepts the transfer, we report the vulnerability and exposed records.

Name Server Discovery

Automatically discovers all authoritative name servers for the target domain. Tests each name server individually since zone transfer policies may differ between servers in the same zone.

AXFR Vulnerability Test

Attempts DNS zone transfer (AXFR) requests against each discovered name server. Checks both standard and alternative transfer mechanisms that some misconfigured servers may accept.

Record Enumeration

If a zone transfer succeeds, we enumerate and report all exposed records including A, AAAA, MX, TXT, NS, CNAME, and SOA records. Shows the full scope of the information disclosure.

Multiple Transfer Types

Tests not just standard AXFR but also IXFR (incremental transfer) and alternative request formats. Some servers may block AXFR but incorrectly allow other transfer types.

Remediation Guidance

If a vulnerability is found, we provide specific remediation steps for common DNS server software including BIND, Microsoft DNS, PowerDNS, and cloud DNS providers.

False Positive Filtering

Distinguishes between genuine zone transfer success and error messages or partial responses that some servers return. Only reports confirmed vulnerabilities with verified data exposure.

Frequently Asked Questions

What is a DNS zone transfer?

A DNS zone transfer (AXFR) is a mechanism for copying the entire DNS zone from one name server to another. It's used to synchronize primary and secondary name servers. When misconfigured, anyone can request a zone transfer and receive all DNS records for the domain.

Why is an open zone transfer dangerous?

An open zone transfer exposes your complete DNS infrastructure including all subdomains, mail servers, IP addresses, TXT records with verification tokens, and internal service hostnames. Attackers use this for reconnaissance to plan targeted attacks against specific systems.

How do I fix an open zone transfer?

Restrict zone transfers to authorized secondary name servers only. In BIND, use the 'allow-transfer' directive with IP-based ACLs. In cloud DNS providers, disable zone transfer or restrict it to specific IPs. Never allow transfers from 'any' IP address.

Can I test zone transfer without being malicious?

Yes. Zone transfer testing is a standard, legitimate security audit practice. The DNS protocol allows anyone to query a name server's zone transfer policy. A properly configured server will deny the request. Testing your own domains is not only legal but recommended.

Does this tool modify any DNS records?

No. This tool only attempts to read DNS zone data via zone transfer requests. It does not modify, delete, or add any DNS records. It performs the same read-only queries that any DNS client or secondary server would perform.

Is this zone transfer test free?

Yes, this tool is 100% free with no signup required. For continuous zone transfer monitoring, automated vulnerability scanning, and infrastructure-wide DNS security auditing, upgrade to CyberFurl Pro.

Related Security Tools

DNS security validation

Need Continuous DNS Security Monitoring?

Automate zone transfer tests, monitor DNS configuration drift, detect open resolvers, and get alerted when DNS security vulnerabilities are introduced.

Start Free Trial View Pricing