SMTPDoctor

SEC-02 / SECURITY

AXFR Checker

Test whether a domain's nameservers allow unauthorized DNS zone transfers — a real, if now rare, misconfiguration.

About the AXFR Checker

A DNS zone transfer (AXFR) is meant to sync records between your own nameservers, but if a server allows anyone to request one, it hands over your entire DNS zone, exposing every hostname the zone contains. This tool actually attempts a transfer against each nameserver to test whether they're locked down.

What this tool checks

It looks up your domain's authoritative nameservers (its NS records) and sends a real AXFR query (QTYPE 252) to each one over TCP port 53, the transport zone transfers use. For every nameserver it reports whether the transfer was refused (secure) or allowed (a serious exposure); a server that simply closes the connection without answering is also treated as refusing.
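The check described above, as an added example that is not SMTPDoctor's own code: it builds the AXFR query in DNS wire format, frames it with the two-byte length prefix DNS over TCP requires, sends it to one nameserver on port 53, and classifies the first reply message (NOERROR with the zone's SOA as the first answer means the transfer was allowed; REFUSED, NOTAUTH, or a closed connection means it was not). The zone `example.com`, the server address passed on the command line, and the two hand-built reply messages are constructed placeholders for illustration.

```python
# Added example (not SMTPDoctor's code): a stdlib-only AXFR probe.
# Assumed placeholders: 'example.com' and any server passed on the command line.
import socket
import struct
import sys

QTYPE_AXFR = 252      # zone transfer query type
QCLASS_IN = 1
RCODE_NAMES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """12-byte header (flags 0: standard query, RD clear) plus one AXFR question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg, off):
    """Offset just past a name starting at off; a 2-byte 0xC0 pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def classify_response(msg, txid):
    """Classify the first reply: an open server returns NOERROR with the zone SOA
    (type 6) as first answer; a locked-down one returns REFUSED/NOTAUTH or hangs up."""
    if len(msg) < 12:
        return "error", "truncated header"
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        return "error", "transaction id mismatch"
    rcode = flags & 0x000F
    if rcode != 0:
        return "refused", RCODE_NAMES.get(rcode, "rcode %d" % rcode)
    off = 12
    for _ in range(qd):                # step over the echoed question section
        off = skip_name(msg, off) + 4
    if an == 0:
        return "refused", "NOERROR with no answer records"
    off = skip_name(msg, off)          # owner name of the first answer record
    (rtype,) = struct.unpack("!H", msg[off:off + 2])
    if rtype == 6:
        return "allowed", "transfer started with SOA, %d records in first message" % an
    return "unexpected", "first answer record type %d" % rtype

def recv_exact(sock, n):
    """Read exactly n bytes, or None if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def check_axfr(server_ip, zone, timeout=5.0):
    """Send a real AXFR to server_ip:53 and classify the first reply message."""
    txid = 0x1234
    try:
        with socket.create_connection((server_ip, 53), timeout=timeout) as sock:
            sock.sendall(tcp_frame(build_axfr_query(zone, txid)))
            prefix = recv_exact(sock, 2)
            if prefix is None:
                return "refused", "connection closed without a reply"
            msg = recv_exact(sock, struct.unpack("!H", prefix)[0])
            return classify_response(msg, txid) if msg else ("error", "short read")
    except OSError as exc:
        return "error", str(exc)

def constructed_responses(zone="example.com", txid=0x1234):
    """Two hand-built replies (constructed sample data, not captured traffic)."""
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    refused = struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + question   # QR set, rcode 5
    soa_rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300))
    # owner name is a compression pointer (0xC00C) back to the question name
    soa_rr = b"\xc0\x0c" + struct.pack("!HHIH", 6, QCLASS_IN, 3600, len(soa_rdata)) + soa_rdata
    allowed = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + question + soa_rr
    return {"refused": refused, "allowed": allowed}

if __name__ == "__main__":
    if len(sys.argv) == 3:             # python axfr_probe.py <nameserver-ip> <zone>
        print(check_axfr(sys.argv[1], sys.argv[2]))
    else:                              # offline demo against the constructed replies
        for name, reply in constructed_responses().items():
            print(name, "->", classify_response(reply, 0x1234))
```

Only the first message of the transfer is read, which is enough to decide allowed versus refused; a full dump would keep reading length-prefixed messages until the closing SOA record arrives. Run it per nameserver, against zones you are authorized to test, since a single misconfigured secondary is enough to expose the zone.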

What a good result looks like

Nearly all correctly configured nameservers refuse public AXFR requests, usually with a REFUSED response or by closing the connection; that's the secure, expected outcome. Check the result for every listed nameserver, not just the primary, because a single misconfigured secondary exposes the whole zone. If any server allows the transfer, restrict zone transfers to authorized secondary servers immediately.

Frequently asked questions

What is a DNS zone transfer?

A zone transfer (AXFR) copies all records in a DNS zone from one nameserver to another. It's a legitimate replication mechanism, but should only be allowed between your own authorized servers.

Why is an open zone transfer dangerous?

It lets anyone download your complete DNS zone — every subdomain, mail server, and internal host you've published. That's a detailed map of your infrastructure handed to potential attackers.

How do I fix an exposed zone transfer?

Restrict AXFR to the IP addresses of your authorized secondary nameservers in your DNS server configuration (in BIND this is the allow-transfer option), or disable transfers entirely if you don't use secondaries; for stronger protection than an IP allowlist, require TSIG-signed transfer requests. Most managed DNS providers block public AXFR by default, so this mostly affects self-hosted nameservers. Re-run the check after the change to confirm every nameserver now refuses.