Internet Toolset

Comprehensive Tools for Webmasters, Developers & Site Optimization

Zone Transfer Tester

Zone Transfer Tester

Description & Best Practices

What This Tool Does: This tool retrieves the domain’s authoritative nameservers and then attempts a DNS zone transfer (AXFR) for each. A zone transfer is a process where a DNS server (usually a secondary server) downloads the entire zone file from a primary server. In a secure configuration, only authorized servers should be allowed to perform zone transfers.

Outcomes and Their Meanings:
- Successful Zone Transfer with a List of Records: This indicates a misconfiguration. If the tool is able to transfer the complete zone data, it means that unauthorized servers could potentially download your entire DNS zone, exposing all your subdomains and internal records. This is a serious security concern.
- Transfer Refused: If the nameserver explicitly responds with "Transfer refused" (or a similar message), this is the correct, secure behavior. It means the server is properly configured to block unauthorized zone transfers.
- EOF or Connection Closed (EOF Error): In many secure setups, the server may abruptly close the connection, resulting in an EOF error. This is also considered a secure response, indicating that the zone transfer was not allowed.
- Other DNS Exceptions (e.g. NXDOMAIN, NoAnswer): These errors indicate that the domain might not exist, lacks the necessary DNS records, or simply does not support zone transfers. These outcomes help you diagnose potential issues.

Best Practices for Zone Transfers:
- Restrict Zone Transfers: Ensure that your primary DNS server only allows zone transfers to trusted secondary servers. Unauthorized zone transfers can reveal sensitive information about your network.
- Monitor DNS Configuration: Regularly check your DNS settings and configure your firewall to limit access to zone transfer requests.
- Use Dedicated Tools for Security: While this tester provides a quick check, consider using dedicated DNS security tools for comprehensive monitoring and alerts.

Example Output:

Zone Transfer Results for example.com (NS: ns1.example.com):
example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN A 192.0.2.1
mail.example.com. 3600 IN A 192.0.2.2
example.com. 86400 IN MX 10 mail.example.com.
_sip._tcp.example.com. 3600 IN SRV 10 60 5060 sipserver.example.com.

Or, if secure: "Zone transfer failed: Transfer refused" or "Zone transfer failed: EOF" (connection closed).


If you see a "Transfer refused" message or an "EOF" error, rest assured that your nameservers are correctly restricting zone transfers.