Open AXFR: Your Nameserver Handing Out the Whole Zone
Open AXFR: Your Nameserver Handing Out the Whole Zone sits in the DNS Resilience risk register because a small configuration shortcut can widen access, weaken control boundaries, or hide failure conditions. The risk usually starts with bIND9's zone transfer behaviour depends entirely on operator configuration, and the common shortcut during initial setup is to omit allow-transfer from the zone or In production, the concern is any host on the internet can run dig axfr domain.com @ns1.domain.com
The Trap
Unrestricted AXFR (full zone transfer) on authoritative DNS servers, where the allow-transfer clause in named.conf is either absent or explicitly set to any.
The Default State
BIND9’s zone transfer behaviour depends entirely on operator configuration, and the common shortcut during initial setup is to omit allow-transfer from the zone or options block entirely, or to set it to { any; } so secondaries never fail to sync during testing. Once the zone goes live, nobody revisits that clause. PowerDNS and Microsoft DNS carry the same risk when zone transfer restrictions aren’t paired with TSIG or IP ACLs, and many managed DNS providers leave AXFR enabled on the primary by default because it’s assumed only secondaries will ever ask.
The Blast Radius
Any host on the internet can run dig axfr domain.com @ns1.domain.com and receive the entire zone file in one TCP/53 response: every subdomain, every internal hostname, every VPN concentrator, staging environment, mail exchanger, and forgotten legacy A record. This isn’t guesswork reconnaissance against a wordlist; it’s a complete, authoritative inventory of the attack surface handed over unauthenticated. Attackers use it to identify unpatched staging servers still resolving to production IP ranges, to enumerate internal naming conventions for spear-phishing pretexts, and to spot split-horizon leakage where internal-only records were accidentally published externally. Combined with a subsequent SOA/NS enumeration, it also reveals which secondary servers exist, widening the target list for a follow-on transfer attempt or cache-poisoning window. The exposure is silent: standard query logging rarely distinguishes a legitimate secondary’s AXFR from a hostile one unless transfer-specific logging is enabled.
The Lead Mechanic Fix
Lock transfers to an explicit ACL keyed on TSIG, not IP alone, since IPs are trivially spoofable for UDP but transfers ride TCP where source validation still matters less than key-based auth. Generate a shared secret with tsig-keygen transfer-key, then in named.conf: acl secondaries { key transfer-key; }; options { allow-transfer { !any; secondaries; }; };, applying the same override per-zone if any zone historically had a laxer setting. Verify with dig axfr domain.com @ns1.domain.com from an unauthenticated host and confirm it returns Transfer failed. For split-horizon estates, additionally set allow-query separately from allow-transfer so recursive lookups aren’t accidentally blocked while transfers are locked down. Firewall TCP/53 at the network layer as defence-in-depth, and enable logging { channel xfer-log { category xfer-out; }; }; to alert on any transfer attempt from outside the secondaries ACL.