Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Zone Transfer

Training Camp • Cybersecurity Glossary

What is Zone Transfer?

The DNS replication of zone records from a primary to secondary servers (AXFR/IXFR); if left unrestricted it leaks internal hostnames to attackers for reconnaissance.

Glossary > Network Security > Zone Transfer

Zone Transfer — The DNS replication of zone records from a primary to secondary servers (AXFR/IXFR)

Understanding Zone Transfer

A zone transfer is the process of replicating a DNS zone's records from a primary (master) name server to one or more secondary (slave) servers. It keeps secondaries synchronized with the authoritative data, ensuring consistent name resolution and providing redundancy and load distribution if the primary becomes unavailable.

Transfers come in two forms. AXFR is a full zone transfer that copies the entire zone, while IXFR (RFC 1995) is an incremental transfer that sends only the records changed since the secondary's last update, reducing bandwidth. A secondary typically polls the primary's SOA serial number; when it sees a higher serial, it requests a transfer over TCP port 53. Modern deployments authenticate these requests cryptographically with TSIG (transaction signatures) and restrict them by ACL.

Zone transfers matter for security because the same mechanism that legitimately synchronizes servers can leak the entire internal namespace if left open. An unrestricted server will hand its full zone — hostnames, IP addresses, mail and service records — to anyone who asks, giving attackers a detailed map of internal systems for reconnaissance and targeting. Restricting transfers to authorized secondaries and authenticating them is therefore a standard hardening step. DNS security guidance appears in NIST SP 800-81, and DNSSEC adds authenticity to the records themselves.

For example, an attacker probing a target might run `dig axfr example.com @ns1.example.com`. If the server is misconfigured to allow transfers from any host, it returns the complete zone, revealing internal server names like `vpn`, `mail`, and `dev` and their addresses. A properly hardened server instead permits AXFR only to its designated secondaries, validates each request with TSIG, and logs and alerts on unauthorized attempts, denying the attacker that reconnaissance.

Learn More About Zone Transfer:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →