DNS Zone Transfer Test
Test if your DNS server is vulnerable to unauthorized zone transfers. Run a free AXFR/IXFR lookup with HasheTool's DNS Zone Transfer Test tool instantly.
About DNS Zone Transfer Test
Our DNS Zone Transfer Test tool enables you to instantly check whether your DNS server is misconfigured to expose zone data, ensuring your domain infrastructure stays protected from unauthorized AXFR requests.
HasheTool's DNS Zone Transfer Test tool lets you instantly check whether a DNS server is misconfigured to allow unauthorized zone transfers. By sending an AXFR (full zone transfer) request to your target nameserver, our tool reveals whether sensitive DNS zone data, including subdomains, IP addresses, and mail server configurations, is publicly accessible.
Whether you're a security researcher, system administrator, or website owner, this free DNS Zone Transfer Test helps you identify and fix a critical DNS misconfiguration before attackers can exploit it.
DNS Zone Transfer Test: Detect Open AXFR Vulnerabilities Instantly
A misconfigured DNS server can silently expose your entire domain infrastructure to anyone on the internet. HasheTool's DNS Zone Transfer Test tool helps you detect this vulnerability in seconds. By simulating an AXFR query, the same method used by attackers during reconnaissance, our tool tells you exactly whether your DNS server is leaking zone data and which nameservers are vulnerable.
This free tool is trusted by developers, penetration testers, IT security teams, and domain administrators who need fast, accurate results without complicated setup.
How to Use the DNS Zone Transfer Test on HasheTool
Using HasheTool's DNS Zone Transfer Test is simple and requires no technical setup:
- Enter your domain name (e.g., example.com).
- Optionally, specify a nameserver you want to test, or let our tool auto-detect all authoritative nameservers.
- Click "Run Zone Transfer Test."
- Review the results to see whether the zone transfer was allowed or rejected.
If zone data is returned, your DNS server is misconfigured and should be secured immediately. If the transfer is refused, your server is correctly protected.
What Is a DNS Zone Transfer?
A DNS Zone Transfer is a process used to replicate DNS records from a primary DNS server to a secondary DNS server. This is a legitimate and necessary mechanism for keeping backup nameservers synchronized with the primary one.
There are two types of zone transfers:
- AXFR (Asynchronous Full Transfer Zone): Transfers the complete zone file from the primary to the secondary nameserver.
- IXFR (Incremental Zone Transfer): Transfers only the changes made since the last synchronization, making it more efficient for large zones.
Zone transfers are designed to be used internally between trusted nameservers. When a DNS server is improperly configured to respond to AXFR requests from any source, it becomes a serious security vulnerability.
What Is a DNS Zone Transfer Test?
A DNS Zone Transfer Test is a security diagnostic that sends an AXFR request to a target DNS server to check whether it responds with full zone data to unauthorized sources. This is the same technique used by security professionals and attackers during the DNS reconnaissance phase of a security audit or attack.
If the server responds with zone data, it means anyone, including malicious actors, can retrieve a complete list of:
- All subdomains (including internal and hidden ones)
- IP addresses of servers and infrastructure
- Mail server configurations (MX records)
- SPF, DKIM, and other TXT records
- Administrative data from SOA records
This level of exposure gives attackers a detailed map of your infrastructure, making targeted attacks significantly easier to carry out.
Why Is an Open Zone Transfer a Security Risk?
An open DNS zone transfer is classified as a critical security misconfiguration and is listed in various security standards and vulnerability databases. Here is why it matters:
Subdomain Enumeration: Attackers can discover internal subdomains like admin.example.com, dev.example.com, or vpn.example.com that are not publicly listed anywhere.
Infrastructure Mapping: All IP addresses exposed in the zone file allow attackers to map your hosting setup and identify potential targets.
Email Attack Surface: Exposed MX and TXT records reveal your email provider, SPF configuration gaps, and DKIM settings, all useful for crafting phishing or spoofing attacks.
Reconnaissance Without Detection: Pulling a zone transfer is a passive technique that is difficult to detect and leaves minimal logs, making it a favored first step in targeted attacks.
Fixing an open zone transfer immediately reduces your attack surface and removes a significant information advantage from potential attackers.
How DNS Zone Transfer Works (Technical Breakdown)
Understanding how zone transfers function helps clarify why misconfigured servers are so dangerous:
- Client sends AXFR request to the authoritative nameserver for a domain.
- Nameserver checks the request source against its ACL (Access Control List) of allowed IPs.
- If properly configured, the server rejects the request with a REFUSED or NOTAUTH response.
- If misconfigured, the server sends back the full zone file, including every DNS record it holds for that domain.
A correctly secured DNS server should only allow zone transfers from specific, trusted secondary nameserver IP addresses. Any response to an AXFR request from an unknown or public IP is a vulnerability.
What Data Can Be Exposed in a Zone Transfer?
If a zone transfer is successful, the following types of DNS records may be exposed:
| Record Type | What It Reveals |
|---|---|
| A Record | IPv4 addresses of servers and subdomains |
| AAAA Record | IPv6 addresses |
| CNAME Record | Internal aliases and subdomain structures |
| MX Record | Mail server infrastructure |
| NS Record | All authoritative nameservers |
| TXT Record | SPF, DKIM, DMARC, and verification tokens |
| SOA Record | Zone serial numbers and admin email addresses |
| SRV Record | Internal service locations (VoIP, messaging, etc.) |
| PTR Record | Reverse DNS mappings |
Each of these records adds to an attacker's picture of your infrastructure.
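The four-step exchange in the technical breakdown above, together with the record-type table, as an added example that is not HasheTool's tool or any code from this page. It uses only the Python standard library: it builds the AXFR question on the wire (QTYPE 252 over TCP with the 2-byte length prefix), parses the reply, and classifies a REFUSED/NOTAUTH answer as protected versus an open zone whose answer records are summarised by type. The two sample responses (one REFUSED, one open zone for example.com with SOA / A / SOA records and the constructed address 192.0.2.10), the transaction id 0x1234 and the nameserver names are constructed for offline checking; `probe()` is the live check for a nameserver you administer.

```python
import socket
import struct

QTYPE_AXFR = 252
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}
RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
           28: "AAAA", 33: "SRV"}


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_axfr_query(domain, txid=0x1234):
    """Step 1 of the breakdown: a QTYPE=AXFR question for the zone apex (txid is assumed)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0: no RD bit for AXFR
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = offset + 2 if not jumped else end
            jumped, offset = True, struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            end = offset + 1 if not jumped else end
            return ".".join(labels) + ".", end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg):
    """Return the RCODE name and the (owner, type) of every answer record in one message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, records = 12, []
    for _ in range(qd):                                 # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen                            # skip RDATA; only the type matters here
        records.append((name, RRTYPES.get(rtype, str(rtype))))
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "records": records}


def classify(result):
    """Steps 3/4: REFUSED or NOTAUTH is the protected outcome; answer records mean an open zone."""
    if result["rcode"] != "NOERROR":
        return f"protected ({result['rcode']})"
    if not result["records"]:
        return "no data returned"
    types = sorted({t for _, t in result["records"]})
    return f"OPEN: {len(result['records'])} records exposed ({', '.join(types)})"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(nameserver, domain, timeout=5.0):
    """Live check: AXFR runs over TCP, each message length-prefixed; an open zone is one or
    more messages bracketed by the SOA record, so read until the second SOA or EOF."""
    query = build_axfr_query(domain)
    records, rcode, soa_seen = [], "NOERROR", 0
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            prefix = _recv_exact(sock, 2)
            if len(prefix) < 2:
                break
            parsed = parse_response(_recv_exact(sock, struct.unpack("!H", prefix)[0]))
            rcode = parsed["rcode"]
            if rcode != "NOERROR":
                break
            records.extend(parsed["records"])
            soa_seen += sum(1 for _, t in parsed["records"] if t == "SOA")
    return {"rcode": rcode, "records": records}


def constructed_messages():
    """Constructed sample responses (no real server involved): one REFUSED reply and one open
    zone with SOA / A / SOA answers, the A owner using a compression pointer to the question."""
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)
    refused = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + question   # RCODE 5
    soa_rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
                 + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300))
    owner = b"\xc0\x0c"                                  # pointer to offset 12 = question name
    soa = owner + struct.pack("!HHIH", 6, 1, 3600, len(soa_rdata)) + soa_rdata
    a_rr = b"\x03www" + owner + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    open_zone = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + question + soa + a_rr + soa
    return refused, open_zone


if __name__ == "__main__":
    import sys
    refused, open_zone = constructed_messages()
    print(classify(parse_response(refused)), "|", classify(parse_response(open_zone)))
    if len(sys.argv) == 3:                               # python3 axfr_check.py NS_IP zone
        print(classify(probe(sys.argv[1], sys.argv[2])))
```

Run without arguments to see both constructed outcomes side by side; with a nameserver address and zone name it performs the live check and prints the same classification, which is the pass/fail signal the page describes. The parser deliberately skips RDATA: for triage, the owner names and record types are what show which of the rows in the table above would be exposed.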
How to Fix an Open DNS Zone Transfer Vulnerability
If HasheTool's DNS Zone Transfer Test reveals that your server allows open transfers, follow these steps to secure it immediately:
For BIND (named.conf): Restrict zone transfers using the allow-transfer directive:
```
zone "example.com" {
    type master;
    allow-transfer { 192.168.1.2; }; // Only your secondary nameserver IP
};
```
For Microsoft DNS: Open DNS Manager → Right-click your zone → Properties → Zone Transfers tab → Select "Only to the following servers" and add your secondary nameserver IPs.
For cPanel/WHM: Zone transfers are typically restricted by default. Verify settings under WHM → DNS Functions → Edit DNS Zone.
For Cloudflare and managed DNS providers: Cloudflare and most modern managed DNS providers block zone transfers by default. No manual configuration is required.
After making changes, re-run the DNS Zone Transfer Test on HasheTool to confirm the vulnerability has been resolved.
DNS Zone Transfer vs. DNS Propagation: What's the Difference?
These two concepts are often confused but serve completely different purposes:
DNS Propagation refers to the time it takes for DNS record changes to spread across global DNS resolvers after you update them. It is a normal part of DNS updates.
DNS Zone Transfer is a server-to-server replication mechanism used to synchronize DNS records between nameservers. When exposed publicly, it becomes a security vulnerability.
HasheTool offers both a DNS Propagation Checker and a DNS Zone Transfer Test to cover all your DNS health and security needs.
Why Use HasheTool's DNS Zone Transfer Test?
- Instant results with no sign-up, installation, or configuration required
- Tests all authoritative nameservers automatically for your domain
- Clear pass/fail output so you know exactly whether you're vulnerable
- Detailed record display if a transfer succeeds, so you see exactly what was exposed
- Free and unlimited with no usage caps or restrictions
- Trusted by security professionals, developers, and IT administrators worldwide
Common Use Cases
- Security audits and penetration testing of the domain infrastructure
- Verifying DNS server hardening after configuration changes
- Checking third-party or client domains for misconfigurations
- Pre-launch security checks for new domains and servers
- Confirming that managed DNS providers have zone transfers locked down
- Educational use for learning about DNS security and AXFR vulnerabilities
Run Your DNS Zone Transfer Test Now
Don't leave your DNS infrastructure exposed. Use HasheTool's free DNS Zone Transfer Test to instantly check whether your nameservers are leaking zone data and take action before attackers do.
Frequently Asked Questions About DNS Zone Transfer Test
What is an AXFR request?
AXFR stands for Asynchronous Full Transfer Zone. It is a DNS query type used to request a complete copy of a DNS zone from a nameserver. It is used legitimately between trusted primary and secondary nameservers, but becomes a vulnerability when allowed from public or untrusted sources.
Is running a DNS Zone Transfer Test legal?
Running a zone transfer test against domains you own or are authorized to test is completely legal and is a standard part of security auditing. You should never run this test against domains you do not own or do not have explicit permission to test.
What does it mean if the zone transfer is refused?
A REFUSED or NOTAUTH response means your DNS server is correctly configured and is rejecting unauthorized zone transfer requests. This is the expected and secure behavior.
What does it mean if the zone transfer succeeds?
A successful zone transfer from an unauthorized source means your DNS server is misconfigured and is leaking your full DNS zone data to anyone who requests it. You should fix this immediately by restricting zone transfers to trusted IP addresses only.
Does Cloudflare allow zone transfers?
No. Cloudflare blocks all unauthorized AXFR requests by default. If your domain uses Cloudflare as its DNS provider, it will not be vulnerable to open zone transfer attacks.
Can zone transfers expose internal subdomains?
Yes. This is one of the most significant risks. Subdomains that are not publicly advertised, such as staging servers, admin panels, or internal tools, can be fully exposed through a successful zone transfer.
How often should I run a DNS Zone Transfer Test?
It is recommended to run this test after any DNS server configuration change, after migrating to a new DNS provider, or as part of a routine quarterly security review.
Is HasheTool's DNS Zone Transfer Test free?
Yes. HasheTool's DNS Zone Transfer Test is completely free with no account required and no usage limits.