DNS Zone Transfer (AXFR)

We look up the authoritative name servers for your domain and ask each one for a full zone transfer. A correctly configured DNS server refuses. A misconfigured one hands over the entire DNS zone — every subdomain, every internal name, every mail server.

What this check probes

Two steps:

  1. Query the NS records for your domain to find the authoritative name servers.
  2. Send each name server an AXFR request for your zone. AXFR is the protocol secondary DNS servers use to copy the full zone from a primary; it should only be answered for known secondaries.

Equivalent to running:

dig @ns1.example.com example.com AXFR

If the server returns more than the SOA record, the transfer succeeded and your zone is public.
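The pass/fail rule just stated, turned into code. This is an added example, not the scanner's own check: a stdlib-only Python parser for the text that dig prints, so it runs offline against the two constructed outputs embedded below (an open transfer and a refused one) and can be fed real output on stdin. Beyond the page's rule it also lists the owner names the transfer disclosed and any RFC 1918 / RFC 4193 addresses among the A and AAAA records, which is the disclosure the PCI requirement below is concerned with. The dig banner lines, record set and the file name axfr_check.py are constructed for this example.

```python
"""Decide whether a `dig @ns example.com AXFR` run leaked the zone.

Added example, not the scanner's code. Parses dig's default text output
(stdlib only, no network); the two sample outputs below are constructed.
Real use (file name is illustrative):
    dig @ns1.example.com example.com AXFR | python3 axfr_check.py
"""
import ipaddress
import sys
from dataclasses import dataclass, field

# Address ranges that should never be disclosed by a public zone (RFC 1918 / RFC 4193).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class AxfrResult:
    verdict: str                  # "open", "refused" (SOA only) or "failed"
    records: list = field(default_factory=list)       # (owner, type, rdata)
    internal_ips: list = field(default_factory=list)  # (owner, address)

    @property
    def names(self) -> list:
        """Distinct owner names the transfer disclosed, sorted."""
        return sorted({owner for owner, _, _ in self.records})


def is_internal(address: str) -> bool:
    """True if the string is an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_dig_axfr(output: str) -> AxfrResult:
    """Apply the page's rule: anything beyond the SOA means the zone is public."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue              # banner, ";; XFR size", "; Transfer failed."
        fields = line.split(None, 4)       # owner  ttl  class  type  rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        records.append((owner.rstrip(".").lower(), rtype, rdata))

    if "Transfer failed" in output or not records:
        return AxfrResult("failed")
    if all(rtype == "SOA" for _, rtype, _ in records):
        return AxfrResult("refused", records)   # only the SOA came back

    leaked = [(owner, rdata) for owner, rtype, rdata in records
              if rtype in ("A", "AAAA") and is_internal(rdata)]
    return AxfrResult("open", records, leaked)


# Constructed sample: what an open transfer looks like (tab-separated as dig prints it).
OPEN_TRANSFER = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tMX\t10 mail.example.com.
mail.example.com.\t3600\tIN\tA\t192.0.2.25
vpn.example.com.\t3600\tIN\tA\t192.0.2.40
old-admin.example.com.\t3600\tIN\tA\t10.0.5.12
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
;; XFR size: 7 records (messages 1, bytes 250)
"""

# Constructed sample: a correctly configured server.
REFUSED_TRANSFER = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
; Transfer failed.
"""


def main() -> None:
    # Read piped dig output; fall back to the constructed sample when run by hand.
    text = sys.stdin.read() if not sys.stdin.isatty() else OPEN_TRANSFER
    result = parse_dig_axfr(text)
    print(f"verdict: {result.verdict}")
    if result.verdict == "open":
        print(f"{len(result.records)} records, {len(result.names)} names exposed")
        for owner, addr in result.internal_ips:
            print(f"  internal address disclosed: {owner} -> {addr}")


if __name__ == "__main__":
    main()
```

Run without input and it reports the constructed open transfer (7 records, 4 names, one internal address); piped real dig output is classified the same way.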

Why this matters for PCI DSS

An open zone transfer is the gold standard for attacker reconnaissance. In a single command they get:

  • Every subdomain — including staging, dev, old-admin, vpn, backup.
  • Internal naming conventions — useful for guessing other names.
  • Mail servers, secondary IPs, third-party integrations.
  • Often hosts that were never meant to be public but happen to have a DNS record.

PCI DSS 4.0 Requirement 1.4.5 requires that internal IP addresses and routing information are disclosed only to authorized parties. Requirement 6.2.4 covers the broader "information disclosure" attack class. An open AXFR violates both.

How to fix it

BIND — restrict transfers to your known secondaries:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};

Better: use TSIG keys so the secondary must present a shared secret:

key "transfer-key" {
    algorithm hmac-sha256;
    secret "base64-encoded-secret";
};
zone "example.com" {
    allow-transfer { key "transfer-key"; };
};
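To audit a BIND configuration for the weak setting before and after this fix, here is an added example (not BIND's or the scanner's code): a small Python checker that walks each zone block in named.conf, reads its allow-transfer ACL and reports it as open (any), closed (none) or restricted (addresses or a TSIG key), falling back to the options block when a zone has no directive of its own. The two configurations it runs over are constructed, one permissive and one using the TSIG and address-list forms shown above; the "open-by-default" label for a zone with no directive anywhere is an assumption based on BIND's historical default, so confirm the default of the release you run.

```python
"""Audit allow-transfer in a BIND named.conf.

Added example, not BIND's or the scanner's code. Each zone is reported as
"open" (any), "closed" (none), "restricted" (IP list, ACL name or TSIG key)
or, when it has no directive, whatever the options block says. The two
configurations below are constructed: the weak one beside the fixed one.
"""
import re

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s*(?:IN\s+)?\{')
OPTIONS_RE = re.compile(r'\boptions\s*\{')
XFER_RE = re.compile(r'\ballow-transfer\s*\{([^}]*)\}')


def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so tokens inside them are not counted."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(?<!\S)(//|#).*', '', conf)   # only at start or after whitespace


def block_body(conf: str, open_brace: int) -> str:
    """Text between the brace at open_brace and its matching close brace."""
    depth = 0
    for i in range(open_brace, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def classify_acl(acl: str) -> str:
    tokens = [t.strip() for t in acl.split(";") if t.strip()]
    if not tokens or tokens == ["none"]:
        return "closed"
    if "any" in tokens:
        return "open"          # anyone on the internet can pull the zone
    return "restricted"        # addresses, ACL names or key "..." entries


def audit_allow_transfer(named_conf: str) -> dict:
    """Map each zone name to its effective allow-transfer status."""
    conf = strip_comments(named_conf)
    # Assumption: with no directive anywhere, treat the zone as transferable
    # (BIND's historical default); check the default of your own release.
    inherited = "open-by-default"
    opt = OPTIONS_RE.search(conf)
    if opt:
        gx = XFER_RE.search(block_body(conf, opt.end() - 1))
        if gx:
            inherited = classify_acl(gx.group(1))
    findings = {}
    for m in ZONE_RE.finditer(conf):
        zx = XFER_RE.search(block_body(conf, m.end() - 1))
        findings[m.group(1)] = classify_acl(zx.group(1)) if zx else inherited
    return findings


# Constructed: the weak configuration this check flags.
WEAK_CONF = """\
options { directory "/var/cache/bind"; };
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { any; };   // anyone can pull the zone
};
zone "corp.example" {
    type master;
    file "/etc/bind/db.corp.example";
};
"""

# Constructed: the same zones after applying the fixes above.
FIXED_CONF = """\
options { directory "/var/cache/bind"; allow-transfer { none; }; };
key "transfer-key" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET"; };
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { key "transfer-key"; };
};
zone "corp.example" {
    type master;
    file "/etc/bind/db.corp.example";
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_allow_transfer(conf))
```

Read a live file with audit_allow_transfer(open("/etc/bind/named.conf.local").read()); anything reported as open or open-by-default is what this scan flags.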

Windows DNS Server — open the DNS Manager, right-click the zone → Properties → Zone Transfers tab. Either uncheck "Allow zone transfers" or restrict to "Only to the following servers" with the IPs of your secondaries.

PowerDNS — set allow-axfr-ips in pdns.conf to your secondary IPs only.

Managed DNS (Cloudflare, Route 53, NS1, Azure DNS) — these providers don't expose AXFR to the public by default. If you're flagged on a managed provider, you've likely got a self-hosted name server still listed in your NS records that should be removed.

Verify with dig @ns1.example.com example.com AXFR — should return "Transfer failed" or just the SOA.

Fixed it? Re-run the scan to confirm.