AXFR
Full Zone Transfer: a DNS operation that copies an entire zone from a primary to a secondary nameserver.
AXFR (Authoritative Transfer, or Full Zone Transfer; RFC 5936) is the DNS query type (QTYPE 252) that copies an entire zone from a primary nameserver to a secondary. It must run over TCP on port 53: the response is a sequence of one or more DNS messages carrying every record in the zone, framed by the zone's SOA record at the start and again at the end, far larger than a single UDP datagram. AXFR exists for legitimate zone replication between operators, but a nameserver that answers AXFR for arbitrary clients hands out the full record set of the zone in one query, including hostnames and addresses that were never meant to be discovered. That is a serious information disclosure. The check is simple: `dig axfr <zone> @<nameserver>` should come back REFUSED; any server that returns the zone is misconfigured. Hardened deployments restrict AXFR to an IP allowlist (for example BIND's `allow-transfer`), authenticate transfers with TSIG, and use IXFR (RFC 1995) for incremental updates so that full transfers are rare.
Referenced on
- Build a DNS Resolver from Scratch in Python
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- DNS Zone Transfer Attack (AXFR): How a Single Query Exposes Your Entire Domain
- DNS Zone Walking for Subdomain Enumeration: How NSEC Exposes Your Subdomains
- How DNS Queries Work: A Developer's Guide to the DNS Protocol
- Subdomain Takeover: How Dangling DNS Records Let Attackers Hijack Your Domain
- What Happens When One DNS Provider Goes Down: The Hidden Fragility of TLD Ecosystems