Zone Transfer Check
GET /v1/dns/zone-transfer
Tests for zone transfer (AXFR) vulnerabilities by attempting real TCP-based AXFR requests against each authoritative nameserver. Reports which servers allow transfers, how many records are exposed, and provides security hardening recommendations per RFC 5936 and CIS DNS benchmarks.
What It Does
Resolves all authoritative nameservers for a domain, then opens a TCP connection to port 53 on each (up to five per query; see the truncated field) and sends an AXFR query per RFC 5936. Reports per-server results (vulnerable, refused, timeout), counts exposed records, returns sample hostnames from vulnerable transfers, and provides remediation guidance including TSIG authentication (RFC 8945, which obsoletes RFC 2845), ACL-based restrictions, and DNS zone transfer over TLS (XoT, RFC 9103).
Why It's Useful
A 2022 survey found ~12% of organizations had at least one nameserver allowing unauthorized zone transfers. AXFR exposes the complete zone file — all hostnames, IPs, mail servers, and TXT records — providing attackers a complete infrastructure map. Unlike most DNS tools that only assess configuration, this endpoint performs actual AXFR attempts for definitive vulnerability confirmation.
Use Cases
Security Assessment
During reconnaissance, test for zone transfer to discover all subdomains and internal hosts.
Quickly map the complete DNS infrastructure if zone transfer is allowed.
DNS Security Audit
Audit organization DNS servers to ensure zone transfers are restricted.
Identify and remediate zone transfer vulnerabilities before attackers exploit them.
Compliance Verification
Verify DNS servers meet CIS benchmark requirements for zone transfer restrictions. Document AXFR controls for SOC 2, ISO 27001, and NIST SP 800-81 compliance.
Demonstrate DNS security controls with specific compliance framework evidence.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to test zone transfer for. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| is_vulnerable | boolean | Whether any nameserver allows zone transfer |
| vulnerable | array | Nameservers that allow zone transfer |
| not_vulnerable | array | Nameservers that properly refuse zone transfer |
| records_exposed | number | Total DNS records exposed across all vulnerable servers |
| details | array | Per-server AXFR test results with status, record count, sample records, response time, and transaction ID verification |
| recommendations | array | Security hardening recommendations (TSIG, ACLs, TLS) |
| truncated | boolean | Whether testing was limited to a subset of nameservers (max 5 tested) |
| total_nameservers | number | Total number of nameservers for the domain |
Code Examples
```bash
# domain is passed as a query parameter; a plain -d would turn this into a POST
curl "https://api.edgedns.dev/v1/dns/zone-transfer?domain=example.com" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/zone-transfer?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
// data.is_vulnerable summarises the result; data.details lists each nameserver tested
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/zone-transfer',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
response.raise_for_status()  # surface auth or rate-limit errors instead of parsing them as results
data = response.json()
# data['is_vulnerable'] summarises the result; data['details'] lists each nameserver tested
print(data)
```