Zone Transfer Check
developer/v1/dns/zone-transfer

Tests for zone transfer (AXFR) vulnerabilities by attempting real TCP-based AXFR requests against each authoritative nameserver. Reports which servers allow transfers, how many records are exposed, and provides security hardening recommendations per RFC 5936 and CIS DNS benchmarks.
What It Does
Resolves all authoritative nameservers, then sends real AXFR queries (RFC 5936) to each. Reports per-server result (vulnerable, refused, timeout), total records exposed, sample owner-names, and a record-type breakdown — TXT, CAA, SRV, and TLSA are flagged as `high_sensitivity_types_present` since these typically expose SPF includes, verification tokens, certificate-issuance policy, and service topology that are far more sensitive than CNAME glue. When AXFR is refused, cross-references the dns-nsec-walkability check: zones using legacy NSEC (rather than NSEC3) can still be enumerated by walking the NSEC chain, so `alternative_enumeration_risks.nsec_walkable` surfaces this. Detects the authoritative DNS provider and returns provider-keyed `remediation_snippets` — paste-ready `allow-transfer` config for BIND, PowerDNS, NSD, Knot, plus notes for Cloudflare DNS and Route 53 (which don't support AXFR by default).
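To make the steps above concrete, here is an added example (written for this page, not EdgeDNS's own code) of the wire-level work a zone-transfer check does: building the AXFR question with the two-byte length prefix that TCP framing requires (RFC 1035 section 4.2.2), verifying the transaction ID on the reply before trusting it, mapping RCODE REFUSED to the refused verdict, and summarising the exposed records by type with the high-sensitivity flag. The reply bytes, `SAMPLE_ZONE` and `demo()` are constructed fixtures so the module runs offline; `build_sample_response` exists only to produce them, and the result keys mirror the `details` entries documented below.

```python
# Added example, not EdgeDNS's own code: the wire-level steps behind an AXFR
# check (RFC 5936 / RFC 1035). The reply bytes used by demo() are constructed
# here so everything runs offline; nothing below touches the network.
import struct

QTYPE_AXFR, QCLASS_IN, RCODE_REFUSED = 252, 1, 5
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT",
              28: "AAAA", 33: "SRV", 52: "TLSA", 257: "CAA"}
# Types the check flags as high-impact when leaked (see the text above).
HIGH_SENSITIVITY = ("TXT", "CAA", "SRV", "TLSA")


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_axfr_query(txid, domain):
    """AXFR question, framed with the 2-byte length prefix TCP requires."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # QDCOUNT=1, no flags
    question = encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def decode_name(buf, pos):
    """Decode a name at pos (following compression pointers); return (name, end)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", buf[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (pos if end is None else end)


def parse_response(framed, expected_txid):
    """Parse one TCP-framed reply; reject it unless the transaction ID matches."""
    (length,) = struct.unpack("!H", framed[:2])
    buf = framed[2:2 + length]
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: %#x != %#x" % (txid, expected_txid))
    pos = 12
    for _ in range(qd):                                # skip the echoed question
        _, pos = decode_name(buf, pos)
        pos += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, pos = decode_name(buf, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
        pos += 10 + rdlen                              # RDATA is not inspected
        answers.append((owner, TYPE_NAMES.get(rtype, "TYPE%d" % rtype)))
    return {"rcode": flags & 0x0F, "answers": answers}


def assess(parsed):
    """Per-server verdict in the shape of the `details` entries of the response."""
    # REFUSED, or NOERROR with no RRs, both mean the server declined the transfer.
    if parsed["rcode"] == RCODE_REFUSED or not parsed["answers"]:
        return {"status": "refused", "record_count": 0,
                "record_type_counts": {}, "high_sensitivity_types_present": []}
    counts = {}
    for _owner, rtype in parsed["answers"]:
        counts[rtype] = counts.get(rtype, 0) + 1
    return {"status": "vulnerable",
            "record_count": len(parsed["answers"]),
            "sample_records": sorted({o for o, _ in parsed["answers"]})[:5],
            "record_type_counts": counts,
            "high_sensitivity_types_present": [t for t in HIGH_SENSITIVITY if t in counts]}


def build_sample_response(txid, domain, rrs, rcode=0):
    """Constructed reply for the demo only: one RR per (owner, numeric type)."""
    msg = struct.pack("!HHHHHH", txid, 0x8000 | rcode, 1, len(rrs), 0, 0)  # QR=1
    msg += encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    for owner, rtype in rrs:
        rdata = b"\x00"                                # dummy RDATA, never read
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, QCLASS_IN, 300, len(rdata)) + rdata
    return struct.pack("!H", len(msg)) + msg


# Constructed zone contents: an AXFR reply starts and ends with the SOA.
SAMPLE_ZONE = [("example.com.", 6), ("example.com.", 16), ("www.example.com.", 1),
               ("_sip._tcp.example.com.", 33), ("example.com.", 257), ("example.com.", 6)]


def demo(txid=0x1234):
    """Run the pipeline on a leaking server and on one that refuses."""
    leaked = assess(parse_response(build_sample_response(txid, "example.com", SAMPLE_ZONE), txid))
    refused = assess(parse_response(build_sample_response(txid, "example.com", [], RCODE_REFUSED), txid))
    return leaked, refused
```

On a live check the framed query goes over a TCP connection to port 53 of each authoritative server and the reply is read back with the same two-byte length prefix. A real AXFR may span several DNS messages (the transfer ends when the SOA appears a second time), so a production checker keeps calling `parse_response` on each message until then, and maps a socket timeout to the `timeout` verdict rather than to `refused`.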
Why It's Useful
A 2022 survey found ~12% of organizations had at least one nameserver allowing unauthorized zone transfers. Most AXFR tools stop at "vulnerable yes/no", but the severity of an exposed zone depends entirely on what's in it — a leaked zone full of SPF includes and verification tokens is much worse than one with mostly CNAME glue. The record-type breakdown turns "you're vulnerable" into "your TXT records are leaking; here's exactly what's exposed". The NSEC cross-reference catches a frequently-missed case where AXFR is correctly refused but enumeration is still possible. The provider-keyed remediation makes the fix concrete instead of generic.
Use Cases
Security Assessment
During reconnaissance, test for zone transfer to discover all subdomains and internal hosts.
Quickly map the complete DNS infrastructure if zone transfer is allowed.
DNS Security Audit
Audit organization DNS servers to ensure zone transfers are restricted.
Identify and remediate zone transfer vulnerabilities before attackers exploit them.
Compliance Verification
Verify DNS servers meet CIS benchmark requirements for zone transfer restrictions. Document AXFR controls for SOC 2, ISO 27001, and NIST SP 800-81 compliance.
Demonstrate DNS security controls with specific compliance framework evidence.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to test zone transfer for. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| is_vulnerable | boolean | Whether any nameserver allows zone transfer |
| vulnerable | array | Nameservers that allow zone transfer |
| not_vulnerable | array | Nameservers that properly refuse zone transfer |
| timeout | array | Nameservers that timed out during AXFR testing |
| records_exposed | number | Total DNS records exposed across all vulnerable servers |
| details | array | Per-server AXFR test results with status, record_count, sample_records (owner names), record_type_counts (per-RR-type), response time, and transaction-ID verification |
| record_type_summary | object | Aggregated record-type counts across all vulnerable nameservers (e.g., { A: 142, CNAME: 38, TXT: 17, MX: 4 }) |
| high_sensitivity_types_present | array | Subset of record_type_summary keys flagged as high-impact when leaked: TXT (SPF includes, verification tokens), CAA (issuance policy), SRV (service topology), TLSA |
| remediation_snippets | array | Provider-keyed `allow-transfer` config snippets when vulnerable: BIND named.conf, PowerDNS pdns.conf, NSD, Knot, plus Cloudflare / Route 53 notes |
| alternative_enumeration_risks | object | { nsec_walkable, detail } — when AXFR is refused but the zone uses legacy NSEC, full enumeration is still possible via NSEC chain walking; cross-references /v1/dns/nsec-walkability |
| recommendations | array | Security hardening recommendations (TSIG, ACLs, TLS) |
| truncated | boolean | Whether testing was limited to a subset of nameservers (max 5 tested) |
| total_nameservers | number | Total number of nameservers for the domain |
Code Examples
cURL

```bash
curl "https://api.edgedns.dev/v1/dns/zone-transfer" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

JavaScript

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/zone-transfer?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

Python

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/zone-transfer',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```