Expressvpn Glossary
DNS zone transfer
What is a DNS zone transfer?
A DNS zone transfer is the process of copying Domain Name System (DNS) records from a primary DNS server to one or more secondary DNS servers. It ensures that all authoritative servers for a domain maintain the same set of DNS data.
This process supports redundancy and availability. If the primary server becomes unavailable, secondary servers can continue responding to DNS queries using the replicated data.
Zone transfers rely on two query types: Authoritative Transfer (AXFR) for full transfers and Incremental Zone Transfer (IXFR) for incremental transfers. Both run over Transmission Control Protocol (TCP). Authentication mechanisms such as Transaction Signature (TSIG) are often used to ensure only authorized servers can request and receive zone data.
How does a DNS zone transfer work?
A DNS zone transfer is initiated by a secondary server checking whether the primary server’s zone data has changed. It does this by querying the Start of Authority (SOA) record and comparing the version number against its local copy.
If the version number has changed, the secondary server requests an update. The primary server authenticates the request and then responds using one of two mechanisms:
- AXFR: Transfers the full contents of the zone, regardless of how much has changed.
- IXFR: Transfers only the records that have changed since the last update. If the primary can’t provide the incremental updates, it falls back to AXFR.
Once the transfer is complete, the secondary server updates its local copy and begins answering DNS queries with the new records.
Why is DNS zone transfer important?
DNS zone transfers support several operational goals:
- Consistency: Keeps DNS records synchronized across authoritative servers.
- Redundancy and failover: Allows secondary servers to respond if the primary server fails.
- Load distribution: Queries are spread across multiple servers.
- Geographic availability: Enables DNS servers to operate in different locations while staying in sync.
Risks and privacy concerns
If not properly restricted, DNS zone transfers can expose sensitive information:
- Full zone disclosure: Unauthorized parties may retrieve all DNS records.
- Infrastructure mapping: Hostnames and IP addresses of servers and services tied to the domain can reveal system structure.
- Subdomain exposure: Internal or non-public subdomains may be visible.
This allows attackers to perform reconnaissance, target specific vulnerabilities, and launch phishing or denial-of-service (DoS) attacks.
To reduce exposure, zone transfers are typically limited to specific IP addresses of known secondary servers and require TSIG authentication on both sides.
Further reading
- Nameserver: The complete guide to setup and management
- Managed DNS: Your complete guide to implementation
- Types of DNS servers: Everything you need to know
- DNS record types explained: A complete guide for privacy