DNS Zone Transfer
Definition
The process of replicating DNS zone data from a primary name server to secondary servers using the AXFR or IXFR protocols. Misconfigured zone transfers can leak internal network information to attackers.
Purpose of Zone Transfers
A DNS zone transfer is a mechanism for replicating zone data from a primary (master) authoritative server to one or more secondary servers. The full transfer protocol, AXFR (Authoritative Zone Transfer), sends the complete zone file. The incremental variant, IXFR, sends only records that changed since the secondary's last known SOA serial number, reducing bandwidth for large zones that change frequently.
Security Risks of Unrestricted Transfers
Allowing zone transfers from any IP address is a serious misconfiguration. An attacker who can perform an AXFR query receives a complete inventory of all hostnames, IP addresses, mail servers, and service records in the zone — essentially a reconnaissance blueprint of the entire infrastructure. Properly configured authoritative servers restrict AXFR requests to known secondary server IPs using TSIG (Transaction Signature) keys for authentication.
Monitoring Zone Transfers
Administrators should enable TSIG on all zone transfers and audit transfer logs regularly. Unexpected AXFR queries from unknown IP ranges in DNS server logs are a strong indicator of active reconnaissance. DNSSEC does not prevent unauthorized zone transfers but does ensure that records retrieved via any means — including unauthorized transfers — carry verifiable signatures.
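The transfer-log audit described above, sketched as an added example (not code from the original page): it flags AXFR/IXFR attempts that come from an address outside the known secondaries, that the server refused, or that were served without a TSIG key. The log lines are constructed and modelled on BIND 9 message style, and the allowlisted secondary `192.0.2.53`, the key name `xfer-key` and the function names are assumptions for illustration; adjust the pattern to your server's log format.

```python
import ipaddress
import re

# Assumption: the only secondary allowed to pull the zone (documentation address).
ALLOWED = [ipaddress.ip_network("192.0.2.53/32")]
# Constructed sample lines modelled on BIND 9 xfer-out/security/queries messages.
SAMPLE_LOG = """\
12-Mar-2024 10:00:01.100 xfer-out: info: client @0x7f1a 192.0.2.53#40112 (example.com): transfer of 'example.com/IN': AXFR started: TSIG xfer-key (serial 2024031201)
12-Mar-2024 10:05:42.007 security: error: client @0x7f1b 203.0.113.77#51514 (example.com): zone transfer 'example.com/AXFR/IN' denied
12-Mar-2024 10:06:10.450 xfer-out: info: client @0x7f1c 198.51.100.9#33880 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:07:00.000 queries: info: client @0x7f1d 198.51.100.9#40000 (www.example.com): query: www.example.com IN A + (192.0.2.1)
12-Mar-2024 10:09:30.250 xfer-out: info: client @0x7f1e 192.0.2.53#40200 (example.com): transfer of 'example.com/IN': IXFR started (serial 2024031201 -> 2024031202)
"""
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?(?:"
    r"transfer of '(?P<zone_a>[^/']+)/IN': (?P<type_a>[AI]XFR) started(?:: TSIG (?P<key>\S+))?"
    r"|zone transfer '(?P<zone_d>[^/']+)/(?P<type_d>[AI]XFR)/IN' denied)")

def parse_transfers(log_text):
    """Return one dict per transfer attempt; other log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"source": ipaddress.ip_address(m["ip"]),
                           "zone": m["zone_d"] or m["zone_a"],
                           "type": m["type_d"] or m["type_a"],
                           "tsig_key": m["key"],
                           "denied": m["zone_d"] is not None})
    return events

def audit(events, allowed=ALLOWED):
    """Return (event, reasons) pairs for transfers that need review."""
    findings = []
    for ev in events:
        reasons = []
        if not any(ev["source"] in net for net in allowed):
            reasons.append("source is not a known secondary")
        if ev["denied"]:
            reasons.append("server refused the transfer")
        elif ev["tsig_key"] is None:
            reasons.append("transfer served without TSIG")
        if reasons:
            findings.append((ev, reasons))
    return findings

if __name__ == "__main__":
    for ev, reasons in audit(parse_transfers(SAMPLE_LOG)):
        print(ev["source"], ev["zone"], ev["type"], "; ".join(reasons))
```

The third sample line is the case that matters most: a full transfer that succeeded to an address outside the allowlist, which means the server's transfer restriction is missing or wrong.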