DNS Protocol – AXFR – Zone Transfers

A so-called zone transfer is designed to transfer the entire contents of a DNS zone, i.e. all its records, from one DNS server to another. Secondary servers use it to download the zone from the primary server whenever the zone content changes. AXFR is carried over TCP, not UDP (RFC 5936): the client sends a single query of type AXFR and the server answers with the whole zone, beginning and ending with the zone's SOA record.
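To make the exchange concrete, here is an added example in Python (not code from the original page): it builds the AXFR query in DNS wire format, frames it for TCP, parses the server's reply into records, and checks that the transfer is complete (SOA first and last). The zone name example.test, the 198.51.100.x addresses and the two server replies are constructed sample data, not captures from a real server; axfr_over_tcp() does the real exchange against a server you are authorised to test.

```python
"""AXFR over TCP: build the query, frame it, parse the reply, check completeness.
Added example. example.test / 198.51.100.x are constructed sample data."""
import socket
import struct

QTYPE_AXFR = 252
TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Dotted name -> DNS label sequence, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (QDCOUNT=1, no flags) + one question: <zone> AXFR IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def frame_tcp(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_name(buf, off):
    """Decode a name, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (rcode name, [(owner, type, ttl, rdata as text), ...]) for one message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = parse_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            data = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == TYPE_NS:
            data, _ = parse_name(msg, off)
        elif rtype == TYPE_SOA:
            mname, p = parse_name(msg, off)
            rname, p = parse_name(msg, p)
            data = f"{mname} {rname} serial={struct.unpack('!I', msg[p:p + 4])[0]}"
        else:
            data = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((name, rtype, ttl, data))
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records


def axfr_complete(records):
    """A full AXFR is bracketed by the zone's SOA: first and last RR, same serial."""
    return (len(records) >= 2 and records[0][1] == TYPE_SOA
            and records[-1][1] == TYPE_SOA and records[0][3] == records[-1][3])


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None                           # peer closed the stream
        buf += chunk
    return buf


def axfr_over_tcp(server, zone, port=53, timeout=5.0):
    """Live check: one AXFR query, then read messages until the closing SOA,
    a non-zero RCODE, or the server closing the connection."""
    records, rcode = [], "NOREPLY"
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(frame_tcp(build_axfr_query(zone)))
        while True:
            hdr = _recv_exact(s, 2)
            msg = _recv_exact(s, struct.unpack("!H", hdr)[0]) if hdr else None
            if msg is None:
                break
            rcode, rrs = parse_response(msg)
            records.extend(rrs)
            if rcode != "NOERROR" or axfr_complete(records):
                break
    return rcode, records


def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def constructed_open_transfer(zone="example.test.", txid=0x1234):
    """Constructed reply of a hypothetical server that allows AXFR: whole zone, SOA first and last."""
    soa = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
           + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 3600))
    answers = [build_rr(zone, TYPE_SOA, 3600, soa),
               build_rr(zone, TYPE_NS, 3600, encode_name("ns1." + zone)),
               build_rr("ns1." + zone, TYPE_A, 3600, bytes([198, 51, 100, 1])),
               build_rr("intranet." + zone, TYPE_A, 300, bytes([198, 51, 100, 20])),
               build_rr("admin." + zone, TYPE_A, 300, bytes([198, 51, 100, 21])),
               build_rr(zone, TYPE_SOA, 3600, soa)]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, 0)  # QR|AA
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1) + b"".join(answers)


def constructed_refused(zone="example.test.", txid=0x1234):
    """Constructed reply of a server that restricts transfers: QR|AA, RCODE=5 (REFUSED), no RRs."""
    header = struct.pack("!HHHHHH", txid, 0x8405, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)
```

The same live check from the command line is dig axfr example.test @ns1.example.test; a properly restricted server answers REFUSED (or NOTAUTH), and some simply close the TCP connection, which the reader loop above treats as the end of the stream rather than as a successful transfer.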

AXFR has a disadvantage: it always transfers the entire zone, even if only one record has changed. IXFR (Incremental Zone Transfer, RFC 1995) solves this by transferring only the records that changed since the zone serial the secondary already holds.

AXFR should not be publicly available; it should be permitted only between the authoritative DNS servers for the zone (in BIND this is the allow-transfer option). If anyone can download all records of a zone this way, information is exposed that would otherwise have to be discovered one name at a time by direct queries: a list of hosts in the domain, the name of the subdomain used to reach internal administration interfaces, and so on.

