Security check - zone transfer
The "Security check - zone transfer" attempts to retrieve the zone content via a zone transfer (AXFR).
Zone transfers should be strictly restricted so that only your own secondary/slave servers are allowed to request them. A zone transfer is the standardised way for authoritative name servers to transfer copies of a zone between each other.
Security best practices dictate that no, or only very limited, information should be made available to the public. By allowing zone transfers to the world, the entire zone content, and with it a great deal of information about your Internet infrastructure, is exposed.
Most DNS servers can be configured with access control lists (ACLs) and can require authentication, so that only authorised entities are allowed to perform zone transfers.
Event severities and messages
WARNING
Transfer request was allowed but no data was received.
The zone transfer response contained no zone data. Although no data was received, the name server did allow the transfer request. This might indicate a configuration flaw and should be remedied.
Zone transfer failed with (code) message.
The zone transfer failed but with an unexpected return code from the server.
This might indicate a configuration flaw and should be investigated.
ERROR
Zone transfer request was allowed, X resource records were transferred.
The zone transfer was successful, which means that anyone can transfer the zone and analyse its content. This is a serious security flaw that needs to be addressed.
Check the documentation of your DNS server software for how to set up your server to only allow zone transfers to trusted parties.
UNKNOWN
Unable to perform check due to input data failure.
When this message appears, usually one of the queries leading up to the final query has received an empty or garbled response. Please report this through the normal support channel.
Solutions, tips & tricks
Make sure you have configured authenticated zone transfers/notifications.
Make sure you have ACLs in place that prevent anyone other than your own authenticated name servers from performing zone transfers.
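As an added illustration of both tips (not part of this check and not taken from any DNS vendor's documentation), the BIND 9 named.conf fragments below show the weak setting that makes this check report ERROR next to a hardened configuration that only allows TSIG-authenticated transfers to one secondary. The zone name, the addresses 192.0.2.1 (primary) and 192.0.2.2 (secondary), the key name and the key secret are all placeholders.

```conf
// --- WEAK: any host on the Internet can pull the whole zone ---
zone "example.com" {
    type master;                 // "primary" in BIND 9.16 and later
    file "example.com.zone";
    allow-transfer { any; };     // this is what makes the check report ERROR
};

// --- HARDENED primary: transfers only to a TSIG-authenticated secondary ---
// Shared TSIG secret; generate a real one with:  tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, never a real secret in docs
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only requests signed with xfer-key may transfer the zone. Matching on the
    // key rather than only on a source address means the request is authenticated,
    // not merely filtered.
    allow-transfer { key xfer-key; };
    // Send NOTIFY only to the listed secondary instead of to every NS record.
    notify explicit;
    also-notify { 192.0.2.2; };
};

// --- Secondary side: sign transfer requests to the primary with the same key ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // same placeholder secret as the primary
};

zone "example.com" {
    type slave;                  // "secondary" in BIND 9.16 and later
    file "secondary/example.com.zone";
    masters { 192.0.2.1 key xfer-key; };   // "primaries" in BIND 9.16 and later
    allow-transfer { none; };    // the secondary must not re-serve AXFR to the world
};
```

After editing, validate the syntax with named-checkconf and reload. Then repeat what this check does from a host that does not hold the key, e.g. dig @192.0.2.1 example.com AXFR; the expected result on a hardened server is "; Transfer failed." (a REFUSED response), while the same query signed with the key (dig -y hmac-sha256:xfer-key:<secret>) still succeeds from the secondary. Note that the secondary also needs `allow-transfer { none; }` (or an equally strict list), since this check is typically run against every authoritative name server of the zone, not only the primary.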
We will post an article about this subject later this year.