A DNS zone transfer is one of the most valuable misconfigurations you can find during enumeration. When it works, it hands you the entire DNS map of a domain in one request β every subdomain, every server, every IP address, all at once.
A DNS zone is the complete collection of DNS records for a domain. Zone transfers (technically called AXFR requests) are a mechanism designed to let secondary DNS servers sync their records from the primary DNS server β like a backup system for DNS data.
Think of it like a master copy of a company's internal directory. The primary server has it. Secondary servers need copies of it to function. The transfer mechanism exists so they can request that copy.
The problem: some DNS servers are misconfigured to allow anyone to request that copy β not just authorized secondary servers. When that happens, you can ask for the entire zone and get back every DNS record the company has.
This is considered a critical misconfiguration in professional engagements because it completely eliminates the need for subdomain brute forcing β you just get everything handed to you.
A successful zone transfer returns every DNS record in the zone:
example.com. A 93.184.216.34
www.example.com. A 93.184.216.34
mail.example.com. A 10.0.0.5
admin.example.com. A 10.0.0.10
dev.example.com. A 10.0.0.15
staging.example.com. A 10.0.0.20
vpn.example.com. A 10.0.0.25
internal.example.com. A 192.168.1.100
In one request you've mapped the entire infrastructure β public and internal hostnames, IP addresses, and server roles.
Step 1 β Find the nameservers for the domain:
# Using dig
dig example.com NS +short
# Using nslookup
nslookup -type=NS example.comThis gives you the nameserver hostnames β something like ns1.example.com and ns2.example.com.
Step 2 β Attempt the zone transfer against each nameserver:
# Using dig β AXFR request
dig axfr @ns1.example.com example.com
dig axfr @ns2.example.com example.com
# Using nslookup
nslookup
> server ns1.example.com
> set type=AXFR
> example.com
# Using dnsrecon
dnsrecon -d example.com -t axfr
# Using fierce
fierce --domain example.comStep 3 β Read the output:
If the zone transfer is denied (most common):
; Transfer failed.
If the zone transfer succeeds:
; <<>> DiG 9.16.1 <<>> axfr @ns1.example.com example.com
example.com. 3600 IN SOA ns1.example.com. admin.example.com. ...
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
www.example.com. 3600 IN A 93.184.216.34
mail.example.com. 3600 IN A 10.0.0.5
admin.example.com. 3600 IN A 10.0.0.10
...
Reading the output β what each column means:
admin.example.com. 3600 IN A 10.0.0.10
β β β β β
hostname TTL class type value
- Hostname β the subdomain or server name that exists
- TTL β how long this record is cached (in seconds) β not important right now
- IN β Internet class, always IN, ignore it
- Type β the record type (A = IPv4 address, NS = nameserver, MX = mail server)
- Value β what it points to β usually an IP address
The ones you care about most are A records β they map a hostname directly to an IP address. Any A record pointing to an internal IP range (10.x.x.x, 172.16.x.x, 192.168.x.x) means that server is internal β it's not supposed to be publicly visible, which makes it more interesting.
So you found admin.example.com pointing to 10.0.0.10 β now what?
That IP is internal. Your browser and your tools don't know how to reach admin.example.com because there's no public DNS record for it β it was never meant to be found. But you found it anyway through the zone transfer.
To actually visit it or run tools against it, you need to tell your own machine where it lives. That's where /etc/hosts comes in.
π‘ Need to understand
/etc/hostsand why we edit it? See Domains, Subdomains & Virtual Hosts for the full explanation.
- Save the output immediately:
dig axfr @ns1.example.com example.com > zone-transfer.txt- Extract all hostnames:
grep -oP '[\w.-]+\.example\.com' zone-transfer.txt | sort -u-
Add all discovered hosts to
/etc/hostsif you're on an HTB or internal engagement -
Note internal IP ranges β any RFC1918 addresses (10.x.x.x, 172.16.x.x, 192.168.x.x) reveal internal network structure
-
In a professional engagement β this is a Critical finding. Document it fully with the full output as evidence.
Zone transfers appear on HTB boxes fairly regularly β especially boxes focused on DNS enumeration. The typical workflow:
# You find a domain in your nmap output or web response
# Step 1 β find nameservers
dig example.htb NS +short
# Step 2 β attempt transfer
dig axfr @<nameserver-ip> example.htb
# Step 3 β add everything found to /etc/hosts
echo "10.10.10.1 admin.example.htb dev.example.htb" >> /etc/hosts
# Step 4 β enumerate each discovered subdomain
gobuster dir -u http://admin.example.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txtZone transfers expose the entire internal DNS structure of an organization β including hostnames that were never meant to be public. Internal server names, staging environments, VPN endpoints, and administrative interfaces that security teams assumed were hidden are all revealed in a single request.
The fix is simple β restrict zone transfers to authorized IP addresses only. But the misconfiguration is surprisingly common even in large organizations.
by SudoChef Β· Part of the SudoCode Pentesting Methodology Guide