DNS AXFR — confirm zone transfer is blocked
A name server that answers AXFR requests from the internet hands out the whole zone: every subdomain, every MX, every TXT record (including SPF and DKIM keys) becomes visible to attackers. Daily check with alert.
Recipe
#!/usr/bin/env bash
# Ask the first authoritative server for DOMAIN to transfer the zone; exit 1 if it does.
DOMAIN="${1:-example.com}"
NS=$(dig +short NS "$DOMAIN" | head -1)
if [ -z "$NS" ]; then
  echo "no NS records found for $DOMAIN"
  exit 1
fi
RESP=$(dig +short axfr "$DOMAIN" "@$NS" 2>&1)
if echo "$RESP" | grep -qE "Transfer failed|REFUSED|NOTAUTH"; then
  echo "ok"
else
  # dig prefixes its own diagnostics with ';'; the remaining lines are resource records.
  COUNT=$(echo "$RESP" | grep -vc '^;' || true)
  if [ -n "$RESP" ] && [ "$COUNT" -gt 1 ]; then
    echo "leak $COUNT records visible from internet"
    exit 1
  fi
  echo "ok"
fi
Same thing in Enterno.io
Sanity check — our DNS tool already includes an AXFR probe. Wire this script up to a heartbeat and get a daily confirmation that zone-transfer stays blocked.
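The one-liner above treats anything that is not a visible zone as "ok", so a name server that is down or unreachable looks blocked. The following is an added example (not Enterno.io's probe): it classifies the dig output into blocked / leak / indeterminate, probes every NS record rather than only the first, and ships constructed sample responses so the classifier can be exercised offline. The regexes for dig's connection diagnostics are an assumption about dig's output format.

```shell
#!/usr/bin/env bash
# Added example, not Enterno.io code: classify `dig +short axfr` output so an
# unreachable name server raises an alert instead of passing as "ok".
# Exit status of classify_axfr: 0 = blocked, 1 = leak, 2 = indeterminate.
classify_axfr() {
  local resp="$1" records
  # Assumption about dig's diagnostics: connection problems are printed as
  # ";; Connection to ... failed: ..." or ";; communications error ..." and are
  # followed by "; Transfer failed.", so they have to be recognised first.
  if printf '%s\n' "$resp" | grep -qiE 'communications error|connection to .* failed|timed out'; then
    echo "indeterminate"; return 2
  fi
  if printf '%s\n' "$resp" | grep -qiE 'transfer failed|refused|notauth'; then
    echo "blocked"; return 0
  fi
  # Resource records are the non-blank lines that do not start with ';'.
  records=$(printf '%s\n' "$resp" | grep -v '^[[:space:]]*;' | grep -c '[^[:space:]]' || true)
  if [ "$records" -gt 0 ]; then
    echo "leak $records records"; return 1
  fi
  echo "indeterminate"; return 2   # empty answer: neither a refusal nor a zone
}
# Probe every authoritative server, not only the first NS record.
check_zone() {
  local zone="$1" ns resp result rc leak=0 unknown=0
  local servers; servers=$(dig +short NS "$zone")
  [ -z "$servers" ] && unknown=1   # no NS answer at all: nothing can be confirmed
  for ns in $servers; do
    resp=$(dig +short +time=5 axfr "$zone" "@$ns" 2>&1 || true)
    rc=0; result=$(classify_axfr "$resp") || rc=$?
    echo "$ns: $result"
    case $rc in 1) leak=1 ;; 2) unknown=1 ;; esac
  done
  [ "$leak" -eq 1 ] && return 1
  [ "$unknown" -eq 1 ] && return 2
  return 0
}
# Constructed samples (not captured from a real server) for an offline check.
SAMPLE_BLOCKED='; Transfer failed.'
SAMPLE_DOWN=';; Connection to 192.0.2.1#53(192.0.2.1) for example.com failed: timed out.
; Transfer failed.'
SAMPLE_LEAK='ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
ns1.example.com.
ns2.example.com.
10 mail.example.com.
"v=spf1 mx -all"
ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400'
if [ $# -gt 0 ]; then check_zone "$1"; fi   # usage: ./axfr-check.sh example.com
```

Wire `check_zone` to the heartbeat and alert on any non-zero exit: 1 means the zone is being handed out, 2 means the probe could not reach a conclusion and needs a look.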
Related recipes
A junior marketer flips DMARC from p=quarantine to p=none "to fix bounces" — Gmail starts marking everything as spam an hour later.
One public DNS resolver (1.1.1.1, 8.8.8.8) degrades for a region. Your site "is up" but half the users see "server not found" — the uptime monitor stays silent.
Site is on the HSTS preload list, but after an nginx refactor the header is gone. In 3 months the domain will be removed from the preload list. Need a daily check.