How to see if your nameserver has AXFR enabled?

If you are running your own DNS servers  than you may not want to let other people snoop around your zone files. Nameservers that are misconfigured will allow zone transfers unless the server administrator explicitly changes their settings to not allow it.

What happens when someone can do a zone transfer (AXFR)?

The receiving party would be able to see everything in your zone files. Subdomains that you don’t publish anywhere will be visible. To any other unique settings you may have in your zone files would be visible. There are also possible security concerns that can permit someone to find a vulnerability with your server.

How to see if your DNS server doesn’t permit any random stranger to do a zone transfer?

All three of the commands below will show similar results. The last two commands will let you dictate which nameserver to try a zone transfer against. You can also use specific IP addresses to test against with the commands below.

host -T axfr example.com

host -T axfr example.com ns1.example.com

dig axfr @ns1.example.com example.com