Monitoring DNS via Zone Transfers (AXFR)

ZoneWatcher supports monitoring your DNS records directly via the Zone Transfer protocol (AXFR). This method allows you to sync DNS records directly from your authoritative nameserver, making it ideal for self-hosted DNS servers or providers that don't offer a dedicated API.

What is AXFR?

AXFR (Authoritative Zone Transfer) is a DNS protocol mechanism used to replicate DNS databases between DNS servers. When you perform a zone transfer, the authoritative nameserver sends a complete copy of the zone's DNS records to the requesting server.

ZoneWatcher uses AXFR to fetch all DNS records for your zone directly from your nameserver, providing complete visibility into your DNS configuration. This method is particularly useful when:

  • Your DNS provider doesn't offer an API for programmatic access
  • You're running your own authoritative DNS server (BIND, PowerDNS, NSD, etc.)
  • You want to monitor DNS records from a secondary nameserver
  • You need to monitor zones from enterprise DNS appliances

Prerequisites

Before you can use Zone Transfers with ZoneWatcher, you'll need to ensure your DNS server is configured to allow AXFR requests from ZoneWatcher's IP addresses. Zone transfers are typically restricted by default for security reasons.

Important Security Consideration: Zone transfers expose your complete DNS zone data. Only allow AXFR from trusted IP addresses. Contact our support team to get the current list of ZoneWatcher IP addresses that need to be allowed for zone transfers.

Configuring AXFR on Common DNS Servers

BIND

Add the following to your zone configuration in named.conf:

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com";
    allow-transfer { <ZoneWatcher-IP>; };
};

PowerDNS

Configure the allow-axfr-ips setting in your PowerDNS configuration:

allow-axfr-ips=<ZoneWatcher-IP>

NSD

Add the following to your zone configuration in nsd.conf:

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    provide-xfr: <ZoneWatcher-IP> NOKEY

Microsoft DNS

In DNS Manager, right-click your zone, select Properties, go to the Zone Transfers tab, and add ZoneWatcher's IP addresses to the allowed servers list.

Creating your Zone Transfer Provider

Once you've configured your DNS server to allow zone transfers, you can create your new Zone Transfer provider on ZoneWatcher by giving it a descriptive name.

You can optionally specify a Nameserver to use for zone transfers. If left blank, ZoneWatcher will automatically discover and use the authoritative nameserver for each zone based on the domain's NS records.

After configuring your provider, click the "Save" button.

Adding Your Zones

Unlike API-based providers, zones are not automatically discovered when using Zone Transfers. After creating your provider, you'll need to manually add each zone you want to monitor.

Navigate to your Zone Transfer provider and click "Add Zone". Enter the domain name of the zone you want to monitor. ZoneWatcher will then perform a zone transfer to fetch all DNS records for that zone.

Monitoring Your Zones

After you've added your zones, ZoneWatcher will perform regular zone transfers to check for changes to your DNS records. You'll be able to view your zones and records from either the Provider's page or the Zone Dashboard.

When changes are detected, you'll receive notifications through your configured notification channels, allowing you to stay informed about any modifications to your DNS configuration.

Troubleshooting

If ZoneWatcher is unable to perform zone transfers, check the following:

  • Firewall Rules: Ensure that port 53 (TCP) is open from ZoneWatcher's IP addresses to your nameserver. Zone transfers use TCP, not UDP.
  • AXFR Configuration: Verify that your DNS server is configured to allow zone transfers from ZoneWatcher's IP addresses.
  • Nameserver Reachability: Confirm that the nameserver you specified (or the authoritative nameserver) is reachable from the internet.
  • Zone Existence: Ensure the zone exists on the nameserver and is configured correctly.

You can test zone transfers manually using the dig command:

dig @your-nameserver example.com AXFR
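The change detection described under Monitoring Your Zones, combined with the dig check above, as an added example (not ZoneWatcher's own code): it parses dig's AXFR output, rejects refused or truncated transfers (a complete AXFR starts and ends with the zone's SOA record), and diffs two snapshots. The sample transfers in the block are constructed for illustration, not captured from a real nameserver.

```python
from typing import Dict, Set, Tuple

Record = Tuple[str, str, str]   # (owner, rtype, rdata)
Zone = Dict[Record, int]        # record -> TTL

# Constructed sample transfers modelled on dig's AXFR output (not real captures).
SNAPSHOT_OLD = """\
; <<>> DiG 9.18 <<>> @ns1.example.com example.com AXFR
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tA\t192.0.2.10
www.example.com.\t3600\tIN\tCNAME\texample.com.
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; XFR size: 5 records (messages 1, bytes 210)
"""
SNAPSHOT_NEW = """\
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010102 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tA\t192.0.2.20
www.example.com.\t300\tIN\tCNAME\texample.com.
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010102 7200 3600 1209600 3600
"""
REFUSED = "; <<>> DiG 9.18 <<>> @ns1.example.com example.com AXFR\n; Transfer failed.\n"

def parse_axfr(dig_output: str) -> Zone:
    """Turn dig AXFR output into {record: ttl}; accept only a complete transfer."""
    if "Transfer failed" in dig_output:          # nameserver refused or aborted the AXFR
        raise RuntimeError("zone transfer refused or aborted")
    rows = []
    for line in dig_output.splitlines():
        if not line or line.startswith(";"):     # dig banner, comments, summary lines
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rows.append((owner.lower(), int(ttl), rtype.upper(), " ".join(rdata.split())))
    # A complete AXFR is bracketed by two copies of the SOA; anything else is truncated.
    if len(rows) < 2 or rows[0][2] != "SOA" or rows[-1][2] != "SOA":
        raise RuntimeError("incomplete zone transfer: missing SOA bookends")
    return {(o, t, r): ttl for o, ttl, t, r in rows[:-1]}   # drop the closing SOA copy

def diff_zones(old: Zone, new: Zone) -> Dict[str, Set[Record]]:
    """Records added, removed or re-TTL'd between snapshots (a serial bump shows as removed+added SOA)."""
    return {
        "added": set(new) - set(old),
        "removed": set(old) - set(new),
        "ttl_changed": {r for r in old.keys() & new.keys() if old[r] != new[r]},
    }
```

Feed `parse_axfr` the stdout of the dig command shown above and keep the previous snapshot on disk to get the same added/removed/TTL report ZoneWatcher raises a notification for.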

Supported Record Types

Our Zone Transfers (AXFR) integration currently monitors the following record types:
