- For security reasons, zone transfers should only be allowed from specific, trusted IP addresses: the zone data gives an attacker insight into the domain and network structure before an intrusion.
- Zone transfers are always done over TCP, even when the reply would fit within the 512-byte UDP limit, so port 53/TCP must be reachable on the DNS server.
To request a full zone transfer (AXFR), or an incremental one (IXFR, which returns only the changes since the serial number you supply), which is also a quick way to test whether transfers are enabled at all (ask the authoritative server directly, since a local resolver will not serve the zone):
$ dig @<dns-server> AXFR example.com
$ dig @<dns-server> ixfr=<current-serial> example.com
The same check from Windows with nslookup; here the server refuses the transfer:
Windows> nslookup
Default Server: dns1-adc.netvision.net.il
Address: 184.108.40.206
> ls -d yurisk.info
[dns1-adc.netvision.net.il]
*** Can't list domain yurisk.info: BAD ERROR VALUE
The DNS server refused to transfer the zone yurisk.info to your computer. If this is incorrect, check the zone transfer security settings for yurisk.info on the DNS server at IP address 220.127.116.11.
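As an added example (not from the original post), a small Python audit helper that does what the dig and nslookup commands above do by hand: it builds the AXFR query, sends it over TCP port 53 as the protocol requires, and classifies the server's first reply as refused, allowed (records came back, so the transfer is open to this client) or something else. The zone names, transaction id and the sample_reply() message are constructed for this example, not captured from a real server.

```python
import socket
import struct

AXFR = 252           # QTYPE for a full zone transfer (RFC 5936)
RCODE_REFUSED = 5    # server declined, e.g. the client is not in its allow-transfer list

def encode_name(name):
    """Domain name in DNS wire format: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """TCP-framed AXFR query: 2-byte length prefix, 12-byte header, one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)        # flags=0: plain query
    question = encode_name(zone) + struct.pack("!HH", AXFR, 1)   # QTYPE=AXFR, QCLASS=IN
    return struct.pack("!H", len(header) + len(question)) + header + question

def classify_axfr_reply(framed_reply):
    """First framed reply -> 'refused', 'allowed' (records returned), 'other:<rcode>' or 'no-reply'."""
    if len(framed_reply) < 14:
        return "no-reply"   # server closed the connection or sent no usable message
    flags, _qdcount, ancount = struct.unpack("!HHH", framed_reply[4:10])
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode == 0 and ancount > 0:
        return "allowed"    # zone records came back: the transfer is open to this client
    return "other:%d" % rcode

def check_zone_transfer(server, zone, timeout=5.0):
    """Send the AXFR over TCP/53 (zone transfers never use UDP) and classify the reply."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        hdr = s.recv(2)
        length = struct.unpack("!H", hdr)[0] if len(hdr) == 2 else 0
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
    return classify_axfr_reply(hdr + body)

def sample_reply(zone, rcode, with_soa=False, txid=0x1234):
    """Constructed server reply for offline testing, not captured from a real server."""
    msg = struct.pack("!HHHHHH", txid, 0x8080 | rcode, 1, 1 if with_soa else 0, 0, 0)  # QR=1, RA=1
    msg += encode_name(zone) + struct.pack("!HH", AXFR, 1)       # question section echoed back
    if with_soa:  # one minimal SOA record; owner, MNAME and RNAME are pointers to the question name
        rdata = b"\xc0\x0c\xc0\x0c" + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 86400)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return struct.pack("!H", len(msg)) + msg
```

Run check_zone_transfer("<dns-server>", "example.com") from a host that is not a configured secondary; anything but "refused" or "no-reply" means the allow-transfer settings need a look.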