• For security reasons, zone transfers should only be allowed from specific, trusted IPs: the information in a zone can be used to gain insight into the domain/network structure before breaking in.
  • A zone transfer is always done over TCP, even if the reply is smaller than the UDP limit of 512 bytes, so port 53/TCP must be reachable on the DNS server.
And the command itself:
$ dig AXFR
To ask for an incremental zone transfer, that is, only the changes (just to test whether this feature is enabled or not):
$ dig ixfr
Default Server:

> ls -d
*** Can't list domain BAD ERROR VALUE
The DNS server refused to transfer the zone to your computer. If this
is incorrect, check the zone transfer security settings for on the DNS
server at IP address
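The first bullet above says transfers should only be allowed to specific, trusted hosts. The following BIND 9 named.conf fragments are an added example, not configuration from the original page: the permissive zone definition that lets anyone pull the zone with dig AXFR, beside a hardened version that restricts transfers to a named secondary and a TSIG key. The zone name, the addresses (from the RFC 5737 / RFC 3849 documentation ranges) and the key name are placeholders; the two zone blocks are alternatives and would not both appear in one running configuration.

```conf
// Added example, not from the original page. Zone name, addresses and key
// name are placeholders; pick one of the two zone definitions, not both.

// WEAK: no allow-transfer clause. BIND has historically defaulted to allowing
// transfers to any host, so "dig AXFR example.com @ns1" from anywhere returns
// the entire zone. Check your version's ARM for the default it ships with.
//
// zone "example.com" IN {
//     type primary;              // "type master;" in older BIND 9 releases
//     file "zones/db.example.com";
// };

// HARDENED: transfers are only answered when the request comes from the
// listed secondary or is signed with the shared TSIG key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";   // generate a real one with tsig-keygen
};

zone "example.com" IN {
    type primary;
    file "zones/db.example.com";
    allow-transfer { 192.0.2.53; 2001:db8::53; key xfer-key; };
    also-notify    { 192.0.2.53; 2001:db8::53; };
};

// Global default so that newly added zones do not inherit the permissive
// behaviour; per-zone allow-transfer statements override it.
options {
    allow-transfer { none; };
};
```

After reloading, `dig AXFR example.com @ns1` from an address that is not in the list (and without the key) should return "Transfer failed." and log a "zone transfer ... denied" message on the server, while the listed secondary still receives the zone.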