DNS zone file and zone transfer

We have already covered the basics of DNS, so you know what it is and how it works. This article will help you understand one of the concepts within DNS: the zone transfer. To explain it, let’s first see what a zone file is.

DNS zone and DNS zone files

A DNS zone is a part of the DNS. The whole DNS is organized in a hierarchical structure, with different levels that can be managed independently. DNS zones allow exactly this: managing one partition of the domain namespace. Each DNS zone is defined by a zone file.

Zone files are simple text files containing DNS records. A zone file contains all the information for a domain, the full mapping of domain names to IP addresses. It must include the SOA record, which indicates the start of authority.

Zone transfer

To function correctly, the system needs to be kept updated. A zone transfer happens when the primary DNS server dispatches a DNS zone to one of the secondary DNS servers. You can trigger it manually with the dig command (if you have permission) or automatically if you have set it up beforehand.

IXFR zone transfer

When it is automatic, an increase (increment) of the zone serial number triggers the zone transfer. Incremental transfers (IXFR) are not complete transfers. They don’t copy the whole zone file; they copy only the changes: new, deleted, or changed records.

AXFR zone transfer

AXFR zone transfers are full transfers. The primary DNS server sends the whole zone file to the secondary. This ensures that the secondary DNS server is fully synced.
People prefer IXFR zone transfers over AXFR transfers because they take much less bandwidth: less data travels.

Zone transfers and hackers’ attacks

If zone transfers are left open, an attacker can obtain the entire zone file simply by sending an AXFR request to the server. You can prevent this by allowing only trusted (secondary) DNS servers to perform AXFR queries.
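One way to enforce this on a BIND 9 primary, as an added example that is not from the original article: the first fragment shows the permissive setting that lets any host pull the zone, the second denies transfers by default and allows them only to requests signed with a TSIG key shared with the secondary. The zone name, the 192.0.2.x addresses and the key name are placeholders; the two zone blocks are alternatives, not meant to be loaded together.

```conf
// Added example (not from the article): BIND 9 named.conf fragments.
// "example.com", 192.0.2.0/24 addresses and "xfer-key" are placeholders.

// --- Weak setting: any host can request a full (AXFR) copy of the zone ---
zone "example.com" {
    type primary;                    // "master" on BIND releases before 9.16
    file "/etc/bind/db.example.com";
    allow-transfer { any; };         // whole zone readable by anyone who asks
};

// --- Hardened setting: refuse transfers unless the request is signed ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // generate with tsig-keygen; same key on the secondary
};

options {
    allow-transfer { none; };        // global default: refuse AXFR/IXFR from everywhere
    notify yes;                      // tell secondaries when the SOA serial increments
};

zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
    allow-transfer { key "xfer-key"; };   // only TSIG-signed requests from the secondary
    also-notify { 192.0.2.2; };           // placeholder address of the secondary
};
```

After reloading, confirm from a host that is not the secondary that an AXFR request against the primary is refused; BIND also logs each refused transfer, which is a useful detection signal.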

If you create a new DNS zone, you will need to perform an AXFR zone transfer. If you have already set up all the DNS zones and just make changes to the primary DNS zone, then it will be an IXFR zone transfer.

