Home page logo
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News


File dns-zone-transfer

Script types: prerule, portrule
Categories: intrusive, discovery
Download: http://nmap.org/svn/scripts/dns-zone-transfer.nse

User Summary

Requests a zone transfer (AXFR) from a DNS server.

The script sends an AXFR query to a DNS server. The domain to query is determined by examining the name given on the command line, the DNS server's hostname, or it can be specified with the dns-zone-transfer.domain script argument. If the query is successful all domains and domain types are returned along with common type specific data (SOA/MX/NS/PTR/A).

This script can run at different phases of an Nmap scan:

  • Script Pre-scanning: in this phase the script will run before any
Nmap scan and use the defined DNS server in the arguments. The script arguments in this phase are: dns-zone-transfer.server the DNS server to use, can be a hostname or an IP address and must be specified. The dns-zone-transfer.port argument is optional and can be used to specify the DNS server port.
  • Script scanning: in this phase the script will run after the other
Nmap phases and against an Nmap discovered DNS server. If we don't have the "true" hostname for the DNS server we cannot determine a likely zone to perform the transfer on.

Useful resources

Script Arguments


DNS server port, this argument concerns the "Script Pre-scanning phase" and it's optional, the default value is 53.


DNS server. If set, this argument will enable the script for the "Script Pre-scanning phase".


If specified, adds returned DNS records onto Nmap scanning queue.


Domain to transfer.


If specified, adds all IP addresses including private ones onto Nmap scanning queue when the script argument newtargets is given. The default behavior is to skip private IPs (non-routable).


See the documentation for the target library.


See the documentation for the unittest library.

Example Usage

nmap --script dns-zone-transfer.nse \
     --script-args dns-zone-transfer.domain=<domain>

Script Output

53/tcp   open     domain
|  dns-zone-transfer:
|  foo.com.            SOA     ns2.foo.com. piou.foo.com.
|  foo.com.            TXT
|  foo.com.            NS      ns1.foo.com.
|  foo.com.            NS      ns2.foo.com.
|  foo.com.            NS      ns3.foo.com.
|  foo.com.            A
|  foo.com.            MX      mail.foo.com.
|  anansie.foo.com.    A
|  dhalgren.foo.com.   A
|  drupal.foo.com.     CNAME
|  goodman.foo.com.    A i
|  goodman.foo.com.    MX      mail.foo.com.
|  isaac.foo.com.      A
|  julie.foo.com.      A
|  mail.foo.com.       A
|  ns1.foo.com.        A
|  ns2.foo.com.        A
|  ns3.foo.com.        A
|  stubing.foo.com.    A
|  vicki.foo.com.      A
|  votetrust.foo.com.  CNAME
|  www.foo.com.        CNAME
|_ foo.com.            SOA     ns2.foo.com. piou.foo.com.


Author: Eddie Bell

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]