DNS Zone Transfer (AXFR/IXFR) from Unauthorized Internal Host
05 DNS Zone Transfer AXFR
Query
// Populate with IPs of authorized secondary/slave DNS servers to exclude
// legitimate zone replication traffic and avoid duplicating the built-in rule.
let AuthorizedSecondaryDNS = dynamic([]);
// Example: dynamic(["10.1.0.53", "10.2.0.53", "192.168.10.5"])
ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| where DnsQueryTypeName in~ ("AXFR", "IXFR")
or DnsQueryType in (252, 251)
| where SrcIpAddr !in (AuthorizedSecondaryDNS)
| summarize
TransferAttempts = count(),
TargetZones = make_set(DnsQuery),
TargetServers = make_set(DstIpAddr),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SrcIpAddr, SrcHostnameExplanation
This query is designed to detect unauthorized DNS zone transfer requests, which are attempts to copy DNS records from a DNS server. These requests can be either full transfers (AXFR) or incremental transfers (IXFR). The query specifically looks for such requests originating from internal hosts that are not on a predefined list of authorized secondary DNS servers. This helps to identify potentially malicious activities while ignoring legitimate DNS replication traffic.
Here's a simple breakdown of the query:
- Purpose: To detect unauthorized DNS zone transfer requests from internal hosts.
- How it works:
- It checks DNS activity logs for AXFR or IXFR requests within the last hour.
- It excludes requests from IP addresses listed as authorized secondary DNS servers.
- It counts the number of transfer attempts and identifies the targeted DNS zones and servers.
- Output:
- The query summarizes the number of transfer attempts, the zones targeted, and the servers involved, along with timestamps of the first and last detected attempts.
- Alerting:
- If any unauthorized requests are detected, it generates an alert with details about the source host and the targeted DNS zones.
- Severity: Medium, indicating a moderate level of concern.
- Customization: Users can populate the list of authorized secondary DNS servers to tailor the detection to their network environment.
This query helps in identifying potential reconnaissance activities by attackers trying to gather information about the internal network through DNS zone transfers.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 1h