Query Details

05 DNS Zone Transfer AXFR

Query

id: a1b2c3d4-0005-4a5b-8c9d-dns005axfr
name: DNS Zone Transfer (AXFR/IXFR) from Unauthorized Internal Host
description: |
  Detects DNS zone transfer requests (AXFR = full transfer, IXFR = incremental)
  originating from internal hosts that are NOT in the authorized secondary DNS
  server list. This differentiates from the Sentinel built-in "DNS Zone Transfer"
  rule (DNS Solution), which fires on ALL AXFR queries regardless of source.
  By excluding known authorized secondaries, this rule suppresses legitimate
  replication traffic and surfaces only attacker-initiated transfers.
  Populate the AuthorizedSecondaryDNS list with your secondary DNS server IPs.
  Zone transfers expose the complete DNS zone including all hostnames, IPs,
  and internal topology.
  MITRE T1590.002 — Gather Victim Network Information: DNS
  Ref: DnsBlade tool, nmap dns-zone-transfer NSE script, dnsniper
  Deduplication note: Complements built-in "DNS Zone Transfer" (DNS Solution).
  Disable the built-in or this rule to avoid duplicate alerts; this rule is
  preferred as it suppresses authorized secondaries.
severity: Medium
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Reconnaissance
relevantTechniques:
  - T1590.002
tags:
  - Zone Transfer
  - AXFR
  - IXFR
  - DNS Reconnaissance
  - DnsBlade
query: |
  // Populate with IPs of authorized secondary/slave DNS servers to exclude
  // legitimate zone replication traffic and avoid duplicating the built-in rule.
  let AuthorizedSecondaryDNS = dynamic([]);
  // Example: dynamic(["10.1.0.53", "10.2.0.53", "192.168.10.5"])
  ASimDnsActivityLogs
  | where TimeGenerated > ago(1h)
  | where DnsQueryTypeName in~ ("AXFR", "IXFR")
        or DnsQueryType in (252, 251)
  | where SrcIpAddr !in (AuthorizedSecondaryDNS)
  | summarize
      TransferAttempts = count(),
      TargetZones      = make_set(DnsQuery),
      TargetServers    = make_set(DstIpAddr),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by SrcIpAddr, SrcHostname
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: "DNS Zone Transfer — {{SrcHostname}} attempted AXFR for {{TargetZones}}"
  alertDescriptionFormat: "Zone transfer request (AXFR/IXFR) detected from {{SrcHostname}} ({{SrcIpAddr}}) targeting zones: {{TargetZones}}. This exposes complete internal DNS topology."
customDetails:
  TargetZones: TargetZones
  TransferAttempts: TransferAttempts

Explanation

This query detects unauthorized DNS zone transfer requests: attempts to copy a zone's DNS records from a DNS server, either as a full transfer (AXFR) or an incremental transfer (IXFR). It looks only at requests originating from internal hosts that are not on a predefined list of authorized secondary DNS servers, so legitimate replication traffic is ignored while potentially malicious activity is surfaced.

Here's a simple breakdown of the query:

  • Purpose: To detect unauthorized DNS zone transfer requests from internal hosts.
  • How it works:
    • It checks DNS activity logs for AXFR or IXFR requests within the last hour, matching either the query type name or the numeric query type (252 for AXFR, 251 for IXFR).
    • It excludes requests from IP addresses listed as authorized secondary DNS servers.
    • It counts the number of transfer attempts and identifies the targeted DNS zones and servers.
  • Output:
    • The query summarizes the number of transfer attempts, the zones targeted, and the servers involved, along with timestamps of the first and last detected attempts.
  • Alerting:
    • If any unauthorized requests are detected, it generates an alert with details about the source host and the targeted DNS zones.
  • Severity: Medium, indicating a moderate level of concern.
  • Customization: Users can populate the list of authorized secondary DNS servers to tailor the detection to their network environment.

This query helps in identifying potential reconnaissance activities by attackers trying to gather information about the internal network through DNS zone transfers.
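To exercise the rule's filtering and summarization logic offline, the following is an added Python re-implementation run over a handful of constructed ASimDnsActivityLogs-style records. It is example code written for this page, not part of the rule or of Sentinel. The column names follow the rule's query; the IP addresses, hostnames, zone names, timestamps and the fixed clock are constructed, and the authorized-secondary set stands in for the rule's AuthorizedSecondaryDNS list.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like the ASimDnsActivityLogs columns the
# rule reads. These are not real logs; all values are illustrative only.
SAMPLE_LOGS = [
    # Legitimate replication from an authorized secondary (should be suppressed).
    {"TimeGenerated": "2026-03-26T10:01:00Z", "SrcIpAddr": "10.1.0.53", "SrcHostname": "ns2.corp.example",
     "DstIpAddr": "10.1.0.10", "DnsQuery": "corp.example", "DnsQueryTypeName": "AXFR", "DnsQueryType": 252},
    # Workstation requesting a full transfer (should alert).
    {"TimeGenerated": "2026-03-26T10:05:00Z", "SrcIpAddr": "10.20.4.77", "SrcHostname": "wkstn-0421",
     "DstIpAddr": "10.1.0.10", "DnsQuery": "corp.example", "DnsQueryTypeName": "AXFR", "DnsQueryType": 252},
    # Same workstation, IXFR with the type name missing: caught by numeric code 251.
    {"TimeGenerated": "2026-03-26T10:06:30Z", "SrcIpAddr": "10.20.4.77", "SrcHostname": "wkstn-0421",
     "DstIpAddr": "10.1.0.11", "DnsQuery": "internal.corp.example", "DnsQueryTypeName": "", "DnsQueryType": 251},
    # Ordinary A lookup (not a zone transfer).
    {"TimeGenerated": "2026-03-26T10:07:00Z", "SrcIpAddr": "10.20.4.78", "SrcHostname": "wkstn-0422",
     "DstIpAddr": "10.1.0.10", "DnsQuery": "www.corp.example", "DnsQueryTypeName": "A", "DnsQueryType": 1},
    # AXFR from an unauthorized host, but older than the 1h lookback (outside ago(1h)).
    {"TimeGenerated": "2026-03-26T08:30:00Z", "SrcIpAddr": "10.30.1.9", "SrcHostname": "lab-box",
     "DstIpAddr": "10.1.0.10", "DnsQuery": "corp.example", "DnsQueryTypeName": "AXFR", "DnsQueryType": 252},
]

# Stand-in for the rule's AuthorizedSecondaryDNS list, populated for the sample.
AUTHORIZED_SECONDARY_DNS = {"10.1.0.53", "10.2.0.53"}

# Query-type names and numeric codes the rule matches (AXFR = 252, IXFR = 251).
ZONE_TRANSFER_NAMES = {"axfr", "ixfr"}
ZONE_TRANSFER_CODES = {252, 251}

# Fixed "now" so the ago(1h) window is reproducible offline (constructed).
SAMPLE_NOW = datetime(2026, 3, 26, 11, 0, tzinfo=timezone.utc)


def parse_time(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_zone_transfer(record):
    """Mirror: DnsQueryTypeName in~ ("AXFR", "IXFR") or DnsQueryType in (252, 251)."""
    name = (record.get("DnsQueryTypeName") or "").lower()  # in~ is case-insensitive
    return name in ZONE_TRANSFER_NAMES or record.get("DnsQueryType") in ZONE_TRANSFER_CODES


def detect_unauthorized_zone_transfers(records, authorized, now, lookback=timedelta(hours=1)):
    """Apply the rule's three where-filters, then summarize per (SrcIpAddr, SrcHostname)."""
    cutoff = now - lookback
    groups = defaultdict(list)
    for rec in records:
        if parse_time(rec["TimeGenerated"]) <= cutoff:   # TimeGenerated > ago(1h)
            continue
        if not is_zone_transfer(rec):
            continue
        if rec["SrcIpAddr"] in authorized:                 # SrcIpAddr !in (AuthorizedSecondaryDNS)
            continue
        groups[(rec["SrcIpAddr"], rec["SrcHostname"])].append(rec)

    results = {}
    for key, recs in groups.items():
        ordered = sorted(recs, key=lambda r: parse_time(r["TimeGenerated"]))
        results[key] = {
            "TransferAttempts": len(recs),                                # count()
            "TargetZones": sorted({r["DnsQuery"] for r in recs}),         # make_set(DnsQuery)
            "TargetServers": sorted({r["DstIpAddr"] for r in recs}),      # make_set(DstIpAddr)
            "FirstSeen": ordered[0]["TimeGenerated"],                     # min(TimeGenerated)
            "LastSeen": ordered[-1]["TimeGenerated"],                     # max(TimeGenerated)
        }
    return results


def run_sample(authorized=AUTHORIZED_SECONDARY_DNS):
    """Run the detection over the constructed sample with the fixed clock."""
    return detect_unauthorized_zone_transfers(SAMPLE_LOGS, authorized, SAMPLE_NOW)


if __name__ == "__main__":
    for (ip, host), summary in run_sample().items():
        print(f"{host} ({ip}): {summary['TransferAttempts']} attempt(s) against {summary['TargetZones']}")
    # With the list left empty, as the rule ships (dynamic([])), the secondary alerts too.
    print("Alerting sources with an empty allow-list:", len(run_sample(authorized=set())))
```

Two points the sample is built to show: the IXFR record whose DnsQueryTypeName is empty is still caught because the rule also matches on the numeric type code, and the final call with an empty allow-list reproduces the behaviour of the shipped `dynamic([])`, where the legitimate secondary at 10.1.0.53 would raise an alert, which is why the description asks you to populate AuthorizedSecondaryDNS before enabling the rule.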

Details

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

Dns, Zone Transfer, Axfr, Ixfr, Host, Ip Address, Hostname, DnsQuery, DnsQueryTypeName, DnsQueryType, SrcIpAddr, DstIpAddr, TimeGenerated, TransferAttempts, TargetZones, TargetServers, FirstSeen, LastSeen

Operators

let, dynamic, ago, in~, in, !in, summarize, count, make_set, min, max, by