DNS Zone Transfer Test — Delegation & AXFR Risk Assessment
Trace delegation from TLD to domain — NS and SOA at each step to assess zone transfer risk
How to Use This Tool
- Enter the fully qualified domain to assess (e.g. example.com or mail.example.com).
- The tool builds zone suffixes from the TLD upward to the full hostname.
- Parallel NS and SOA queries run at each zone cut via Google Public DNS.
- Nameserver hostnames are normalized by stripping trailing dots.
- The trace array accumulates steps with zone, nameservers, soa, and status.
- Review authoritativeZone and delegationDepth for the deepest traced label.
About This Tool
Unauthorized zone transfers (AXFR) leak entire zone contents to reconnaissance actors — historically one of the highest-impact DNS misconfigurations. Before attempting AXFR, security teams audit delegation integrity: which nameservers claim authority at each parent cut, whether NS sets are consistent, and whether SOA metadata looks healthy. The VSPIC DNS zone transfer test uses the dns-trace action: you enter a domain, and it walks the delegation from the TLD suffix through each progressively longer zone label, captures NS hostnames and SOA strings per step, and returns a trace array with delegationDepth, authoritativeZone, and per-step status.
This page does not perform live AXFR against authoritative servers — public AXFR attempts from third-party tools often fail or trigger alerts. Instead it maps the delegation chain that determines who could answer transfer requests, surfacing misconfigured NS cuts and stale registrar glue that precede transfer exposure. Pair with nameserver-lookup and DNSSEC checker for complete hardening reviews.
Common use cases
- View all DNS records of a domain after migration
- Confirm DNS records after domain changes
- Test for DNS leaks when using a VPN
- Debug email delivery with MX and TXT records
Why use VSPIC?
- Full delegation walk for zone transfer risk context.
- NS and SOA captured together at every zone cut.
- authoritativeZone identifies deepest zone file owner.
- Status text per step aids NXDOMAIN debugging.
- Structured JSON for security assessment reports.
- Free instant trace — no account required.
Zone transfer risk in context
AXFR replicates entire zone files to secondary servers — essential for legitimate DNS operations, catastrophic when any internet client can request a transfer. Modern exposure often stems from misconfigured secondary NS or leaked transfer ACLs rather than open primaries, but delegation mistakes precede many incidents.
Mapping who serves each zone cut reveals whether unexpected nameservers appeared — a precursor to hijack or shadow hosting that could enable transfer attempts.
dns-trace backend behavior
The dns-trace action with a domain parameter powers this page and returns JSON identical to dns-trace-lookup and dns-delegation-checker. Each trace step includes zone, nameservers, soa, and status from Google Public DNS queries.
delegationDepth counts steps walked. authoritativeZone names the deepest suffix in the trace array.
Reading trace steps for security review
Unexpected NS hostnames at the apex step may indicate incomplete migration or malicious delegation change. Compare trace output against intended DNS provider documentation.
SOA serial snapshots at query time help detect desynchronized secondaries — a condition that sometimes correlates with transfer misconfiguration.
AXFR versus delegation trace
This tool does not send AXFR queries. Responsible security assessment starts with delegation integrity, then authorized AXFR tests from approved lab networks against your own zones.
Public AXFR scanners may alarm operations teams — trace-based assessment is quieter and still valuable for pre-audit documentation.
Post-migration verification
After NS changes at the registrar, trace daily until the TLD step lists only the intended nameservers. Stale TLD NS records cause partial propagation and confused transfer authority.
Document trace JSON before and after cutover for compliance evidence.
Relationship to dns-delegation-checker
Same dns-trace API. DNS zone transfer test emphasizes AXFR risk and security audit language. DNS delegation checker emphasizes operational delegation validation. JSON is identical — choose page title matching your workflow vocabulary.
Cross-link dns-record-lookup for record content after confirming delegation structure.
Glue and lame delegation follow-up
Trace does not resolve glue A/AAAA for in-bailiwick NS. If NS hostnames look wrong, follow with A lookups on each nameserver from DNS record lookup.
Lame delegation requires querying each NS directly — status text may hint but does not confirm.
API automation for security CI
Call GET /ip-tools/api/extended?action=dns-trace&domain=example.com after DNS Terraform applies. Fail the pipeline if unexpected NS appear at the apex step compared to the baseline JSON.
Cache traces briefly — recheck immediately after registrar NS updates.
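The baseline comparison described above, as an added example that is not VSPIC's own code. It generalizes the apex check to every zone cut in the trace. The field names (trace, zone, nameservers, soa, status, authoritativeZone, delegationDepth) are the ones this page lists, but the exact JSON nesting, the sample values, and the function names are assumptions.

```python
import json
import sys

# Constructed sample dns-trace responses (not real lookups). Field names come
# from the page; the exact nesting and the values are assumptions.
BASELINE = json.loads("""{"delegationDepth": 2, "authoritativeZone": "example.com",
 "trace": [
  {"zone": "com", "nameservers": ["a.tld-ns.example"], "soa": "constructed", "status": "ok"},
  {"zone": "example.com", "soa": "constructed", "status": "ok",
   "nameservers": ["ns1.dns-provider.example", "ns2.dns-provider.example"]}]}""")
CURRENT = json.loads("""{"delegationDepth": 2, "authoritativeZone": "example.com",
 "trace": [
  {"zone": "com", "nameservers": ["A.TLD-NS.example."], "soa": "constructed", "status": "ok"},
  {"zone": "example.com", "soa": "constructed", "status": "ok",
   "nameservers": ["NS1.dns-provider.example.", "ns9.unknown-host.example"]}]}""")

def norm(name):
    # Strip the trailing dot (as the tool does) and lowercase: DNS names are case-insensitive.
    return name.rstrip(".").lower()

def ns_by_zone(result):
    # Map each traced zone cut to its normalized nameserver set.
    return {norm(step["zone"]): {norm(n) for n in step.get("nameservers") or []}
            for step in result.get("trace", [])}

def diff_trace(baseline, current):
    """Return (zone, kind, detail) findings; an empty list means no drift."""
    base, cur = ns_by_zone(baseline), ns_by_zone(current)
    findings = []
    for zone in sorted(base.keys() | cur.keys()):
        if zone not in cur:
            findings.append((zone, "zone-missing", ""))
        elif zone not in base:
            findings.append((zone, "zone-new", ",".join(sorted(cur[zone]))))
        else:
            findings += [(zone, "unexpected-ns", n) for n in sorted(cur[zone] - base[zone])]
            findings += [(zone, "missing-ns", n) for n in sorted(base[zone] - cur[zone])]
    return findings

if __name__ == "__main__":
    drift = diff_trace(BASELINE, CURRENT)
    for zone, kind, detail in drift:
        print(f"{zone}: {kind} {detail}")
    sys.exit(1 if drift else 0)  # non-zero exit fails the CI job
```

In a pipeline, replace the embedded samples with the stored baseline file and the fresh API response body.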
Privacy and authorized testing
Trace queries public NS and SOA only. Assess domains you own or are contracted to test. We do not permanently store domain searches.
Important notes & limitations
- Does not execute AXFR — delegation analysis only.
- Starts at TLD suffix — not interactive root server walk.
- Glue A/AAAA for in-bailiwick NS not resolved in trace.
- Cannot confirm AXFR ACLs on authoritative servers.
- One resolver path — internal DNS views may differ.
Frequently Asked Questions
Yes. VSPIC offers this DNS zone transfer test at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. It traces delegation with NS and SOA per zone cut via dns-trace. AXFR must be tested separately on authorized networks.
dns-trace with domain parameter — same as dns-trace-lookup.
Same backend and JSON. This page targets zone transfer security SEO; delegation checker targets operational NS validation language.
Subdomains without separate zone cuts inherit parent nameservers.
No. It assesses delegation context only. Use authorized AXFR probes on your own infrastructure for ACL verification.
Tracing begins at the TLD suffix and walks down to your full domain input.