HIGH zone transferazure

Zone Transfer on Azure

Scan your API now

How Zone Transfer Manifests in Azure

Azure DNS provides a managed service for hosting DNS zones, both public and private. A zone transfer (AXFR) allows a DNS client to request a complete copy of a zone’s resource records. If the zone is configured to allow transfers to unrestricted or unintended IP addresses, an attacker can enumerate all internal hostnames, services, and potentially sensitive information.

In Azure, the setting that controls zone transfers is the allowTransfer property on a DNS zone. When this property is set to * (any IP) or includes IP ranges that should not have access, the zone becomes vulnerable. Misconfigurations often appear in infrastructure‑as‑code templates, scripts, or ad‑hoc portal changes.

Typical Azure‑specific code paths that can introduce the issue include:

  • Azure CLI: az network dns zone update -g MyGroup -n contoso.com --allow-transfer *
  • Azure PowerShell: Set-AzDnsZone -ResourceGroupName MyGroup -Name contoso.com -AllowTransfer @() (empty array means none; forgetting to set it leaves the default, which may be *).
  • ARM template/Bicep: the properties.maxNumberOfRecordSets is unrelated, but the properties.allowZoneTransfer object (or missing) determines the policy. Example of a vulnerable Bicep snippet:
resource dnsZone 'Microsoft.Network/dnsZones@2020-04-01' = {
  name: 'contoso.com'
  location: 'global'
  properties: {
    // allowZoneTransfer omitted → Azure defaults to allowing transfers from any IP
  }
}

When the zone is publicly exposed (the default for public DNS zones), any Internet‑hosted resolver can issue a TCP AXFR query to the Azure DNS name servers and receive the full zone file.

Azure‑Specific Detection

Detecting an unsafe zone transfer configuration involves two steps: verifying the DNS service’s exposure and checking the allowTransfer setting.

middleBrick can help by scanning the Azure DNS management API endpoint, which returns the zone’s properties including the transfer policy. A request such as:

GET https://management.azure.com/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Network/dnsZones/{zoneName}?api-version=2020-04-01
Authorization: Bearer

returns JSON that contains a allowZoneTransfer block. If this block is missing, empty, or specifies * or overly broad IP ranges, middleBrick flags it under the “Data Exposure” category with a severity of “high”.

To run the check with the middleBrick CLI:

middlebrick scan https://management.azure.com/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/dns-rg/providers/Microsoft.Network/dnsZones/contoso.com?api-version=2020-04-01

The scanner will parse the response, note the presence or absence of restrictive transfer rules, and include a finding such as:

  • Finding: DNS zone allows zone transfer from any IP ("*")
  • Severity: High
  • Remediation Guidance: Restrict zone transfer to specific IP addresses or disable it entirely.

Beyond API scanning, administrators can also:

  • Enable Azure DNS diagnostic logs and look for AXFR queries from unexpected sources.
  • Use Azure Policy rule "Microsoft.Network/dnsZones should restrict zone transfer" to continuously evaluate zones.
  • Run az network dns zone show and inspect the allowTransfer field manually.

Azure‑Specific Remediation

Remediation consists of explicitly configuring the allowZoneTransfer property to either an empty array (no transfers) or a list of trusted IP addresses/IP ranges.

**Azure CLI** – restrict to a specific IP:

az network dns zone update \
  --resource-group dns-rg \
  --name contoso.com \
  --allow-transfer 203.0.113.45 198.51.100.0/24

**Azure PowerShell** – disable transfers:

Set-AzDnsZone -ResourceGroupName dns-rg -Name contoso.com -AllowTransfer @()

**Bicep** – define a secure zone:

resource dnsZone 'Microsoft.Network/dnsZones@2020-04-01' = {
  name: 'contoso.com'
  location: 'global'
  properties: {
    allowZoneTransfer: [
      {
        protocol: 'Udp'
        port: 53
        ipAddress: '203.0.113.45'
      }
    ]
  }
}

**ARM Template** – same idea:

{
  "type": "Microsoft.Network/dnsZones",
  "apiVersion": "2020-04-01",
  "name": "contoso.com",
  "location": "global",
  "properties": {
    "allowZoneTransfer": [
      {
        "protocol": "Udp",
        "port": 53,
        "ipAddress": "203.0.113.45"
      }
    ]
  }
}

To enforce the setting across subscriptions, assign an Azure Policy definition such as:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/dnsZones"
      },
      {
        "field": "Microsoft.Network/dnsZones/allowZoneTransfer",
        "exists": "false"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

After applying any of the above fixes, re‑run the middleBrick scan to confirm that the finding is resolved and the security score improves.

Scan your API now Free API security scan

Frequently Asked Questions

Does middleBrick directly test DNS zone transfer (AXFR) over TCP/53?
No. middleBrick scans API endpoints over HTTP/HTTPS. It detects unsafe zone transfer configurations by examining the Azure DNS management API’s allowZoneTransfer property. If the DNS service itself is exposed via a custom API that proxies DNS queries, middleBrick can test that endpoint, but it does not perform raw TCP AXFR queries.
How often should I check my Azure DNS zones for zone transfer misconfigurations?
Continuous validation is recommended. By adding the middleBrick GitHub Action or using Azure Policy, you can evaluate zones on every pull request or on a scheduled basis (e.g., daily). This ensures that any drift back to an insecure setting is caught promptly.

Related Pages

Zone Transfer in APIsZone Transfer in APIsAzure API SecurityAPI security considerations for Azure platforms including App Service, Functions, and API Management. Learn Azure-specifZone Transfer with Basic AuthLearn how zone transfer vulnerabilities in Basic Auth APIs allow authenticated users to access resources across differenZone Transfer with Bearer TokensLearn how Zone Transfer attacks exploit Bearer Tokens across security boundaries and how to detect and prevent them withZone Transfer with Hmac SignaturesLearn how flawed HMAC signature validation can lead to API zone transfers, how middleBrick detects it, and code‑level fiZone Transfer with Api KeysLearn how zone transfer vulnerabilities expose API key metadata and configuration data, with detection methods and remedZone Transfer in CassandraDetect Cassandra zone transfer (topology leak) via unauthenticated system table access. middleBrick scans for data exposZone Transfer in CockroachdbLearn how CockroachDB zone configurations can be exposed like a DNS zone transfer, how middleBrick detects the issue, anGdpr: Zone TransferLearn how GDPR applies to DNS zone transfer risks, detection via middleBrick, and BIND/DNS remediation steps to prevent Iso 27001: Zone TransferLearn how ISO 27001 applies to zone transfer risks in API security, including detection and remediation using middleBricCis: Zone TransferLearn how client input sanitization failures in zone transfer APIs create BOLA/IDOR risks, and how to detect/fix them wiHipaa: Zone TransferHipaa compliance requires protection of PHI, but Zone Transfer vulnerabilities can expose internal DNS records that reve