
The SecOps Group CNSP Exam - Topic 6 Question 19 Discussion

Actual exam question for The SecOps Group's CNSP exam
Question #: 19
Topic #: 6

Which command will perform a DNS zone transfer of the domain "victim.com" from the nameserver at 10.0.0.1?

A. dig @10.0.0.1 victim.com axrfr
B. dig @10.0.0.1 victim.com afxr
C. dig @10.0.0.1 victim.com arfxr
D. dig @10.0.0.1 victim.com axfr

Suggested Answer: D

A DNS zone transfer replicates an entire zone (the full set of records an authoritative server holds for a domain) from a primary nameserver to its secondaries, normally for redundancy and load sharing. The AXFR query type (type 252), defined in RFC 1035 and specified in detail in RFC 5936, requests a full transfer. dig (Domain Information Groper), the standard DNS query tool on Linux/Unix systems, can issue it. The syntax is:

dig @<nameserver> <domain> axfr

Here, dig @10.0.0.1 victim.com axfr instructs dig to request a zone transfer for 'victim.com' from the nameserver at 10.0.0.1. The @ symbol names the server to query directly, bypassing the resolvers configured in /etc/resolv.conf; that matters because a zone transfer must be requested from an authoritative server, not a recursive resolver.

Technical Details:

The AXFR query is sent over TCP (port 53), not UDP. RFC 5936 requires TCP for AXFR because zone data is usually far larger than the 512-byte UDP message limit of RFC 1035 (before EDNS0), and the transfer may span several DNS messages, each prefixed with a two-byte length field. The response begins and ends with the zone's SOA record; the repeated SOA marks the end of the transfer.

Successful execution requires the nameserver to permit zone transfers from the querying IP address. Properly configured servers restrict AXFR to their own secondaries via an access control list (for example BIND's allow-transfer) and, where possible, require a TSIG key. If the client is not allowed, the server answers with RCODE REFUSED and dig prints "; Transfer failed."

Security Implications: A permitted transfer hands over every record in the zone (A, AAAA, MX, NS, TXT, SRV and so on), including internal hostnames and private address ranges, so an open AXFR is a reconnaissance goldmine for attackers. The exam point is twofold: the command syntax, and the defence, which is to configure authoritative servers to refuse AXFR from anything but their own secondaries. dig ... axfr is how you verify that the restriction actually holds.

Why other options are incorrect:

A. dig @10.0.0.1 victim.com axrfr: 'axrfr' is a typo; the query type is 'axfr'. Note that dig does not reject a word it cannot parse as a type or class: it treats it as another name to look up. This command therefore issues an ordinary A query for victim.com and a second one for the name 'axrfr', and no zone transfer takes place.

B. dig @10.0.0.1 victim.com afxr: 'afxr' is another misspelling and is not a query type defined in RFC 1035 or any later RFC. dig handles it the same way, as a hostname rather than a type, so again only A lookups are sent.

C. dig @10.0.0.1 victim.com arfxr: 'arfxr' is also invalid, a jumbled version of 'axfr'. It has no meaning in the DNS protocol and fails in the same way: two A queries, no transfer.

Real-World Context: Penetration testers run dig ... axfr against every authoritative nameserver of a target (list them first with dig example.com NS), because a transfer that is locked down on one server is sometimes left open on another. For example, dig @ns1.example.com example.com axfr may reveal subdomains, internal hostnames and private IP ranges if the server is not locked down.
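As an added example (not from the page, The SecOps Group, or BIND's dig), the following Python script does by hand what dig @10.0.0.1 victim.com axfr does, covering both the technical details above and the recon use case: it builds a type-252 question, frames it for TCP with the two-byte length prefix, reads messages until the opening SOA repeats, and returns REFUSED when the server's ACL rejects the client. The two sample replies it carries are constructed, not captured; the host names ns1 and intranet and the addresses 10.0.0.1 and 10.0.0.5 are assumptions for illustration.

```python
# Added example (not from the page or The SecOps Group): a hand-rolled AXFR client; sample messages are constructed.
import socket
import struct

QTYPE_AXFR = 252           # RFC 1035 3.2.3: "a request for a transfer of an entire zone"
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """'victim.com' -> b'\\x06victim\\x03com\\x00' (length-prefixed labels, RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """12-byte header (flags 0: RD off, transfers are never recursive) + one AXFR question."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                      # a hostile server could send a pointer loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def parse_response(msg):
    """One DNS message -> (rcode name, [(owner, rtype, ttl, rdata as text), ...])."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, records = 12, []
    for _ in range(qd):                        # skip the echoed question
        offset = decode_name(msg, offset)[1] + 4
    for _ in range(an + ns + ar):
        owner, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:          # A
            text = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):              # NS, CNAME, PTR: a single (maybe compressed) name
            text = decode_name(msg, offset)[0]
        elif rtype == 6:                       # SOA: mname rname serial
            mname, pos = decode_name(msg, offset)
            rname, pos = decode_name(msg, pos)
            text = "%s %s %d" % (mname, rname, struct.unpack("!I", msg[pos:pos + 4])[0])
        else:
            text = rdata.hex()
        records.append((owner, rtype, ttl, text))
        offset += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf

def axfr(zone, server, port=53, timeout=10):
    """`dig @server zone axfr` by hand: TCP only, every message prefixed with a 2-byte length
    (RFC 1035 4.2.2); the transfer is complete when the opening SOA repeats (RFC 5936)."""
    query, records, soa_seen = build_axfr_query(zone), [], 0
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            (length,) = struct.unpack("!H", recv_exact(sock, 2))
            rcode, rrs = parse_response(recv_exact(sock, length))
            if rcode != "NOERROR" or not rrs:  # REFUSED when the server's ACL rejects our address
                return rcode, records
            soa_seen += sum(1 for rr in rrs if rr[1] == 6)
            records.extend(rrs)
    return "NOERROR", records

def exposed_hosts(records):
    """What a permitted transfer hands an attacker: every hostname that has an address."""
    return sorted((owner, text) for owner, rtype, _, text in records if rtype == 1)

def constructed_sample_responses():
    """Constructed (not captured) replies for victim.com: one full transfer, one REFUSED."""
    zone = b"\xc0\x0c"                         # compression pointer to the question name at offset 12
    question = encode_name("victim.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    rr = lambda owner, rtype, rdata: owner + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    soa = rr(zone, 6, b"\x03ns1" + zone + b"\x0ahostmaster" + zone
             + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
    body = (soa + rr(zone, 2, b"\x03ns1" + zone) + rr(b"\x03ns1" + zone, 1, bytes([10, 0, 0, 1]))
            + rr(b"\x08intranet" + zone, 1, bytes([10, 0, 0, 5])) + soa)   # hypothetical host names/IPs
    permitted = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0) + question + body   # QR|AA, 5 answers
    refused = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + question            # QR, RCODE 5
    return permitted, refused
```

Calling axfr("victim.com", "10.0.0.1") performs the live exchange. Run offline, parse_response on the constructed permitted message yields five records (SOA, NS, two A records, SOA) and exposed_hosts lists the two addresses an attacker would learn; on the refused message it yields ("REFUSED", []), the same outcome dig reports as "Transfer failed." The hop limit in decode_name is there because a hostile server can answer with a compression-pointer loop.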
