The SecOps Group CNSP Exam - Topic 7 Question 17 Discussion

Actual exam question for The SecOps Group's CNSP exam
Question #: 17
Topic #: 7

Which command will perform a DNS zone transfer of the domain "victim.com" from the nameserver at 10.0.0.1?

Suggested Answer: D

A DNS zone transfer replicates an entire DNS zone (a collection of DNS records for a domain) from a primary nameserver to a secondary one, typically for redundancy or load balancing. The AXFR (Authoritative Full Zone Transfer) query type, defined in RFC 1035, facilitates this process. The dig (Domain Information Groper) tool, a staple in Linux/Unix environments, is used to query DNS servers. The correct syntax is:

dig @<nameserver> <domain> axfr

Here, dig @10.0.0.1 victim.com axfr instructs dig to request a zone transfer for 'victim.com' from the nameserver at 10.0.0.1. The @ symbol specifies the target server, overriding the system's default resolver.

Technical Details:

The AXFR query is sent over TCP (port 53), not UDP, due to the potentially large size of zone data, which exceeds UDP's typical 512-byte limit (pre-EDNS0).

Successful execution requires the nameserver to permit zone transfers from the querying IP, often restricted to trusted secondaries via Access Control Lists (ACLs) for security. If restricted, the server responds with a 'REFUSED' error.

Security Implications: Zone transfers expose all DNS records (e.g., A, MX, NS), making them a reconnaissance goldmine for attackers if misconfigured. CNSP likely emphasizes securing DNS servers against unauthorized AXFR requests, using tools like dig to test vulnerabilities.

Why other options are incorrect:

A. dig @10.0.0.1 victim.com axrfr: 'axrfr' is a typographical error. The correct query type is 'axfr.' Executing this would result in a syntax error or an unrecognized query type response from dig.

B. dig @10.0.0.1 victim.com afxr: 'afxr' is another typo, not a valid DNS query type per RFC 1035. dig would fail to interpret this, likely outputting an error like 'unknown query type.'

C. dig @10.0.0.1 victim.com arfxr: 'arfxr' is also invalid, a jumbled version of 'axfr.' It holds no meaning in DNS protocol standards and would fail similarly.

Real-World Context: Penetration testers use dig ... axfr to identify misconfigured DNS servers. For example, dig @ns1.example.com example.com axfr might reveal subdomains or internal IPs if not locked down.
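
Added example, not part of the original explanation: a Python sketch of what the command above puts on the wire, and how someone auditing their own nameserver can tell a REFUSED reply from an allowed transfer. It builds the AXFR question (QTYPE 252) with the 2-byte length prefix DNS uses over TCP and classifies a constructed reply offline; the function names and the message ID 0x1234 are assumptions made for illustration.

```python
import struct

QTYPE_AXFR, CLASS_IN = 252, 1          # RFC 1035 values: AXFR query type, Internet class
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(domain):
    """Encode a domain as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("DNS labels are 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(domain, msg_id):
    """Return the TCP-framed query: 2-byte length, 12-byte header, one question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg

def classify_response(framed, msg_id):
    """Classify the first TCP-framed reply to an AXFR query by its header."""
    if len(framed) < 14:                       # 2-byte length + 12-byte header
        return "malformed"
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    if length < 12 or len(msg) != length:
        return "malformed"
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != msg_id or not flags & 0x8000:    # wrong ID, or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode:
        return "denied:" + RCODES.get(rcode, str(rcode))
    return "transfer-allowed" if answers else "empty"

def sample_refused(domain, msg_id):
    """Constructed sample: the reply from a server whose ACL rejects the client."""
    query = build_axfr_query(domain, msg_id)[2:]
    msg = struct.pack("!HH", msg_id, 0x8005) + query[4:]   # QR=1, RCODE=5
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    print(build_axfr_query("victim.com", 0x1234).hex())
    print(classify_response(sample_refused("victim.com", 0x1234), 0x1234))
```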


Contribute your Thoughts:

Joanne
3 days ago
Option D is the way to go. I always get my DNS zone transfers right!
upvoted 0 times
...
Rueben
8 days ago
The correct answer is D. The "axfr" command is used to perform a DNS zone transfer.
upvoted 0 times
...
Nelida
13 days ago
D) dig @10.0.0.1 victim.com axfr
upvoted 0 times
...
Eden
18 days ago
I thought "axrfr" was a typo, but I can't recall if it was in the context of DNS transfers. I guess I should go with D.
upvoted 0 times
...
Tess
23 days ago
I have a vague memory of "afxr" being mentioned in a lecture, but it doesn't sound right for a zone transfer.
upvoted 0 times
...
Myrtie
29 days ago
I remember practicing with similar questions, and I feel like "axfr" is the key part, so maybe it's option D?
upvoted 0 times
...
Lucina
1 month ago
I think the command for a DNS zone transfer is supposed to include "axfr," but I'm not sure about the exact syntax.
upvoted 0 times
...
Ashton
1 month ago
Okay, let me think this through. We need to do a zone transfer, so it's got to be "axfr" at the end. And the IP address goes before the domain name. I'm feeling good about option D.
upvoted 0 times
...
Marguerita
1 month ago
Ah, I got this one! The correct syntax is definitely "dig @10.0.0.1 victim.com axfr". Nice and straightforward.
upvoted 0 times
...
Ressie
2 months ago
Hmm, I think the key here is using the "@" symbol to specify the nameserver IP address. The rest of the command looks right to me.
upvoted 0 times
...
Merlyn
2 months ago
Wait, I'm a bit confused. Is it supposed to be "axfr" or "afxr"? I can never remember the order of those letters.
upvoted 0 times
...
Gladis
2 months ago
I'm pretty sure the correct answer is D, dig @10.0.0.1 victim.com axfr.
upvoted 0 times
...
