MDAXFR allows you to perform a DNS Zone Transfer against a target domain by resolving all of the domains nameservers to their respective A/AAAA records and making an AXFR attempt against every single nameserver IP address. You can also use this tool against the Root Nameservers and Top-level Domains (TLD), including those in the Public Suffix List (PSL) aswell.
It is expected to set realistic expectations when using this tool. In contemporary network configurations, AXFR requests are typically restricted, reflecting best practices in DNS security. While many nameservers now disallow AXFR requests, there may still be occasional instances where configurations permit them. Always exercise due diligence and ensure ethical use.
Testing every IP is critical because it only takes one misconfigured nameserver to expose a zone. It is common to find that only one or two nameservers out of several have AXFR left open while the rest properly block it. If you only test one nameserver or dont resolve the all of the nameserver, you risk missing the one that is misconfigured.
- AXFR a single domain
./mdaxfr ripe.net- AXFR a list of domains
cat domain_list.txt | ./mdaxfr.. or for parellel lookups you can use GNU Parallel:
parallel -a domain_list.txt -j 10 ./mdaxfr- AXFR all domains in an AXFR output file
domain="ripe.net" cat axfr-ripe.log | grep -aE "\s+IN\s+NS\s+" | grep -avE "^${domain}\.\s+" | awk '{print $1}' | sort -u | sed 's/\.$//' | ./mdaxfr- AXFR on all TLDs
curl -s 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' | tail -n +2 | tr '[:upper:]' '[:lower:] | ./mdaxfr- AXFR on all PSL TLDs
curl -s https://publicsuffix.org/list/public_suffix_list.dat | grep -vE '^(//|.*[*!])' | grep '\.' | awk '{print $1}' | ./mdaxfr- A python version of this tool with better concurrency control is available here:
python ./extras/mdaxfr.py --tlds -c 30As of the last scan in 2026, the following 15 TLDs allow zone transfers from their official nameservers:
| TLD | Records |
|---|---|
| arpa | 229 |
| bw | 69,146 |
| do | 52,016 |
| er | 64 |
| fj | 7,614 |
| gn | 3,908 |
| gp | 5,663 |
| mp | 2,340 |
| mw | 5,663 |
| my | 1,702,972 |
| ps | 20,661 |
| xn--54b7fta0cc (বাংলা) | 1,555 |
| xn--mgbx4cd0ab (مليسيا) | 18 |
| xn--wgbh1c (مصر) | 2,313 |
| xn--ygbi2ammx (فلسطين) | 446 |
Some TLDs that allow AXFR also expose their sub-zones (e.g. com.er, edu.er, org.er, ac.mw, co.mw, com.mw, etc). These sub-zone transfers are handled by the extras/ozones script, which also covers zones only available through dedicated zone transfer servers like ch, li, ee, nu, and se.
I only wrote this to shit on this bozo who took a dead project & brought it back to life by making it even worse. Rather than making a pull request to give this bloke more credit in his "tenure" as a developer, I decided to just rewrite it all from scratch so people can fork off of clean code instead.
The addition scripts in this repository provide additional zone files from dedicated zone transfer servers and sub-zones that aren't covered by standard TLD scanning.
For laughs, here is a one-liner mass zone axfr:
curl -s https://www.internic.net/domain/root.zone | awk '$4=="A" || $4=="AAAA" {print substr($1, 3) " " $5}' | sed 's/\.$//' | xargs -n2 sh -c 'dig AXFR "$0" "@$1"'Note: Don't actually use this LOL...
It is interesting to have seen this has worked on some "darknet" DNS servers...would maybe look into exploring collecting more zones for alterntive DNS routing. I am also intruiged at how much you can explore ARPANET with AXFRs. Nested zones under arpa (such as in-addr.arpa, ip6.arpa, ip6-servers.arpa, etc) can also be AXFR'd.