AXFR is a DNS zone transfer mechanism—a full dump of all DNS records from a primary nameserver to a secondary one. Short for "Asynchronous Full Transfer."
Legit use: replicating zones across nameservers for redundancy and load balancing. Normal operation requires authentication between servers.
The catch: if your nameserver allows unauthenticated AXFR queries, anyone on the internet can request a complete zone dump. This leaks your entire DNS infrastructure—every subdomain, mail server, IP address, internal naming schemes. Reconnaissance gift to attackers.
Bunkerdomains angle: if you run your own nameserver or use an edge provider, disable AXFR or restrict it to explicit secondaries only. Check your zone transfer settings regularly. Some registrars and DNS hosts leave this open by default—sloppy. We recommend checking your authoritative nameserver logs and configuration.
Related: zone files are gold for attackers. Proper DNSSEC, restrictive ACLs, and monitoring matter more than most registrants realize.
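An added example of the log check recommended above (not Bunkerdomains' or any nameserver project's own code): it scans constructed log lines modelled on BIND 9's xfer-out and security messages, flags transfers served to hosts outside an assumed secondary allow-list, and groups denied attempts by source. The `SECONDARIES` addresses, the zone names and the log lines are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumed allow-list: the only hosts that should ever pull a full zone.
SECONDARIES = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "2001:db8::53/128")]

# Constructed sample lines in the style of BIND 9 xfer-out / security logging.
SAMPLE_LOG = """\
12-Mar-2024 02:00:01.104 xfer-out: info: client @0x7f1c 192.0.2.53#41822 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 03:17:44.870 xfer-out: info: client @0x7f2a 203.0.113.77#50112 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 03:18:02.015 security: error: client @0x7f2b 198.51.100.9#33410 (corp.example): zone transfer 'corp.example/AXFR/IN' denied
12-Mar-2024 03:18:03.220 security: error: client @0x7f2c 198.51.100.9#33412 (example.com): zone transfer 'example.com/AXFR/IN' denied
12-Mar-2024 03:20:00.000 queries: info: client @0x7f2d 198.51.100.9#33500 (www.example.com): query: www.example.com IN A +
"""

# Source address (IPv4 or IPv6) and port; the "@0x..." object id is optional.
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
STARTED = re.compile(CLIENT + r".*transfer of '(?P<zone>[^'/]+)/IN': AXFR started")
DENIED = re.compile(CLIENT + r".*zone transfer '(?P<zone>[^'/]+)/AXFR/IN' denied")


def is_secondary(ip):
    """True if ip falls inside one of the allow-listed secondary networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SECONDARIES)


def audit(log_text):
    """Return (leaks, probes).

    leaks  - (ip, zone) pairs where a full transfer was served to a non-secondary,
             which means the transfer ACL is open or too wide.
    probes - {ip: set of zones} for transfer requests the server refused.
    """
    leaks, probes = [], {}
    for line in log_text.splitlines():
        m = STARTED.search(line)
        if m:
            if not is_secondary(m["ip"]):
                leaks.append((m["ip"], m["zone"]))
            continue
        m = DENIED.search(line)
        if m:
            probes.setdefault(m["ip"], set()).add(m["zone"])
    return leaks, probes


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any entry in `leaks` is a configuration finding to fix at the nameserver; entries in `probes` show the ACL working and are mainly useful for spotting sources that sweep several zones.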