
What is DNS Zone Transfer (AXFR/IXFR)

March 6, 22:54

DNS Zone Transfer is the process of synchronizing zone data between DNS servers. The master server transfers the complete zone file or incremental updates to slave servers, ensuring data consistency.

Types of Zone Transfers

AXFR (Full Zone Transfer)

Definition: Transfers the complete zone file.

Characteristics:

  • Transfers all DNS records
  • Large data volume, long transfer time
  • Suitable for initial synchronization or complete rebuild

Workflow:

```text
Slave Server → AXFR Request → Master Server
Master Server sends complete zone data
Slave Server receives and updates
```

IXFR (Incremental Zone Transfer)

Definition: Only transfers changed parts.

Characteristics:

  • Only transfers changed records
  • Small data volume, fast transfer
  • Suitable for daily synchronization

Workflow:

```text
Slave Server → IXFR Request (with SOA Serial) → Master Server
Master Server checks Serial
Master Server sends changed records
Slave Server incrementally updates
```

SOA Serial Mechanism

Role of Serial

The Serial field in the SOA record identifies the version number of the zone file:

```dns
example.com. 3600 IN SOA ns1.example.com. admin.example.com. (
    2024010101 ; Serial (YYYYMMDDNN)
    3600       ; Refresh
    1800       ; Retry
    604800     ; Expire
    86400 )    ; Minimum TTL
```

Serial Formats

| Format | Example | Description |
|---|---|---|
| YYYYMMDDNN | 2024010101 | Year-Month-Day-Sequence |
| Unix Timestamp | 1704067200 | Unix timestamp |
| Custom | 1001 | Arbitrary incrementing number |

Serial Comparison Rules

```text
Slave Serial:  2024010100
Master Serial: 2024010101
Master Serial > Slave Serial → Transfer needed
```

Zone Transfer Configuration

Master Server Configuration

```bind
// named.conf on the master (named.conf comments use //, # or /* */, not ;)
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";

    // Allow transfer to slave servers
    allow-transfer {
        192.0.2.10;     // Slave 1
        192.0.2.11;     // Slave 2
        key tsig-key;   // TSIG authentication
    };

    // Notify slave servers of updates
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

Slave Server Configuration

```bind
// named.conf on the slave
zone "example.com" {
    type slave;
    file "/etc/bind/db.example.com.slave";

    // Master server address
    masters { 192.0.2.1; };

    // Accept NOTIFY messages from the master
    allow-notify { 192.0.2.1; };
};
```

TSIG Authentication Configuration

```bash
# Generate a TSIG key (older BIND releases; recent releases ship
# tsig-keygen -a hmac-sha256 tsig-key, which prints the key {} block directly).
# The secret ends up in the generated Ktsig-key.+*.private file;
# copy it into the key statement on BOTH servers.
dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST -T KEY tsig-key
```

```bind
# Master server configuration
key "tsig-key" {
    algorithm hmac-sha256;
    secret "Base64EncodedSecret==";   # placeholder, use the generated secret
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { key tsig-key; };   # only requests signed with this key
};

# Slave server configuration
key "tsig-key" {
    algorithm hmac-sha256;
    secret "Base64EncodedSecret==";   # same secret as on the master
};

zone "example.com" {
    type slave;
    file "/etc/bind/db.example.com.slave";
    masters { 192.0.2.1 key tsig-key; };   # sign transfer requests to the master
};
```

Zone Transfer Process

AXFR Transfer Process

```text
1. Slave sends AXFR request
2. Master checks permissions
3. Master sends SOA record
4. Master sends all resource records
5. Master sends SOA record again (end marker)
6. Slave verifies and updates data
```

IXFR Transfer Process

```text
1. Slave sends IXFR request (with current Serial)
2. Master compares Serial
3. If Serial same → Return SOA (no update needed)
4. If Serial updated → Send changed records
5. Slave incrementally updates
6. Master sends SOA (end marker)
```
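The serial comparison rule and the IXFR process above, as an added Python illustration that is not code from the original article: serials are compared with RFC 1982 serial-number arithmetic (the "Master > Slave" rule, but still correct once the 32-bit counter wraps), and a toy master keeps a short change journal so it can answer with only the changed records, with just the SOA when the slave is current, or with a full transfer when the slave's serial is older than the journal. The `Master`, `Change` and `sync` names are constructed for this example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

MOD = 1 << 32  # the SOA serial is an unsigned 32-bit integer

def serial_gt(a, b):
    """True when serial a is newer than b under RFC 1982 serial number
    arithmetic, so the check keeps working after the counter wraps."""
    d = (a - b) % MOD
    return d != 0 and d < MOD // 2

# one zone edit: the serial before it, the serial after it, records removed and added
Change = namedtuple("Change", "old new deleted added")

@dataclass
class Master:              # constructed toy master with a short change journal
    serial: int
    records: set
    keep: int = 2          # edits still answerable as IXFR (a real journal has a size limit)
    history: list = field(default_factory=list)

    def edit(self, new_serial, deleted=(), added=()):
        if not serial_gt(new_serial, self.serial):
            raise ValueError("serial must move forward")
        self.history.append(Change(self.serial, new_serial, frozenset(deleted), frozenset(added)))
        self.history = self.history[-self.keep:]
        self.records = (self.records - set(deleted)) | set(added)
        self.serial = new_serial

    def ixfr(self, slave_serial):
        """Answer an IXFR request as (kind, payload)."""
        if not serial_gt(self.serial, slave_serial):
            return "uptodate", self.serial       # step 3: only the SOA, nothing to send
        start = [i for i, c in enumerate(self.history) if c.old == slave_serial]
        if not start:                            # slave too far behind: fall back to a full transfer
            return "axfr", (self.serial, frozenset(self.records))
        return "ixfr", self.history[start[0]:]   # step 4: only the changed records

def sync(slave_serial, slave_records, master):
    """Slave side: apply the master's answer and return (serial, records)."""
    kind, payload = master.ixfr(slave_serial)
    if kind == "uptodate":
        return slave_serial, set(slave_records)
    if kind == "axfr":
        return payload[0], set(payload[1])
    records = set(slave_records)
    for c in payload:                            # step 5: incremental update, oldest first
        records = (records - c.deleted) | c.added
    return payload[-1].new, records
```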

Zone Transfer Optimization

1. Use IXFR Instead of AXFR

```bind
// Master server configuration
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.10; };
    // Keep a journal of changes so the master can answer IXFR even when
    // the zone file is edited by hand (dynamic updates are journaled anyway).
    // Slaves request IXFR by default (request-ixfr yes).
    ixfr-from-differences yes;
};
```

Advantages:

  • Reduce data transfer volume
  • Speed up synchronization
  • Lower network load

2. Set Refresh Interval Reasonably

```dns
; SOA record
example.com. 3600 IN SOA ns1.example.com. admin.example.com. (
    2024010101 ; Serial
    3600       ; Refresh (1 hour)
    1800       ; Retry (30 minutes)
    604800     ; Expire (7 days)
    86400 )    ; Minimum TTL (1 day)
```

Parameter Descriptions:

  • Refresh: Interval for slave to check for updates
  • Retry: Retry interval after refresh failure
  • Expire: Slave data expiration time

3. Restrict Transfer Permissions

```bind
// Global default: deny transfers to everyone
// (a zone may only carry one allow-transfer statement, so "deny all others"
// belongs in options {} and the per-zone list overrides it)
options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // Only allow specific IPs to transfer
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};
```

4. Use NOTIFY Mechanism

```bind
// Master server actively notifies slave servers
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

Advantages:

  • Master notifies immediately after changes
  • Reduces slave server polling
  • Speeds up synchronization

Zone Transfer Monitoring

Monitor Transfer Status

```bash
# View BIND logs (the log file depends on your logging configuration)
tail -f /var/log/syslog | grep -i "zone transfer\|transfer of"
# View transfer success/failure
tail -f /var/log/syslog | grep "AXFR\|IXFR"
```

Monitor Serial Changes

```bash
# Check SOA Serial
dig @ns1.example.com SOA example.com +short

# Compare master and slave Serial
dig @master.example.com SOA example.com +short
dig @slave.example.com SOA example.com +short
```

Set Alerts

```bash
# Serial mismatch alert (the serial is the third field of the +short SOA output)
MASTER_SERIAL=$(dig @master.example.com SOA example.com +short | awk '{print $3}')
SLAVE_SERIAL=$(dig @slave.example.com SOA example.com +short | awk '{print $3}')
if [ "$MASTER_SERIAL" != "$SLAVE_SERIAL" ]; then
    echo "Serial mismatch! Master: $MASTER_SERIAL, Slave: $SLAVE_SERIAL"
    # Send alert
fi
```

Common Interview Questions

Q: What's the difference between AXFR and IXFR?

A:

  • AXFR (Full Zone Transfer): Transfers complete zone file, large data volume
  • IXFR (Incremental Zone Transfer): Only transfers changed parts, small data volume, fast

Q: What's the role of SOA Serial?

A:

  • Identifies version number of zone file
  • Used to determine if zone transfer is needed
  • When Serial increments, slave requests update

Q: How to ensure zone transfer security?

A:

  1. TSIG Authentication: Use shared key to sign transfer
  2. Access Control: Restrict allowed transfer IP addresses
  3. Encrypted Transfer: Use VPN or encrypted channel

Q: Why do we need multiple slave servers?

A:

  1. High Availability: When master fails, slaves continue serving
  2. Load Distribution: Multiple slaves share query load
  3. Geographic Distribution: Slaves in different regions reduce latency

Summary

| Aspect | Description |
|---|---|
| AXFR | Full zone transfer, large data volume |
| IXFR | Incremental zone transfer, small data volume |
| SOA Serial | Version number, determines if transfer needed |
| Configuration Points | allow-transfer, masters, TSIG |
| Optimization Direction | Use IXFR, set reasonable refresh interval, NOTIFY mechanism |
| Security Considerations | TSIG authentication, access control, encrypted transfer |

Tags: DNS