axfr2hosts is a tool meant to do a DNS zone transfer in a form of AXFR transaction of one or more zones towards a single DNS server and convert received A, AAAA and CNAME records from a DNS responses into a hosts file for a local use, for instance when DNS servers are unreachable and/or down.
By default hosts entries will be sorted its IP as a key and under each entry individual FQDNs will be sorted alphabetically.
If needed, axfr2hosts can also read and parse local RFC 1035 zones (for instance BIND 9 zone files) and process A and CNAME records into a hosts file as described above so that a zone transfer is not needed.
Either of:
- Ability to do a full zone transfer (AXFR), usually permitted with
allow-transferin BIND 9 or withallow-axfr-ipsin PowerDNS, - Permissions to read RFC 1035 zone files locally.
There are two ways of installing axfr2hosts:
Download your preferred flavor from the releases page and install manually, typically to /usr/local/bin/axfr2hosts.
go install github.com/dkorunic/axfr2hosts@latestUsage: ./axfr2hosts [options] zone [zone2 [zone3 ...]] [@server[:port]]
-cidr_list string
Use only targets from CIDR whitelist (comma separated list)
-cpu_profile string
CPU profile output file
-greedy_cname
Resolve out-of-zone CNAME targets (default true)
-ignore_star
Ignore wildcard records (default true)
-max_retries uint
Maximum DNS zone transfer attempts (default 3)
-max_transfers uint
Maximum parallel zone transfers (default 10)
-mem_profile string
memory profile output file
-resolver_address string
DNS resolver (DNS recursor) IP address
-resolver_timeout duration
DNS queries timeout (should be 2-10s) (default 10s)
-strip_domain
Strip domain name from FQDN hosts entries
-strip_unstrip
Keep both FQDN names and domain-stripped names
-verbose
Enable more verbosity
1) If server was not specified, zones will be parsed as RFC 1035 zone files on a local filesystem,
2) We also permit zone=domain argument format to infer a domain name for zone files.
For more information visit project home: https://github.com/dkorunic/axfr2hostsAt minimum, a single zone and a single server are needed for any meaningful action.
Typical use case would be:
axfr2hosts dkorunic.net pkorunic.net @172.64.33.146However the tool by default follows CNAMEs even if they are out-of-zone and resolves to one or more IP addresses if possible and lists all of them. That behaviour can be changed with -greedy_cname=false flag.
Also, by default tool lists wildcard (DNS labels containing *) like they are ordinary labels and that can be changed with -ignore_star=true flag, which simply skips over those records.
Finally if there is a need to list only a subset of records matching one or more CIDR ranges, -cidr_list flag can be used.
If there is a lot of zones that need to be fetched at once, tool works well with xargs. Individual zone errors will be displayed and such zones will be skipped over:
xargs axfr2hosts @nameserver < listMaximum of concurrent zone transfers is limited by -max_transfers flag and defaults to 10, aligned with BIND 9 default (transfers-out in BIND 9 named.conf).
It is also possible to output hosts file with domain names stripped by using -strip_domain=true flag. It is also possible to keep both domain-stripped labels and FQDNs at the same time by using -strip_unstrip=true flag. When using many domains at once, either of these options do not make much sense.
It is also possible to directly process RFC 1035 zone files on a local filesystem when a nameserver is not been specified. We would typically recommend specifying a domain name manually by suffixing the zone file with = and domain name as shown below, as one inferred from a zone can possibly be invalid (due to lack of top-level $ORIGIN and/or all records being non-FQDN and/or being suffixed with @ macro):
axfr2hosts dkorunic.net.zone=dkorunic.netIn case you are wondering what dns: bad xfr rcode: 9 means, here is a list of DNS response codes:
| Response Code | Return Message | Explanation |
|---|---|---|
| 0 | NOERROR | No error |
| 1 | FORMERR | Format error |
| 2 | SERVFAIL | Server failure |
| 3 | NXDOMAIN | Name does not exist |
| 4 | NOTIMP | Not implemented |
| 5 | REFUSED | Refused |
| 6 | YXDOMAIN | Name exists |
| 7 | YRRSET | RRset exists |
| 8 | NXRRSET | RRset does not exist |
| 9 | NOTAUTH | Not authoritative |
| 10 | NOTZONE | Name not in zone |