I am currently trying to test a zone transfer via dig (9.8.4) with the following command:

dig axfr @ns.server.com domainname.com

and I get the following error (notice it's not a declined zone transfer error):

<<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> axfr @ns12.zoneedit.com zonetransfer.me
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

If I query the server without any attributes, I get a response.

e.g. dig ns.server.com domainname.com
Sahar

1 Answer


Zone transfers rarely fit within a 512-byte UDP reply packet. Most programs implicitly switch over to using TCP when a zone transfer is requested, and dig is one of them: the +tcp option is implicitly set. The most likely scenario is that your firewall is passing UDP traffic on port 53 but not TCP traffic.

Andrew B
  • Can I increase the number of bytes in a UDP reply packet? If not, is the only solution to allow TCP traffic on port 53? – Sahar Mar 15 '15 at 17:38
  • You need to open TCP 53 regardless. Software *expects* to be able to use TCP fallback when it receives truncated UDP replies. There is a standard for larger reply packets over UDP (EDNS0 extensions), but it is not supported by everything. – Andrew B Mar 15 '15 at 18:02
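To confirm the firewall explanation from the answer (and the TC-bit / EDNS0 point from the comments) without relying on dig's implicit transport choice, the following added example, which is not part of the original question or answer, sends the same SOA query for a zone once over UDP and once over TCP to the same nameserver and reports which transport answers and whether the UDP reply was truncated. The server address 192.0.2.53 and zone example.com are placeholders; the `edns_udp_size` parameter shows what an EDNS0 OPT record advertising a larger UDP payload looks like on the wire. Only the standard library is used.

```python
"""Diagnose 'UDP/53 works, TCP/53 times out' (the classic failing-AXFR symptom).

Added example, not from the original post. The wire format follows
RFC 1035 (query/header layout, 2-byte length prefix on TCP) and RFC 6891
(EDNS0 OPT pseudo-record). Server and zone names are placeholders.
"""
import socket
import struct

QTYPE_SOA = 6    # SOA: small, always present at a zone apex, safe to ask for
QTYPE_OPT = 41   # EDNS0 OPT pseudo-RR


def build_query(qname, qtype=QTYPE_SOA, txid=0x1234, edns_udp_size=None):
    """Build a DNS query (recursion desired) in RFC 1035 wire format.
    If edns_udp_size is given, append an OPT record advertising that the
    client can accept UDP replies larger than the classic 512 bytes."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    pkt = header + wire_name + struct.pack("!HH", qtype, 1)  # class IN
    if edns_udp_size:
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=0 (ext rcode/flags), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def parse_header(pkt):
    """Decode the 12-byte DNS header; TC set means 'reply truncated, retry over TCP'."""
    if len(pkt) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}


def query_udp(server, pkt, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full reply")
        buf += chunk
    return buf


def query_tcp(server, pkt, timeout=3.0):
    """DNS over TCP: each message is prefixed with a 2-byte big-endian length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(pkt)) + pkt)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server, zone):
    """Send the same SOA query over both transports; return per-transport outcome."""
    pkt = build_query(zone)
    out = {}
    for name, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            out[name] = parse_header(fn(server, pkt))
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError subclass
            out[name] = {"error": str(exc)}
    return out


def diagnose(results):
    """Turn the probe outcome into the verdict a firewall admin needs."""
    udp_ok = "error" not in results["udp"]
    tcp_ok = "error" not in results["tcp"]
    if udp_ok and not tcp_ok:
        return "UDP/53 answers but TCP/53 is unreachable: AXFR needs TCP, allow TCP port 53 on the firewall"
    if udp_ok and tcp_ok:
        return "both transports reach the server; a failing AXFR is then a server-side refusal, not the firewall"
    if not udp_ok and not tcp_ok:
        return "neither transport reaches the server; check address, routing and port 53 filtering"
    return "TCP/53 works but UDP/53 does not; check UDP filtering"


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder address
    zone = sys.argv[2] if len(sys.argv) > 2 else "example.com"   # placeholder zone
    result = probe(server, zone)
    print(result)
    print(diagnose(result))
```

Run it as `python3 probe53.py <nameserver-ip> <zone>`; the UDP line succeeding while the TCP line reports a timeout is exactly the firewall case the answer describes, and a `tc: True` in the UDP result is the truncation signal that makes resolvers retry over TCP, which is why the comment says TCP 53 must be open regardless of EDNS0 support.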