
How to Fix BIND Zone Transfer Error

DodaTech Updated 2026-06-24 2 min read

This tutorial shows how to diagnose and fix BIND zone transfer failures between a master and its slaves: the configuration that controls who may pull a zone, the TSIG setup that authenticates the transfer, and the checks to run when a transfer is refused.

A BIND slave fails to pull zones from the master and logs errors such as "transfer failed: connection refused" or "transfer failed: permission denied". In most cases the master is not allowing zone transfers to the slave's IP address, or TCP port 53 on the master is not reachable from the slave.

The Problem

zone example.com/IN: Transfer failed: end of file
zone example.com/IN: transfer of 'example.com' from 192.0.2.1#53: failed while receiving responses: REFUSED

Step-by-Step Fix

Step 1: Configure allow-transfer on master

// /etc/bind/named.conf.options
options {
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};

// Or per zone
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};

Step 2: Configure TSIG key for secure transfers

key "transfer-key" {
    algorithm hmac-sha256;
    secret "BASE64_ENCODED_SECRET=";
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { key "transfer-key"; };
};
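Steps 1 and 2 put the exposure decision in two places, the global options and each zone, so an open allow-transfer is easy to miss on a server with many zones. The following script is an added example written for this page, not part of BIND or of the original tutorial: a small named.conf auditor that strips comments, walks the options and zone blocks, and reports any allow-transfer ACL that is open to any host, restricted by IP address only (no TSIG key), or missing altogether. The two sample configurations are constructed for the example and mirror the weak and corrected settings discussed above.

```python
import re

# Constructed sample configs (not from the page): one that leaks zones, one hardened.
WEAK_CONF = """
options {
    allow-transfer { any; };   // anyone on the internet may pull every zone
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};
"""

HARDENED_CONF = """
key "transfer-key" {
    algorithm hmac-sha256;
    secret "BASE64_ENCODED_SECRET=";
};
options {
    allow-transfer { none; };           /* deny by default, open per zone */
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { key "transfer-key"; };
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def blocks(text, kind):
    """Yield (name, body) for each top-level `kind` statement, e.g. zone "x" { ... }."""
    pattern = r'\b%s\b\s*(?:"([^"]*)")?[^{;]*\{' % kind
    for m in re.finditer(pattern, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk forward to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield (m.group(1) or kind), text[m.end():i - 1]


def allow_transfer(body):
    """Return the allow-transfer ACL elements of a block, or None if it sets none."""
    m = re.search(r"\ballow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit(conf):
    """Return a list of findings about zone-transfer exposure in a named.conf text."""
    text = strip_comments(conf)
    findings = []
    global_acl = allow_transfer(dict(blocks(text, "options")).get("options", ""))
    if global_acl and "any" in global_acl:
        findings.append("options: allow-transfer { any; } exposes every zone")
    for name, body in blocks(text, "zone"):
        if not re.search(r"\btype\s+(master|primary)\b", body):
            continue                             # only authoritative zones serve AXFR
        acl = allow_transfer(body)
        if acl is None:
            if global_acl is None:
                findings.append("zone %s: no allow-transfer here or in options" % name)
            continue                             # otherwise inherits the global ACL judged above
        if "any" in acl:
            findings.append("zone %s: allow-transfer { any; }" % name)
        elif "none" not in acl and not any(t.startswith("key ") for t in acl):
            findings.append("zone %s: allow-transfer by IP only; add a TSIG key" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it against a copy of your own named.conf by reading the file into `audit()`. A zone without its own allow-transfer inherits the global one, so the auditor judges the options block once and only flags a zone that sets nothing when the options block sets nothing either.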

Step 3: Configure slave

zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";
    masters { 192.0.2.1 key "transfer-key"; };
};

Step 4: Generate TSIG key

The command prints a complete key statement; paste it unchanged into the configuration on both the master and the slave so that the same secret is used on each side.

tsig-keygen -a hmac-sha256 transfer-key

Step 5: Check port 53 connectivity

nc -zv 192.0.2.1 53

Step 6: Test transfer with dig

dig @192.0.2.1 example.com AXFR

Prevention Tips

  • Restrict zone transfers to specific slave IPs only
  • Use TSIG keys for authenticated transfers
  • Never allow allow-transfer { any; }; in production
  • Monitor zone transfer logs on both master and slave
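The last tip is where misconfigurations and probing actually show up: the master logs every denied AXFR request with the client address, and the slave logs why its own transfer failed. The following script is an added example written for this page, not a BIND tool or code from the original tutorial. It parses a handful of log lines constructed to follow the format of named's xfer-in and xfer-out messages, counts denied transfer attempts per client, flags any AXFR the master actually served to an address that is not one of the configured slaves, and collects inbound failures and successful transfers on the slave side. The addresses and serial are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample lines modelled on BIND's named log format (not real captures).
# Lines 1-3 are what a master logs (xfer-out); lines 4-5 are what a slave logs.
SAMPLE_LOG = """\
20-Jun-2026 10:01:02.123 xfer-out: info: client @0x7f3c0a1b2c00 203.0.113.9#51234 (example.com): zone transfer 'example.com/AXFR/IN' denied
20-Jun-2026 10:01:03.200 xfer-out: info: client @0x7f3c0a1b2c00 203.0.113.9#51240 (example.com): zone transfer 'example.com/AXFR/IN' denied
20-Jun-2026 10:01:05.456 xfer-out: info: client @0x7f3c0a1b2c00 198.51.100.7#44721 (example.com): transfer of 'example.com/IN': AXFR started (serial 2026062001)
20-Jun-2026 10:01:06.001 xfer-in: error: transfer of 'example.com/IN' from 192.0.2.1#53: failed while receiving responses: REFUSED
20-Jun-2026 10:01:09.002 general: info: zone example.com/IN: transferred serial 2026062001: TSIG 'transfer-key'
"""

# One pattern per event kind; the client "@0x..." handle is optional because not every
# BIND version prints it.
PATTERNS = {
    "denied": re.compile(
        r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
        r"zone transfer '[^']+' denied"),
    "axfr_out": re.compile(
        r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
        r"transfer of '[^']+': AXFR started"),
    "inbound_fail": re.compile(
        r"transfer of '(?P<zone>[^']+)' from (?P<ip>[0-9a-fA-F.:]+)#\d+: "
        r"failed while receiving responses: (?P<rcode>\w+)"),
    "transferred": re.compile(r"zone (?P<zone>\S+): transferred serial (?P<serial>\d+)"),
}


def parse_line(line):
    """Return an event dict for a recognised transfer log line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            event = {"kind": kind, **m.groupdict()}
            event["zone"] = re.sub(r"/IN$", "", event["zone"])   # normalise 'example.com/IN'
            return event
    return None


def analyze(lines, expected_slaves):
    """Summarise transfer activity; expected_slaves is the set of IPs allowed to pull zones."""
    report = {"denied": Counter(), "served_unexpected": [],
              "inbound_failures": [], "transferred": []}
    for event in filter(None, (parse_line(l) for l in lines)):
        if event["kind"] == "denied":
            report["denied"][event["ip"]] += 1              # repeated hits suggest probing
        elif event["kind"] == "axfr_out" and event["ip"] not in expected_slaves:
            report["served_unexpected"].append((event["zone"], event["ip"]))  # ACL drift
        elif event["kind"] == "inbound_fail":
            report["inbound_failures"].append((event["zone"], event["ip"], event["rcode"]))
        elif event["kind"] == "transferred":
            report["transferred"].append((event["zone"], int(event["serial"])))
    return report


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG.splitlines(), {"192.0.2.2", "192.0.2.3"})
    for key, value in summary.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The "served_unexpected" list is the one to alert on: a denied request means the ACL worked, but an AXFR that completed to an address outside the slave list means the ACL is wider than intended and the whole zone has already left the server.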


FAQ

Why does BIND zone transfer fail with "REFUSED"?

The master server is not configured to allow transfers to your IP. Add the slave IP to the allow-transfer list on the master, either in the global options or per-zone. Also check that the slave IP is not blocked by a firewall.

What is TSIG and why should I use it for zone transfers?

TSIG (Transaction Signatures) uses shared secret keys to authenticate DNS messages between servers. It prevents unauthorized zone transfers and ensures the data comes from a trusted source. Always use TSIG for production zone transfers.

How do I test a zone transfer from the command line?

Use dig @master-ip example.com AXFR for full transfer or dig @master-ip example.com IXFR=serial for incremental. If the transfer succeeds, you see all DNS records. A REFUSED response indicates the master is not allowing transfers.
