axfr2hosts is a tool that performs a DNS zone transfer (an AXFR transaction) of one or more zones against a single DNS server and converts the received A and CNAME records from the requested zones into a Unix hosts file for sysops use, for instance when the DNS server is otherwise unreachable or down.
By default, hosts entries are sorted with the IP address as the key, and under each entry the individual FQDNs are sorted alphabetically.
Ability to do AXFR, usually permitted with allow-transfer in BIND 9 or with allow-axfr-ips in PowerDNS.
There are two ways of installing axfr2hosts:
Download your preferred flavor from the releases page and install manually, typically to
Using go get
go get github.com/dkorunic/axfr2hosts
Usage: ./axfr2hosts [options] zone [zone2 [zone3 ...]] @server[:port]
  -cidr_list string
        Use only targets from CIDR whitelist (comma separated list)
  -greedy_cname
        Resolve out-of-zone CNAME targets (default true)
  -ignore_star
        Ignore wildcard records (default true)
  -strip_domain
        Strip domain name from FQDN hosts entries
  -strip_unstrip
        Keep both FQDN names and domain-stripped names
At minimum, a single zone and a single server are needed for any meaningful action.
A typical use case would be:
axfr2hosts dkorunic.net pkorunic.net @188.8.131.52
However, by default the tool follows CNAMEs even when they are out-of-zone, resolves each target to one or more IP addresses where possible, and lists all of them. That behaviour can be changed with
Also, by default the tool lists wildcard records (DNS labels containing *) as if they were ordinary labels; that can be changed with the -ignore_star=true flag, which simply skips over those records.
Filter results by CIDR
Finally, if there is a need to list only the subset of records matching one or more CIDR ranges, the -cidr_list flag can be used.
Many zones transfer
If there are a lot of zones that need to be fetched at once, the tool works well with xargs. Individual zone errors will be displayed and such zones will be skipped over:
xargs axfr2hosts @nameserver < list
Strip domain name
It is also possible to output a hosts file with domain names stripped by using the -strip_domain=true flag, or to keep both domain-stripped labels and FQDNs at the same time by using the -strip_unstrip=true flag. When transferring many domains at once, neither of these options makes much sense.
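As an added example (not axfr2hosts code), here is how the record-to-hosts conversion described at the top of this page, together with the CIDR filtering, wildcard skipping and domain stripping from the sections above, can be expressed in Go; Record, Options and ToHosts are assumed names, and the records are constructed in code rather than fetched over AXFR:

```go
package main

import (
	"net"
	"sort"
	"strings"
)

// Record and Options are constructed for this example (not axfr2hosts code); Options mirrors the page's flags.
type Record struct {
	Name string // owner name as an FQDN, e.g. "www.example.net."
	IP   net.IP // A record address, or the address an out-of-zone CNAME target resolved to
}
type Options struct {
	IgnoreStar, StripDomain, Unstrip bool         // -ignore_star, -strip_domain, -strip_unstrip
	CIDRs                            []*net.IPNet // -cidr_list whitelist; empty means no filtering
}

// ToHosts renders hosts-file lines: one per IP, IPs in numeric order, names under each IP sorted.
func ToHosts(zone string, recs []Record, opt Options) []string {
	suffix := "." + strings.TrimSuffix(zone, ".") + "."
	byIP := map[string][]string{} // keyed by the 16-byte IP form, so byte order is numeric order
	for _, r := range recs {
		keep := len(opt.CIDRs) == 0
		for _, n := range opt.CIDRs {
			keep = keep || n.Contains(r.IP)
		}
		if r.IP == nil || !keep || (opt.IgnoreStar && strings.Contains(r.Name, "*")) {
			continue // unresolved, outside the whitelist, or a wildcard label under -ignore_star
		}
		k, short := string(r.IP.To16()), strings.TrimSuffix(r.Name, suffix) // short is unchanged for out-of-zone names and the zone apex
		if !opt.StripDomain || opt.Unstrip || short == r.Name {
			byIP[k] = append(byIP[k], strings.TrimSuffix(r.Name, "."))
		}
		if opt.StripDomain && short != r.Name {
			byIP[k] = append(byIP[k], short)
		}
	}
	keys := make([]string, 0, len(byIP))
	for k := range byIP {
		keys = append(keys, k)
	}
	sort.Strings(keys) // 192.0.2.9 lands before 192.0.2.10, unlike a lexical sort of the dotted text
	var lines []string
	for _, k := range keys {
		sort.Strings(byIP[k])
		lines = append(lines, net.IP(k).String()+"\t"+strings.Join(byIP[k], " "))
	}
	return lines
}
```

With -strip_domain and -strip_unstrip both set, the zone apex keeps its FQDN only, since stripping it would leave an empty label.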
DNS error code responses
In case you are wondering what dns: bad xfr rcode: 9 means, here is a list of DNS response codes:

| Response Code | Return Message | Explanation |
|---|---|---|
| 3 | NXDOMAIN | Name does not exist |
| 8 | NXRRSET | RRset does not exist |
| 9 | NOTAUTH | Server not authoritative for zone |
| 10 | NOTZONE | Name not in zone |