Zone transfers in The Netherlands
There are many things told about zone transfers and why it is important to restrict the use of zone transfers. The DNS zone can contain sensitive information like DKIM keys or information about the internal infrastructure. And because of this I actually thought it was not so common anymore. A while ago I ran into a nameserver with an insecure zone transfer (AXFR) setting. Allowing zone transfers for the whole world will also allow the bad guys extract useful information from a zone that can be used to create a map of the network infrastructure.
AXFR can leak sensitive information
Many services are depending on DNS and it is getting more and more used for serving information. Sometime’s companies are putting some inside information in their DNS that others do not need to know. Maybe the information that is in the DNS looks innocent, but if you are a target for criminal hackers, or state sponsored hackers, the can get very much information from your nameserver. That is why we advice to disable AXFR for the whole world.