Description
You may find that you want to transfer control of a domain to another of your DNS Cluster members or another DNS server entirely. In order to do so, you would need to ensure that DNS Transfers are allowed and then ensure that the security for the domain is configured in a way that allows for this transfer to occur.
Procedure
First, ensure that the receiving servers are allowed to transfer domains from the originating server.
BIND:
On a BIND server, to enable zone transfers you need to add or modify the following configuration value in the file /etc/named.conf:
allow-transfer
This specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the allow-transfer statement set in options or view. If not specified, the default is to allow transfers to all hosts.
https://bind9.readthedocs.io/en/v9_16_6/reference.html?highlight=allow-transfer
As this excerpt from BIND's documentation states, BIND allows zone transfers by default. You can restrict transfers to a specific set of IPs by adding, or modifying, the following snippet in BIND's configuration file at /etc/named.conf:
options {
allow-transfer {1.2.3.4;};
};
Note: If the options { } section already exists in the configuration file, you only need to add the allow-transfer directive to the options section.
On a cPanel server, after making the above change, you will need to run the following two commands to rebuild BIND's configuration and restart it:
/scripts/rebuilddnsconfig
/scripts/restartsrv_named
PowerDNS:
For PowerDNS, the option that may need to be modified is:
disable-axfr=no
You may need to add this value to your configuration file at /etc/pdns/pdns.conf. By default, this value is set to "no", which means that zone transfers are allowed by default, as explained in PowerDNS's official documentation:
https://doc.powerdns.com/authoritative/settings.html
After adding the above value, you would also want to specify the servers allowed to request the zone. This can be done by adding or modifying the allow-axfr-ips directive. As an example:
allow-axfr-ips=1.2.3.4
You would then need to run the same two commands mentioned above to rebuild the configuration and restart the name server so that the changes take effect:
/scripts/rebuilddnsconfig
/scripts/restartsrv_named
After successfully modifying the DNS configurations, be sure to test the AXFR from the remote server.
To perform this test, run dig against the zone and request an AXFR. As an example:
dig AXFR domain.tld @yourserver
If this command returns the complete zone, zone transfers are working normally.
If you have DNSSEC enabled within your server, you may also need to disable nsec3 semantics to ensure the transfer is properly allowed and accepted. The following API command can be used to perform this for a single domain:
/usr/local/cpanel/bin/whmapi1 unset_nsec3_for_domains domain=domain.tld
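Because both BIND and PowerDNS allow transfers unless the configuration restricts them, it is worth auditing the effective allow-transfer / allow-axfr-ips policy per zone before and after the change. The following audit script is an added example, not part of this article or of cPanel, BIND or PowerDNS; the two configuration snippets it parses are constructed samples, and the 192.0.2.10 peer address is a placeholder.

```python
import re

# Constructed sample configs for the demo (not taken from a real server).
NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };   // global: every host may AXFR unless a zone overrides it
};
zone "example.test" {
    type master;
    file "example.test.db";
    allow-transfer { 192.0.2.10; };   // zone-level ACL overrides the options one
};
zone "open.test" { type master; file "open.test.db"; };
"""
PDNS_CONF = "launch=bind\n# disable-axfr defaults to no\ndisable-axfr=no\nallow-axfr-ips=192.0.2.10\n"

def _blocks(text, keyword):
    """Yield (label, body) for every `keyword ["label"] { ... }` statement, matching braces."""
    for m in re.finditer(r'\b%s\b\s*(?:"([^"]*)")?\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def _acl(body):
    """allow-transfer entries inside a block, or None when the directive is absent."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_bind(conf):
    """Map each zone to its effective allow-transfer policy (zone ACL, else options ACL)."""
    text = re.sub(r'(//|#)[^\n]*|/\*.*?\*/', '', conf, flags=re.S)   # drop comments
    global_acl = None
    for _, body in _blocks(text, 'options'):
        global_acl = _acl(body)
    result = {}
    for name, body in _blocks(text, 'zone'):
        acl = _acl(body)
        if acl is None:
            acl = global_acl
        if acl is None:
            result[name] = 'open (no allow-transfer set; BIND default allows all hosts)'
        elif 'any' in acl:
            result[name] = 'open (allow-transfer { any; })'
        elif not acl or acl == ['none']:
            result[name] = 'closed'
        else:
            result[name] = 'restricted to ' + ', '.join(acl)
    return result

def audit_pdns(conf):
    """Return whether AXFR is enabled (disable-axfr absent or 'no') and the allow-axfr-ips list."""
    kv = dict(l.split('=', 1) for l in conf.splitlines() if '=' in l and not l.lstrip().startswith('#'))
    enabled = kv.get('disable-axfr', 'no').strip().lower() != 'yes'
    ips = [ip.strip() for ip in kv.get('allow-axfr-ips', '').split(',') if ip.strip()]
    return {'axfr_enabled': enabled, 'allowed_ips': ips}
```

Run audit_bind on the real /etc/named.conf (or audit_pdns on /etc/pdns/pdns.conf) and confirm every zone reports "restricted to" only the intended cluster members before relying on the dig AXFR test above.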