AXFR queries fail to return data despite successful dig transfer

[bycszzz]

1. Issue Title:

AXFR queries return no results for a subdomain that is otherwise queryable via dig.

Dnsx version:

1.2.2

Current Behavior:

When trying to perform an AXFR query using dnsx for a specific subdomain (inlanefreight.htb) targeting a specific nameserver (10.129.42.195), dnsx returns no records, even when using the -debug flag. The output simply displays the dnsx banner and version information without any queried records or error messages indicating an AXFR failure.

Expected Behavior:

An AXFR query should return the zone transfer records from the nameserver, similar to what dig axfr inlanefreight.htb @10.129.42.195 successfully provides. The expected behavior is for dnsx to list the records obtained from the zone transfer.

Steps To Reproduce:

1. Ensure the target DNS server at 10.129.42.195 allows AXFR for the zone inlanefreight.htb.
2. Run the following command:

   echo 'inlanefreight.htb' | dnsx -axfr -debug -r 10.129.42.195

3. Observe the output. No records are returned, only the dnsx banner and version.

Additional Information:

I have confirmed that the target DNS server (10.129.42.195) does support AXFR for inlanefreight.htb. The following dig command successfully retrieves the zone transfer:

dig axfr inlanefreight.htb @10.129.42.195

The output of the dig command shows the following (relevant parts):

inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      TXT     "MS=ms97310371"
inlanefreight.htb.      604800  IN      TXT     "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb.      604800  IN      TXT     "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN      A       10.129.18.15
dev.inlanefreight.htb.  604800  IN      A       10.12.0.1
internal.inlanefreight.htb. 604800 IN   A       10.129.1.6
mail1.inlanefreight.htb. 604800 IN      A       10.129.18.201
ns.inlanefreight.htb.   604800  IN      A       127.0.0.1
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 342 msec
;; SERVER: 10.129.42.195#53(10.129.42.195) (TCP)
;; WHEN: Sun Aug 31 13:56:30 CST 2025
;; XFR size: 11 records (messages 1, bytes 560)

This suggests that the issue lies specifically with how dnsx handles AXFR queries or possibly the protocol negotiation for AXFR when using its internal library compared to dig.

[dogancanbakir]

Couldn't repro,

$ dig axfr inlanefreight.htb @10.129.42.195
;; Connection to 10.129.42.195#53(10.129.42.195) for inlanefreight.htb failed: timed out.
;; Connection to 10.129.42.195#53(10.129.42.195) for inlanefreight.htb failed: timed out.

; <<>> DiG 9.10.6 <<>> axfr inlanefreight.htb @10.129.42.195
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 10.129.42.195#53(10.129.42.195) for inlanefreight.htb failed: timed out.

Could you retake a look at it?

[bycszzz]

I am currently utilizing an internal machine on Hack The Box, as I do not have a suitable public-facing test environment available. I will proceed with testing at a later time. Thank you.

[bycszzz]

I found an available public DNS server for axfr testing. How should I use dnsx to perform an axfr attempt?