I'm trying to get data (AXFR query) from the master tinydns server to a secondary DNS server using tcpclient as follows:
tcpclient -v a.ns.example.com 53 axfr-get example.com example.com example.com.tmp

But I'm getting an error which reads as follows:

>axfr-get: fatal: unable to parse AXFR results: protocol error

How do I fix this problem?

Try the following to get rid of this problem:

Make Sure axfrdns Is Configured and Running

axfrdns is the DNS zone-transfer server supplied with djbdns. It reads a zone-transfer request in DNS-over-TCP format from its standard input and responds with locally configured information. Use the netstat command or the sockstat command to confirm that something is actually listening on port 53:
# netstat -tulpn | grep :53
# sockstat -4 -p 53

Make Sure TCP Port 53 Is Open For Business

Make sure the firewall is not blocking TCP port 53 (UDP alone is not enough; zone transfers run over TCP). Use the iptables command to list the current firewall rules:
# iptables -L -n
# iptables -L -n | less
# iptables -L -n | grep 53

PF firewall rules can be listed using the following command:
# pfctl -sr
# pfctl -sr | grep "port = domain"

How Do I Open TCP Port # 53 under Linux Iptables Firewall?

Update your firewall script as follows (assuming that is the tinydns / axfrdns server address):

$IPT -A INPUT -i eth0 -s 0/0 -d -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -s 0/0 -d -p tcp --dport 53 -j ACCEPT

How Do I Open TCP Port # 53 under *BSD PF Firewall?

Update your /etc/pf.conf as follows (assuming that is the tinydns / axfrdns server address):

pass in on $ext_if inet proto udp from any to port domain
pass in on $ext_if inet proto tcp from any to  port domain flags S/SA synproxy state

Make Sure TCPRULES are Set Correctly For axfrdns

The tcp file defines the tcprules for AXFR. The following allows AXFR only to ns2.example.com and not to the rest of the world (the tcp file is located in the /etc/axfrdns or /var/axfrdns directory):


Save and close the file. Run make to compile the rules into the tcp.cdb file that tcpserver reads:
# make
Only ns2.example.com is allowed to transfer the zone; others can only connect to TCP port 53.

Troubleshooting Tip: Dig and tcpclient Command

Try tcpclient command as follows:
$ tcpclient -v ns1.example.com 53 axfr-get example.com fn fn.tmp
Try passing the client IP to ns1.example.com (this is required if the secondary has multiple IP addresses, so that the source address matches the one allowed in the tcp rules):
$ tcpclient -i ns2.example.com -v ns1.example.com 53 axfr-get oxdba.net fn fn.tmp
Try dig command as follows:
$ dig @ns1.example.com example.com A +tcp
$ dig @ns1.example.com example.com AXFR +tcp
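As an added diagnostic (not from the original post and not part of djbdns), the script below sends the same AXFR-over-TCP query that tcpclient/axfr-get sends and reports what in the first reply message would make the transfer unparseable: a connection closed without a reply, a truncated TCP frame, a non-zero rcode such as REFUSED, or an answer that does not begin with the zone's SOA record. Server and zone names passed to probe() are placeholders you supply; the parsing functions can also be run offline on a captured frame.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, terminated by a zero byte)."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_axfr_query(zone, qid=0x1234):
    """TCP AXFR query: 2-byte length prefix, header, one question (QTYPE 252 = AXFR, class IN)."""
    msg = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", 252, 1)
    return struct.pack(">H", len(msg)) + msg

def skip_name(msg, off):
    """Offset just past the name at off; a compression pointer (top two bits set) ends a name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def diagnose_axfr_reply(frame):
    """Explain, for one length-prefixed TCP DNS message, why a zone-transfer client would reject it."""
    if len(frame) < 2:
        return "no length prefix: server closed the connection without answering"
    (length,) = struct.unpack(">H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) != length or length < 12:
        return "truncated TCP frame (got %d of %d bytes)" % (len(msg), length)
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x0F:
        return "server answered rcode " + RCODES.get(flags & 0x0F, str(flags & 0x0F))
    if an == 0:
        return "no answer records: server accepted the query but sent no zone data"
    off = 12
    for _ in range(qd):                       # step over the echoed question section
        off = skip_name(msg, off) + 4         # +4: QTYPE and QCLASS
    off = skip_name(msg, off)                 # owner name of the first answer record
    (rtype,) = struct.unpack(">H", msg[off:off + 2])
    if rtype != 6:
        return "first answer is type %d, but a zone transfer must start with SOA (6)" % rtype
    return "ok: transfer starts with SOA"

def probe(server, zone, port=53):
    """Send the AXFR query over TCP, as tcpclient/axfr-get does, and diagnose the first reply."""
    with socket.create_connection((server, port), timeout=10) as s, s.makefile("rb") as f:
        s.sendall(build_axfr_query(zone))
        hdr = f.read(2)                          # 2-byte length prefix; a short read = peer closed
        return diagnose_axfr_reply(hdr + f.read(struct.unpack(">H", hdr)[0] if len(hdr) == 2 else 0))
```

Call probe("ns1.example.com", "example.com") from the secondary; if it reports a REFUSED rcode, check the tcp rules, and if it reports the connection closing without a reply, check that tcpserver/axfrdns is running and the firewall passes TCP 53.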
