I'm trying to get data (AXFR query) from the master tinydns server to a secondary DNS server using tcpclient as follows:
tcpclient -v a.ns.example.com 53 axfr-get example.com example.com example.com.tmp

But I'm getting an error which reads as follows:

axfr-get: fatal: unable to parse AXFR results: protocol error

How do I fix this problem?

Try the following to get rid of this problem:

Make Sure axfrdns Is Configured and Running

axfrdns is a DNS zone-transfer server supplied with djbdns. It reads a zone-transfer request in DNS-over-TCP format from its standard input and responds with locally configured information. Use the netstat command (Linux) or the sockstat command (FreeBSD) to verify that something is actually listening on port 53:
# netstat -tulpn | grep :53
# sockstat -4 -p 53

Make Sure TCP port 53 is Open For Business

Make sure the firewall is not blocking TCP port 53. Use the iptables command to list the current firewall rules:
# iptables -L -n
# iptables -L -n | less
# iptables -L -n | grep 53

PF firewall rules can be listed using the following commands:
# pfctl -sr
# pfctl -sr | grep "port = domain"

How Do I Open TCP Port # 53 under Linux Iptables Firewall?

Update your firewall script as follows (assuming that is the tinydns / axfrdns server address):

$IPT -A INPUT -i eth0 -s 0/0 -d -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -s 0/0 -d -p tcp --dport 53 -j ACCEPT

How Do I Open TCP Port # 53 under *BSD PF Firewall?

Update your /etc/pf.conf as follows (assuming that is the tinydns / axfrdns server address):

pass in on $ext_if inet proto udp from any to port domain
pass in on $ext_if inet proto tcp from any to  port domain flags S/SA synproxy state

Make Sure TCPRULES are Set Correctly For axfrdns

The tcp file defines the access rules for AXFR. The following allows zone transfers only to ns2.example.com and not to the rest of the world (the tcp file is located in the /etc/axfrdns or /var/axfrdns directory):


Save and close the file. Run make to compile the updated rules into tcp.cdb:
# make
Only ns2.example.com is allowed to transfer the zone; others can only connect to TCP port 53.
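As an added example (not part of the original post), here is a small Python audit of an axfrdns tcp rules file that checks the intent just described: only the secondary's address may transfer, a catch-all deny exists, and the AXFR= variable limits the transferable zones. The addresses and zone names in it are constructed placeholders, and it handles the plain IP-prefix form of tcprules entries only, not =host entries.

```python
"""Audit an axfrdns tcprules file for over-permissive zone transfers."""
import re

# One tcprules entry: <address prefix>:<allow|deny>[,VAR="value"...]
# An empty prefix is the default rule that matches every client.
_RULE = re.compile(r'^(?P<prefix>[^:]*):(?P<verb>allow|deny)(?P<env>(?:,[A-Z_]+="[^"]*")*)$')
_ENV = re.compile(r',([A-Z_]+)="([^"]*)"')


def parse_rules(text):
    """Return [(prefix, verb, env_dict)] for every non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparseable tcprules line: {raw!r}")
        rules.append((m['prefix'], m['verb'], dict(_ENV.findall(m['env']))))
    return rules


def audit(text, secondaries, zones):
    """Return findings; empty means only the listed secondaries may
    transfer exactly the listed zones."""
    findings = []
    rules = parse_rules(text)
    # tcpserver allows a connection when no rule matches, so the trailing
    # ':deny' catch-all is what actually locks out unknown clients.
    if not any(p == '' and v == 'deny' for p, v, _ in rules):
        findings.append("missing ':deny' default rule; unlisted clients are allowed")
    for prefix, verb, env in rules:
        if verb != 'allow':
            continue
        who = prefix or '<default>'
        if prefix == '':
            findings.append("default rule is 'allow'; any client may request AXFR")
        elif prefix not in secondaries:
            findings.append(f"allow rule for {who} is not a known secondary")
        if 'AXFR' not in env:
            findings.append(f"allow rule for {who} sets no AXFR=; every zone is transferable")
        else:
            extra = set(env['AXFR'].split('/')) - set(zones)
            if extra:
                findings.append(f"allow rule for {who} exposes unexpected zones: {sorted(extra)}")
    return findings


# Constructed sample rules: the intended configuration and an open one.
GOOD_RULES = '203.0.113.10:allow,AXFR="example.com"\n:deny\n'
BAD_RULES = ':allow\n'
```

Run `audit(GOOD_RULES, {'203.0.113.10'}, ['example.com'])` to get an empty list, while `BAD_RULES` reports the missing deny, the open default and the unrestricted AXFR.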

Troubleshooting Tip: Dig and tcpclient Command

Try the tcpclient command as follows:
$ tcpclient -v ns1.example.com 53 axfr-get example.com fn fn.tmp
Try passing the client IP address with -i so that the connection to ns1.example.com comes from the address listed in the tcp rules (this is required if you have multiple IP addresses):
$ tcpclient -i ns2.example.com -v ns1.example.com 53 axfr-get oxdba.net fn fn.tmp
Try the dig command as follows:
$ dig @ns1.example.com example.com A +tcp
$ dig @ns1.example.com example.com AXFR +tcp
