Zone transfer

DNS zone transfers let domain name administrators replicate their DNS databases across their organization's DNS servers. The problem is that a transfer can reveal a great deal of information about an organization's infrastructure, so DNS servers are typically configured not to allow zone transfers. To attempt a zone transfer using dnsrecon, use the -a flag (AXFR) or the -t flag with type axfr; axfr is the query type that denotes a DNS zone transfer. The command to run a zone transfer looks like the following:

dnsrecon -d google.com -a

As you can see, in our example the zone transfers fail, but it never hurts to try. Every now and then, you may come across a DNS server that has not been configured correctly to prevent this.
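
The server-side half of the same check, as an added example that is not from the book: a short Python audit that reads a BIND-style named.conf and reports each zone's allow-transfer setting. BIND syntax is an assumption (the text names no particular DNS server), and the sample configuration, zone names and ACL name are constructed.

```python
import re

# Constructed sample named.conf (BIND-style syntax assumed; not from the book).
SAMPLE_CONF = """
acl secondaries { 192.0.2.53; 198.51.100.53; };
zone "example.com" { type primary; allow-transfer { any; }; };
zone "example.net" { type primary; allow-transfer { secondaries; }; };
zone "example.org" { type primary; file "example.org.zone"; };
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def block_after(text, start):
    """Return the body of the brace block that opens just before index start."""
    depth, i = 1, start
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

def audit_transfers(conf):
    """Map each zone name to 'open', 'restricted', 'denied' or 'unset'."""
    conf = re.sub(r'(#|//)[^\n]*', '', conf)  # strip line comments only
    result = {}
    for m in ZONE_RE.finditer(conf):
        body = block_after(conf, m.end())
        x = XFER_RE.search(body)
        if not x:
            result[m.group(1)] = "unset"  # inherits options-level or default
            continue
        entries = [e.strip() for e in x.group(1).split(";") if e.strip()]
        if "any" in entries:
            verdict = "open"          # AXFR answered for any client
        elif not entries or entries == ["none"]:
            verdict = "denied"
        else:
            verdict = "restricted"    # named hosts, ACLs or keys only
        result[m.group(1)] = verdict
    return result

if __name__ == "__main__":
    for zone, verdict in audit_transfers(SAMPLE_CONF).items():
        print(f"{zone:15} {verdict}")
```

Zones reported as unset inherit whatever the options block or the server's built-in default specifies, so check those explicitly.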
