Simeon

AXFR is not a valid query type for udp packets.

I have the following in my protocols.cfg:

# Zone transfer TCP/53 check
[axfr]
# Zone transfer test
#
# If you adjust the zone name "xymon-test", you must also
# adjust the preceeding two bytes (\0x00\0x0a=10 decimal) to
# match the length of the zone and also adjust the 2nd byte
# (0x1c=28 decimal) to be the zone name length
# plus 18 (or the size of the whole send string minus 2).
#
# The third and fourth bytes (both 0xff) are simply the DNS query
# ID, and will be the same in the response.
#
# We expect a response exactly the same but with "0x80 0x89" just
after
# the ID for a "NOTAUTH" (RCODE=9) response.
#
# The zone to be queried must be such that it fails (either
# a forward zone or a non-existent zone, giving NOTAUTH to dig),
# otherwise the response length will be different and we won't be
# able to match it in our expect string.
#
# If you want to query a valid domain, don't use send/expect at all.
# because the first two bytes in the response can't be reliably
# predicted.

port 53
send
"\x00\x1c\xff\xff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0axymon-test\x00\x00\xfc\x00\x01"
expect
"\x00\x1c\xff\xff\x80\x89\x00\x01\x00\x00\x00\x00\x00\x00\x0axymon-test\x00\x00\xfc\x00\x01"

# Zone transfer TCP/53 check
[axfr2]
# like axfr, but with RCODE=5 instead of 9
port 53
send
"\x00\x1c\xff\xff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0axymon-test\x00\x00\xfc\x00\x01"
expect
"\x00\x1c\xff\xff\x80\x85\x00\x01\x00\x00\x00\x00\x00\x00\x0axymon-test\x00\x00\xfc\x00\x01"

Then just add axfr or axfr2 (depending on what the server responds with) to
hosts.cfg. RCODE 5 means "refused", RCODE 9 means "not authoritative".
Servers that restrict AXFR will return 5.

I know it's not exactly what you're looking for but it might be a place to
start.

J