DNS zone transfers, if not restricted, can lead to what risk?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

DNS zone transfers, if not restricted, can lead to what risk?

Explanation:
Unrestricted DNS zone transfers reveal the entire set of DNS records in a zone. A zone transfer copies the DNS data from a primary server to secondary servers to keep them in sync. When this process isn’t restricted, an attacker can request a transfer and receive the complete list of hostnames, IP addresses, and other records in that zone. That means internal hosts, subdomains, and the underlying network layout become visible, which is valuable reconnaissance for future attacks, phishing, or targeted exploitation.

This isn’t primarily about causing a denial of service; while transferring large zones could impact availability, the core risk described here is the exposure (exfiltration) of DNS information. DNS cache poisoning and IP spoofing involve different attack vectors—zone transfers don’t directly cause those issues, so they’re not the primary risk in this context.
