Hi Andy,

The bind logs are from hostname rambutan/rambutan4. I did not specify the IP address for bind9 as it is set to listen to any. 

If I set it to listen on a specific address, bind9 would fail to listen. Example:

13-Apr-2023 23:00:07.711 network: info: no longer listening on 2001:ba8:1f1:f0b5::2#53
13-Apr-2023 23:00:07.711 network: info: no longer listening on fe80::216:5eff:fe00:5f5%2#53
13-Apr-2023 23:03:41.664 network: info: no longer listening on 127.0.0.1#53
13-Apr-2023 23:03:41.664 network: info: no longer listening on 85.119.83.49#53
13-Apr-2023 23:03:41.664 network: info: no longer listening on 85.119.82.135#53
13-Apr-2023 23:03:41.664 network: info

Anyhow, the defaults for ufw were to deny incoming and deny outgoing. Below is the iptables -L output.

Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination

Chain ufw-logging-deny (2 references)
target     prot opt source               destination

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
           tcp  --  anywhere             rambutan.zystro.xyz  tcp dpt:22 ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit  tcp  --  anywhere             rambutan.zystro.xyz  tcp dpt:22 ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit-accept  tcp  --  anywhere             rambutan.zystro.xyz  tcp dpt:22
           tcp  --  anywhere             rambutan.zystro.xyz  tcp dpt:ssh ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit  tcp  --  anywhere             rambutan.zystro.xyz  tcp dpt:ssh ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit-accept  tcp  --  anywhere             rambutan.zystro.xyz  tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

Chain ufw-user-limit (2 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-user-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             rambutan.zystro.xyz  tcp dpt:22
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain



Regards,
-badli

From: Andy Smith via BitFolk Users <users@mailman.bitfolk.com>
Sent: Sunday, April 23, 2023 11:03:20 PM
To: users@mailman.bitfolk.com <users@mailman.bitfolk.com>
Cc: Andy Smith <andy@bitfolk.com>
Subject: [bitfolk] Re: question on bind9 listening.
 
Hi Badli,

On Sun, Apr 23, 2023 at 02:30:36AM +0000, Badli Al Rashid via BitFolk Users wrote:
> For powerdns axfr transfer to bind secondary yes. When the firewall was not open the logs shows the below. 0 bytes as I recall.
>
> 19-Apr-2023 07:44:41.419 xfer-in: info: 0x7f9a84a8dc00: transfer of 'testingforonedomain.com/IN' from 2400:8901::f03c:93ff:fe63:5988#53: Transfer completed: 0 messages, 0 records, 0 bytes, 23.208 secs

This isn't the full log. This is just the log line saying that the
transfer is over. Yes it did fail otherwise it would be more than 0
records. But the reason for its failure is in another log line or
lines.

DNS zone transfers are always pull-based, i.e. they are initiated by
the secondary server. The other lines will also be saying which IP
address your BIND server chose as its source address for the
transfer. That might not be the address you think it should be, if
your BIND host has multiple IP addresses.

> For opening port 53 incoming and outgoing on all the interface, no. When it is open and not set to a specific IP address the AXFR is completed
>
> 9-Apr-2023 07:44:41.727 xfer-in: info: zone testingforonedomain.com/IN: Transfer started.
> 19-Apr-2023 07:44:41.967 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2400:8901::f03c:93ff:fe63:5988#53: connected using 2400:8901::f03c:93ff:fe63:5988#53
> 19-Apr-2023 07:44:42.447 xfer-in: info: zone testingforonedomain.com/IN: transferred serial 2023041905
> 19-Apr-2023 07:44:42.447 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2400:8901::f03c:93ff:fe63:5988#53: Transfer status: success
> 19-Apr-2023 07:44:42.447 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2400:8901::f03c:93ff:fe63:5988#53: Transfer completed: 3 messages, 14 records, 512 bytes, 0.480 secs (1066 bytes/sec) (serial 2023041905)

Okay so these are logs from your BIND server (on what IP address?)
that successfully did a transfer in from your PowerDNS server at
2400:8901::f03c:93ff:fe63:5988 for the zone
testingforonedomain.com.

> For firewall it is ufw. Ssh rule omit

I am not familiar with ufw myself so I'm on shaky ground here and
might need to ask to see the actual iptables rules, but…

>
> To                         Action      From
> --                         ------      ----
> 53/udp                     ALLOW       Anywhere
> 53/tcp                     ALLOW       Anywhere
> 53/udp (v6)                ALLOW       Anywhere (v6)
> 53/tcp (v6)                ALLOW       Anywhere (v6)
>
> 123/udp                    ALLOW OUT   Anywhere
> 80/tcp                     ALLOW OUT   Anywhere
> 443/tcp                    ALLOW OUT   Anywhere
> 53/tcp                     ALLOW OUT   Anywhere
> 53/udp                     ALLOW OUT   Anywhere
> 123/udp (v6)               ALLOW OUT   Anywhere (v6)
> 80/tcp (v6)                ALLOW OUT   Anywhere (v6)
> 443/tcp (v6)               ALLOW OUT   Anywhere (v6)
> 53/tcp (v6)                ALLOW OUT   Anywhere (v6)
> 53/udp (v6)                ALLOW OUT   Anywhere (v6)

…it looks like you're being strict about what traffic can go OUT as
well as what can come IN.

Is the above rule set what you have when you are trying to restrict
things or is it what you consider to be "open"? I see you have rules
allowing anything to come IN to port 53 UDP and TCP so is this the
"open" configuration you are referring to?

If this is the "open" configuration, tell us what exact rules you
are adding to tighten it up.

I don't know if ufw adds the rules that try to do connection
tracking to link together established and related flows. Even if it
does, I don't know if that will be enough to capture all the DNS
traffic. Your BIND server is going to source UDP flows from random
ports, not just port 53.

You need to get your dropped packets to be logged and follow the
logs to see what is happening when a zone transfer fails to work.

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
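Andy's closing advice is to log the dropped packets and read them. The script below is an added example from the editor, not code from anyone in this thread or from ufw/BIND. It assumes ufw logging has been switched on (`ufw logging on`), so that blocked packets reach the kernel log with the `[UFW BLOCK]` prefix followed by the usual netfilter `IN=`/`OUT=`/`SRC=`/`DST=`/`PROTO=`/`SPT=`/`DPT=` fields. The five log lines, the hostname `rambutan` and the addresses in them are constructed for the example. It groups the dropped DNS packets per flow and attaches a hint, so the case Andy describes (a reply coming back to an ephemeral port that BIND chose, which no "allow in to port 53" rule can ever match) stands out from an ordinary missing allow rule.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines in the shape ufw's LOG rules emit
# ("[UFW BLOCK]" prefix followed by the netfilter IN=/OUT=/SRC=/DST=/PROTO=/
# SPT=/DPT= fields). Hostname, addresses and timestamps are made up.
SAMPLE_LOG = """\
Apr 23 23:10:01 rambutan kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=72 PROTO=UDP SPT=53 DPT=41873 LEN=52
Apr 23 23:10:02 rambutan kernel: [UFW BLOCK] IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=52011 DPT=53 WINDOW=64240 SYN
Apr 23 23:10:03 rambutan kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Apr 23 23:10:04 rambutan kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=72 PROTO=UDP SPT=53 DPT=41873 LEN=52
Apr 23 23:10:05 rambutan sshd[1234]: Accepted publickey for badli from 198.51.100.1 port 50022
"""

UFW_BLOCK = "[UFW BLOCK]"
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
EPHEMERAL_START = 1024


def parse_ufw_block(line):
    """Return the KEY=value fields of a '[UFW BLOCK]' line as a dict, or None.

    Flag-only tokens such as SYN carry no '=' and are skipped. UDP lines
    carry LEN= twice (IP length, then UDP length); the second overwrites
    the first, which does not matter for this use.
    """
    if UFW_BLOCK not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(UFW_BLOCK, 1)[1]))
    # A non-empty IN= interface means the packet arrived from outside;
    # a non-empty OUT= means this host itself was sending it.
    fields["direction"] = "in" if fields.get("IN") else "out"
    return fields


def is_dns(fields):
    """DNS is involved if either end of a UDP or TCP packet is port 53."""
    return fields.get("PROTO") in ("UDP", "TCP") and "53" in (
        fields.get("SPT"), fields.get("DPT"))


def summarize_dns_drops(log_text):
    """Count dropped DNS packets per flow.

    Key: (direction, proto, src, dst, spt, dpt). Reading the keys tells you
    which flow the firewall is killing rather than just "port 53 blocked".
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if f is not None and is_dns(f):
            counts[(f["direction"], f["PROTO"], f["SRC"], f["DST"],
                    f["SPT"], f["DPT"])] += 1
    return counts


def explain(flow):
    """Plain-language hint for one flow key returned by summarize_dns_drops."""
    direction, proto, _src, _dst, spt, dpt = flow
    if direction == "in" and spt == "53" and int(dpt) >= EPHEMERAL_START:
        return ("reply to a query this host sent from an ephemeral port; an "
                "inbound allow for dpt 53 never matches it, only "
                "RELATED,ESTABLISHED conntrack does")
    if direction == "out" and dpt == "53":
        return f"outbound {proto} query/transfer to port 53 needs an OUT allow"
    if direction == "in" and dpt == "53":
        return f"inbound {proto} query/NOTIFY to this server needs an IN allow"
    return "unclassified DNS drop"


if __name__ == "__main__":
    # Typical use: journalctl -k | python3 this_script.py, after replacing
    # SAMPLE_LOG with sys.stdin.read().
    for flow, n in summarize_dns_drops(SAMPLE_LOG).most_common():
        print(n, flow, "->", explain(flow))
```

On the sample input the script reports two dropped replies from port 53 back to port 41873 (the conntrack case) and one dropped outbound TCP connection to port 53 (the AXFR case); the port 22 line and the sshd line are ignored. Run against real `journalctl -k` output, the per-flow keys show which source address BIND actually picked, which is the other thing Andy asks about.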