Hi Badli,
On Sun, Apr 23, 2023 at 02:30:36AM +0000, Badli Al Rashid via BitFolk Users wrote:
For powerdns axfr transfer to bind secondary yes. When
the firewall was not open the logs show the below. 0 bytes as I recall.
19-Apr-2023 07:44:41.419 xfer-in: info: 0x7f9a84a8dc00: transfer of 'testingforonedomain.com/IN' from 2400:8901::f03c:93ff:fe63:5988#53: Transfer completed: 0 messages, 0 records, 0 bytes, 23.208 secs
This isn't the full log. This is just the log line saying that the
transfer is over. Yes it did fail otherwise it would be more than 0
records. But the reason for its failure is in another log line or
lines.
DNS zone transfers are always pull-based, i.e. they are initiated by
the secondary server. The other lines will also be saying which IP
address your BIND server chose as its source address for the
transfer. That might not be the address you think it should be, if
your BIND host has multiple IP addresses.
For opening port 53 incoming and outgoing on all the
interfaces, no. When it is open and not set to a specific IP address the AXFR is completed:
19-Apr-2023 07:44:41.727 xfer-in: info: zone testingforonedomain.com/IN: Transfer started.
19-Apr-2023 07:44:41.967 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2400:8901::f03c:93ff:fe63:5988#53: connected using 2400:8901::f03c:93ff:fe63:5988#53
19-Apr-2023 07:44:42.447 xfer-in: info: zone testingforonedomain.com/IN: transferred serial 2023041905
19-Apr-2023 07:44:42.447 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2400:8901::f03c:93ff:fe63:5988#53: Transfer status: success
19-Apr-2023 07:44:42.447 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2400:8901::f03c:93ff:fe63:5988#53: Transfer completed: 3 messages, 14 records, 512 bytes, 0.480 secs (1066 bytes/sec) (serial 2023041905)
Okay so these are logs from your BIND server (on what IP address?)
that successfully did a transfer in from your PowerDNS server at
2400:8901::f03c:93ff:fe63:5988 for the zone
testingforonedomain.com.
For firewall it is ufw. SSH rule omitted.
I am not familiar with ufw myself so I'm on shaky ground here and
might need to ask to see the actual iptables rules, but…
To                         Action      From
--                         ------      ----
53/udp                     ALLOW       Anywhere
53/tcp                     ALLOW       Anywhere
53/udp (v6)                ALLOW       Anywhere (v6)
53/tcp (v6)                ALLOW       Anywhere (v6)
123/udp                    ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
53/tcp                     ALLOW OUT   Anywhere
53/udp                     ALLOW OUT   Anywhere
123/udp (v6)               ALLOW OUT   Anywhere (v6)
80/tcp (v6)                ALLOW OUT   Anywhere (v6)
443/tcp (v6)               ALLOW OUT   Anywhere (v6)
53/tcp (v6)                ALLOW OUT   Anywhere (v6)
53/udp (v6)                ALLOW OUT   Anywhere (v6)
…it looks like you're being strict about what traffic can go OUT as
well as what can come IN.
Is the above rule set what you have when you are trying to restrict
things or is it what you consider to be "open"? I see you have rules
allowing anything to come IN to port 53 UDP and TCP so is this the
"open" configuration you are referring to?
If this is the "open" configuration, tell us what exact rules you
are adding to tighten it up.
I don't know if ufw adds the rules that try to do connection
tracking to link together established and related flows. Even if it
does, I don't know if that will be enough to capture all the DNS
traffic. Your BIND server is going to source UDP flows from random
ports, not just port 53.
You need to get your dropped packets to be logged and follow the
logs to see what is happening when a zone transfer fails to work.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
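Added example, not part of the thread above and not BitFolk's, PowerDNS's or ISC's code: a small parser that groups BIND 9 xfer-in log lines by transfer handle and applies the reasoning in the reply, that the "Transfer completed" line alone only tells you a transfer returned 0 records, the "Transfer status" line carries the reason, and the "connected using" line tells you which source address the secondary bound (useful on a multi-homed host). The log lines inside it are constructed in the shape of the ones quoted above, with 2001:db8::53 and 2001:db8::2 standing in for the primary and for the secondary's source address, and a "Transfer status: timed out" line standing in for the reason line the failing run would have produced; that line, and the assumption that a transfer with no "connected using" line never got its TCP connection up, are both assumptions, not something the thread shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the BIND 9 xfer-in lines quoted in the thread.
# Addresses are constructed (documentation prefix): 2001:db8::53 stands in for the
# PowerDNS primary, 2001:db8::2 for the source address the BIND secondary bound.
# The "Transfer status: timed out" line is a constructed stand-in for the reason
# line of the failing run, which was not quoted in the thread.
SAMPLE_LOG = """\
19-Apr-2023 07:44:18.211 xfer-in: info: zone testingforonedomain.com/IN: Transfer started.
19-Apr-2023 07:44:41.419 xfer-in: info: 0x7f9a84a8dc00: transfer of 'testingforonedomain.com/IN' from 2001:db8::53#53: Transfer status: timed out
19-Apr-2023 07:44:41.419 xfer-in: info: 0x7f9a84a8dc00: transfer of 'testingforonedomain.com/IN' from 2001:db8::53#53: Transfer completed: 0 messages, 0 records, 0 bytes, 23.208 secs
19-Apr-2023 07:44:41.727 xfer-in: info: zone testingforonedomain.com/IN: Transfer started.
19-Apr-2023 07:44:41.967 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2001:db8::53#53: connected using 2001:db8::2#43521
19-Apr-2023 07:44:42.447 xfer-in: info: zone testingforonedomain.com/IN: transferred serial 2023041905
19-Apr-2023 07:44:42.447 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2001:db8::53#53: Transfer status: success
19-Apr-2023 07:44:42.447 xfer-in: info: 0x7f5d90e31000: transfer of 'testingforonedomain.com/IN' from 2001:db8::53#53: Transfer completed: 3 messages, 14 records, 512 bytes, 0.480 secs (1066 bytes/sec) (serial 2023041905)
"""

PREFIX_RE = re.compile(r"^\S+ \S+ xfer-in: \w+: (?P<rest>.*)$")
HANDLE_RE = re.compile(r"^(?P<handle>0x[0-9a-f]+): transfer of '(?P<zone>[^']+)' "
                       r"from (?P<primary>\S+): (?P<msg>.*)$")
CONNECTED_RE = re.compile(r"^connected using (?P<local>\S+)$")
STATUS_RE = re.compile(r"^Transfer status: (?P<status>.+)$")
COMPLETED_RE = re.compile(r"^Transfer completed: (?P<msgs>\d+) messages, (?P<recs>\d+) records, "
                          r"(?P<nbytes>\d+) bytes, (?P<secs>[\d.]+) secs")
SERIAL_RE = re.compile(r"^zone (?P<zone>\S+): transferred serial (?P<serial>\d+)$")


@dataclass
class Transfer:
    handle: str                   # per-transfer object address BIND prints (0x...)
    zone: str
    primary: str                  # address#port the secondary pulled from
    local: Optional[str] = None   # source address#port BIND bound ("connected using")
    status: Optional[str] = None  # text after "Transfer status:"
    records: Optional[int] = None
    nbytes: Optional[int] = None
    secs: Optional[float] = None
    serial: Optional[str] = None


def parse_xfer_log(text: str) -> List[Transfer]:
    """Group xfer-in lines into one Transfer per BIND transfer handle, in log order."""
    transfers: Dict[str, Transfer] = {}
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        s = SERIAL_RE.match(rest)
        if s:
            # "transferred serial" carries no handle: attach it to the newest open transfer of that zone.
            for t in reversed(list(transfers.values())):
                if t.zone == s.group("zone") and t.serial is None:
                    t.serial = s.group("serial")
                    break
            continue
        h = HANDLE_RE.match(rest)
        if not h:
            continue  # "Transfer started." and anything else without a handle
        t = transfers.setdefault(h.group("handle"),
                                 Transfer(h.group("handle"), h.group("zone"), h.group("primary")))
        msg = h.group("msg")
        if c := CONNECTED_RE.match(msg):
            t.local = c.group("local")
        elif st := STATUS_RE.match(msg):
            t.status = st.group("status")
        elif d := COMPLETED_RE.match(msg):
            t.records, t.nbytes, t.secs = int(d.group("recs")), int(d.group("nbytes")), float(d.group("secs"))
    return list(transfers.values())


def diagnose(t: Transfer) -> str:
    """One-line verdict; the "Transfer completed" line on its own never says why a transfer failed."""
    if t.status == "success" and (t.records or 0) > 0:
        return f"OK {t.zone} serial {t.serial} from {t.primary} via {t.local}"
    if t.local is None:
        # Assumption: no "connected using" line means the TCP connection to the primary was
        # never made, so the next place to look is dropped packets in the secondary's firewall log.
        return f"FAIL {t.zone}: never connected to {t.primary} (status: {t.status}); check firewall logs"
    return f"FAIL {t.zone}: connected from {t.local} but got {t.records} records (status: {t.status})"


def source_hosts(transfers: List[Transfer]) -> List[str]:
    """Distinct source addresses BIND bound, to compare with what the firewall rules assume."""
    seen: List[str] = []
    for t in transfers:
        if t.local is not None and t.local.rsplit("#", 1)[0] not in seen:
            seen.append(t.local.rsplit("#", 1)[0])
    return seen


if __name__ == "__main__":
    parsed = parse_xfer_log(SAMPLE_LOG)
    for t in parsed:
        print(diagnose(t))
    print("source addresses used:", source_hosts(parsed))
```

Run it against `/var/log/syslog` or the BIND log channel that carries the xfer-in category; if `source_hosts` reports an address you did not expect, that is the address the outbound rules (and the primary's allow-transfer list) need to cover.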