[Samba] DNS amplification attacks

Marc Muehlfeld samba at marc-muehlfeld.de
Tue Feb 25 12:02:18 MST 2014

Hello Bruno,

On 25.02.2014 19:31, Bruno Vane wrote:
> How can I configure samba4 to be protected against DNS amplification
> attacks? Is there a way to set the network I want it to be recursive,
> like in bind9?

Have you tried 'allow-recursion' in BIND? If this doesn't work, I guess 
it's not supported (yet) in combination with the DLZ module.

> My samba4 is receiving attacks and googling I found this:
> http://dnsamplificationattacks.blogspot.com.br/2014/02/domain-gerdar3ru.html

But do you really want your DC listening on your internet NIC and 
providing DNS and other Samba services to internet users?

If not, you can tell Samba to listen only on the other interfaces. See

If your DNS should be accessible from the internet and you want to 
manage the zones via AD, then I would recommend that you place an 
additional machine with BIND in your DMZ that forwards the 
requests you want to allow to your DC.
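
The interface restriction suggested in the reply above, shown as an added smb.conf example that is not part of the original post. The interface name eth1 and the address 192.168.10.2/24 are assumed values for the DC's internal NIC, and eth0 is assumed to be the internet-facing one.

```ini
# /etc/samba/smb.conf (constructed example, not from the original thread)

[global]
    # Without the two settings below, Samba listens on every
    # broadcast-capable interface it finds, including the assumed
    # internet-facing NIC eth0:
    #
    #   (no "interfaces" line)
    #   bind interfaces only = no      <- default

    # Restricted: name only loopback and the internal NIC. An entry can be
    # an interface name or an address/mask pair, so the second line below
    # is an equivalent way to write it.
    interfaces = lo eth1
    # interfaces = 127.0.0.1/8 192.168.10.2/24

    # Make Samba's services bind only to the interfaces listed above
    # instead of to the wildcard address. Keep loopback in the list,
    # otherwise local tools such as smbpasswd may not work as expected.
    bind interfaces only = yes
```

Restart Samba after the change and check the listening sockets on port 53 (for example with `ss -tulpn`). If the BIND9_DLZ backend is in use, named opens its own sockets, so restrict it separately with `listen-on` in named.conf.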

