[Samba] Limit Samba4 AXFR zone info by bind view

Kelvin Yip kelvin at icshk.com
Thu Nov 27 22:24:49 MST 2014


Hi,

Thanks for your suggestion.
I have tried your suggestion with no luck, even when I disable allow-query from the internal network.

Best,
Kelvin Yip

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of support at remsnet.de
Sent: Friday, November 28, 2014 12:49 PM
To: Kelvin Yip
Cc: samba at lists.samba.org
Subject: Re: [Samba] Limit Samba4 AXFR zone info by bind view

Dear Kelvin,


As of now, the "dlz "AD DNS Zone" {" block does not yet know allow-query, allow-transfer... with bind 9.9/9.10;
the only way has been to solve it in the global config with "allow-query".

For that we may need to open a feature request at ISC Bind to solve that, or, more simply: someone codes a patch and delivers it to the ISC bind team.

Never list complete (local) networks, as it results in NO restrictions.
localhost for transfer is irrelevant for samba4 dlz axfr to external :-)

correct your global allow-query, allow-transfer:

         allow-query     { internal_network; allow_hidden_root_querys; !external_network; };
         allow-transfer  { can_transfer; };


 // only list host IPs here, no networks.
 acl "can_transfer" {
          1.2.3.4/32;
 };

 // only list host IPs from the outside provider here
 acl "allow_hidden_root_querys" {
          10.11.12.13/32;
 };





--
Best Regards

Horst Venzke ; PGP NET : 1024G/082F2E6D ;  http://www.remsnet.de

Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.


> Sent: Friday, 28 November 2014 at 04:59
> From: "Kelvin Yip" <kelvin at icshk.com>
> To: samba at lists.samba.org
> Subject: [Samba] Limit Samba4 AXFR zone info by bind view
>
> Dear all,
> 
>  
> 
> Does anyone have an example configuration of a bind view to limit AXFR zone
> info as stated in the following link?
> 
> https://bugzilla.samba.org/show_bug.cgi?id=9634
> 
>  
> 
> Someone mentioned it is possible using bind view. I have tried bind 
> view with no luck.
> 
>  
> 
> My current configuration is:
> 
>  
> 
> options {
>         version "MyDNS V8.8.8.8";
>         forwarders {
>                 192.168.188.2;
>         };
>         listen-on port 53 { 127.0.0.1; 192.168.188.66; };
>         listen-on-v6 port 53 { ::1; };
>         directory       "/var/named";
>         tkey-gssapi-keytab      "/usr/local/samba/private/dns.keytab";
>         dump-file       "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query     { localhost; 192.168.188.0/24; };
>         allow-transfer  { localhost; };
>         recursion yes;
> 
>         dnssec-enable yes;
>         dnssec-validation yes;
>         dnssec-lookaside auto;
> 
>         /* Path to ISC DLV key */
>         bindkeys-file "/etc/named.iscdlv.key";
> 
>         managed-keys-directory "/var/named/dynamic";
> };
> 
> acl "internal_network" {
>         127/8;
>         192.168.188.0/24;
> };
> 
> acl "external_network" {
>         !192.168.188.0/24;
> };
> 
> view "internal" {
>         match-clients { "internal_network"; }; // our network
>         allow-query { internal_network; };
>         allow-transfer  { localhost; };
>         allow-recursion { internal_network; };
>         match-recursive-only no;
>         //recursion yes;
>         zone "." IN {
>                 type hint;
>                 file "named.ca";
>         };
>         include "/etc/named.rfc1912.zones";
>         include "/usr/local/samba/private/named.conf";
> };
> 
> view "external" {
>         match-clients { "external_network"; }; // public network
>         allow-query { any; };
>         allow-transfer  { localhost; };
>         allow-recursion { none; };
>         match-recursive-only no;
>         //recursion no;
>         zone "." IN {
>                 type hint;
>                 file "named.ca";
>         };
>         include "/etc/named.rfc1912.zones";
>         include "/usr/local/samba/private/named.conf";
> };
> 
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> 
> #zone "." IN {
> #       type hint;
> #       file "named.ca";
> #};
> 
> #include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/usr/local/samba/private/named.conf";
> 
>  
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
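The ACL semantics behind both configurations in this thread are easy to get wrong, so here is an added Python model of how BIND evaluates an address_match_list, run against the ACLs quoted above. This is illustration code written for this page, not BIND's code and not from either poster; it assumes the first-match rule documented in the BIND ARM (the first matching element decides, a negated element denies, no match at all denies, and a nested ACL name counts only when the nested list matches positively) and simplifies "localhost" to the loopback range. The names THREAD_ACLS, view_for, axfr_allowed_in_kelvins_views, axfr_allowed_in_horsts_global and query_allowed_in_horsts_global are this example's own. The result worth noticing is that an ACL containing only a negated prefix, like Kelvin's "external_network", never matches positively, so a view whose match-clients refers to it catches no client at all; selecting "everyone except the LAN" needs a positive catch-all after the negation.

```python
import ipaddress

# Constructed model of BIND address_match_list evaluation (assumption: based on
# the documented first-match semantics; this is not BIND code). "localhost" is
# simplified to loopback; real BIND also matches every local interface address.


def _parse_prefix(text):
    """Expand BIND prefix shorthand such as 127/8 into an ip_network."""
    addr, _, plen = text.partition("/")
    if ":" not in addr:
        parts = addr.split(".")
        parts += ["0"] * (4 - len(parts))
        addr = ".".join(parts)
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)


def match(client, elements, acls):
    """Return +1 for a positive match, -1 for a negated match, 0 for no match."""
    client = ipaddress.ip_address(client)
    for elem in elements:
        negated = elem.startswith("!")
        name = elem[1:] if negated else elem
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = client.is_loopback
        elif name in acls:
            # Nested ACL: a negative inner match is treated as "no match".
            hit = match(client, acls[name], acls) > 0
        else:
            hit = client in _parse_prefix(name)
        if hit:
            return -1 if negated else 1
    return 0


def allowed(client, elements, acls):
    """allow-query / allow-transfer / match-clients grant only on a positive match."""
    return match(client, elements, acls) > 0


# The ACLs exactly as the two posters wrote them in this thread.
THREAD_ACLS = {
    "internal_network": ["127/8", "192.168.188.0/24"],
    "external_network": ["!192.168.188.0/24"],
    "can_transfer": ["1.2.3.4/32"],
    "allow_hidden_root_querys": ["10.11.12.13/32"],
}


def view_for(client, acls=THREAD_ACLS):
    """Which of Kelvin's views a client lands in, checked in match-clients order."""
    views = [("internal", ["internal_network"]), ("external", ["external_network"])]
    for name, clients in views:
        if allowed(client, clients, acls):
            return name
    return None  # no view matches: BIND refuses the query


def axfr_allowed_in_kelvins_views(client):
    """allow-transfer { localhost; } in both views: only loopback may AXFR."""
    return allowed(client, ["localhost"], THREAD_ACLS)


def axfr_allowed_in_horsts_global(client):
    """allow-transfer { can_transfer; }: a single /32 may AXFR."""
    return allowed(client, ["can_transfer"], THREAD_ACLS)


def query_allowed_in_horsts_global(client):
    """Horst's allow-query list; the trailing !external_network is a no-op."""
    return allowed(client, ["internal_network", "allow_hidden_root_querys",
                            "!external_network"], THREAD_ACLS)


if __name__ == "__main__":
    for ip in ("192.168.188.10", "8.8.8.8", "1.2.3.4", "127.0.0.1"):
        print(ip, "view:", view_for(ip),
              "axfr(views):", axfr_allowed_in_kelvins_views(ip),
              "axfr(global):", axfr_allowed_in_horsts_global(ip))
    # A negation followed by a positive catch-all selects "everyone but the LAN".
    print(allowed("8.8.8.8", ["!192.168.188.0/24", "any"], THREAD_ACLS))  # True
```

Running the script shows that no client, inside or outside 192.168.188.0/24, ever lands in the "external" view as written, while "internal" behaves as intended; it also shows that a /32 in allow-transfer admits exactly one host whereas a /24 admits the whole network, which is the distinction Horst is drawing.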


