[Samba] DNS zone transfer

Andrew Bartlett abartlet at samba.org
Wed Aug 31 19:14:30 UTC 2016


On Tue, 2016-08-30 at 16:31 +0200, mathias dufresne via samba wrote:
> Sorry to ask, here Bind is configured to not allow zone transfer except for
> some IPs. I did try to transfer the AD zone from a machine which is not
> allowed to transfer zones according to the Bind configuration file, and that
> machine was able to transfer what it should not...
> 
> Are there other points where the Bind configuration file is useless? Is it
> documented somewhere? This is to avoid relying on Bind configuration files
> when they are ignored...

This looks to be an unexpected side-effect of the fact that access
control is handed to Samba's DLZ module, which is needed to allow Samba
to control who can dynamically update records.

Filing a bug would be most reasonable.  Hopefully Samba's DNS server is
never exposed to the internet; it wasn't ever designed with that level
of protection.

Andrew Bartlett

> 2016-08-25 19:19 GMT+02:00 Marc Muehlfeld via samba
> <samba at lists.samba.org>:
> 
> > 
> > Hi Carlos,
> > 
> > On 25.08.2016 at 18:48, Carlos A. P. Cunha via samba wrote:
> > > 
> > > I have Samba 4.4.5 with BIND 9.9.7, and realized (in older Samba
> > > versions also) that the DNS zone transfer works when anyone makes
> > > the request; the update is correct, only the DC can.
> > > This behavior seems "wrong", right?
> > 
> > https://bugzilla.samba.org/show_bug.cgi?id=9634
> > 
> > The internal DNS disallows zone transfers and BIND_DLZ permits. That's a
> > bug of course and an inconsistent behaviour. However, it's still unfixed.
> > 
> > 
> > Regards,
> > Marc
> > 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
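
A check for the behaviour discussed in this thread, as an added example that is not part of the original messages or of Samba's or BIND's code: run from a host that BIND's zone-transfer restriction should not cover, against your own DC, it reports whether an AXFR request is answered or refused. The function names and the sample replies are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}

def build_axfr_query(zone, txid=0x4158):
    """Return a TCP-framed DNS query (QTYPE=AXFR, QCLASS=IN) for the zone."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.strip(".").split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # one question, no flags
    msg = header + qname + struct.pack(">HH", 252, 1)           # 252 = AXFR, 1 = IN
    return struct.pack(">H", len(msg)) + msg                    # 2-byte TCP length prefix

def classify_axfr_reply(msg):
    """Classify the first DNS message of a reply (TCP length prefix already removed)."""
    if len(msg) < 12:
        return "malformed"          # includes a connection closed with no reply
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "transfer-permitted"  # zone data is being returned to this client
    if rcode == 0:
        return "no-data"
    return "denied:" + RCODES.get(rcode, str(rcode))

def _recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def check_zone_transfer(server, zone, timeout=5.0):
    """Send one AXFR query to your own DNS server and classify its first reply."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        (length,) = struct.unpack(">H", _recv_exact(sock, 2).ljust(2, b"\x00"))
        return classify_axfr_reply(_recv_exact(sock, length))

# Constructed sample reply headers (not captured traffic).
SAMPLE_REFUSED = struct.pack(">HHHHHH", 0x4158, 0x8005, 1, 0, 0, 0)  # QR=1, RCODE=REFUSED
SAMPLE_ALLOWED = struct.pack(">HHHHHH", 0x4158, 0x8400, 1, 2, 0, 0)  # QR=1, AA=1, 2 answers
```

A result of `transfer-permitted` from a host outside the allowed list means the restriction in the BIND configuration is not being enforced for that zone.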
