[Samba] I can't deny zone transfer when using bind as DNS backend

Andrew Bartlett abartlet at samba.org
Tue Feb 13 21:37:14 UTC 2018


On Tue, 2018-02-13 at 16:30 -0500, Denis Morejon via samba wrote:
> Well, I'm using a Samba 4.7.4 DC and bind 9.10.3 as DNS back end. I have a 
> zone called mydomain.cu in Samba where our workstation and server records 
> are placed. This is my configuration.
> 
> I want to prevent zone transfer attacks against this zone by restricting the 
> hosts that can do it. I tried allow-transfer {"none";}; in the 
> named.conf.options file, but it doesn't work.
> 
> How can I prevent zone transfers in this type of zone?
> 

Not currently as far as we can tell.  Samba just says 'allow anything'
to the API that is meant to be controlling this, but previous attempts
to lock that down seemed to imply that BIND was ignoring it anyway.

The next step is to drop support for enumerating the zone and hope that
doesn't bust anything. 

Sorry,

Andrew Bartlett

> 
> 
> 
> 
> On 13/02/18 at 16:14, Rowland Penny via samba wrote:
> > On Tue, 13 Feb 2018 15:50:11 -0500
> > Denis Morejon via samba <samba at lists.samba.org> wrote:
> > 
> > > It doesn't work for me. I put allow-transfer {"none";}; in
> > > named.conf.options and reloaded the bind9 service, but I cannot avoid
> > > the zone transfer to the Active Directory Integrated Zone!
> > > 
> > > I use Samba 4.7.4 (From Source) and BIND 9.10.3-P4-Debian (Debian 9)
> > > 
> > > This configuration works well on standard zones but not on DLZ
> > > (Samba) zones.
> > 
> > I think you are going to have to explain what you are trying to do; it
> > sounds like you are trying to stop bind using the DNS info in AD.
> > 
> > Rowland
> > 
> 
> 
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
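The thread turns on a check that is easy to get wrong by eye: after changing allow-transfer, does the server still answer an AXFR for the AD zone? The script below is an added example, not code from this thread, from Samba or from BIND. It separates the decision logic from the network call so the logic can be exercised on captured dig output, and the three embedded samples are constructed (not real captures) to mirror the shapes dig prints on a refused transfer, a successful transfer and a timeout. The host name dc1.mydomain.cu, the addresses and the record set are assumptions; mydomain.cu is the zone named in the thread.

```shell
#!/bin/sh
# axfr_check.sh: added example, not part of the thread or of Samba/BIND.
# Reports whether a DNS server still answers AXFR for a zone, so that an
# allow-transfer change (or its lack of effect on a DLZ zone) can be
# verified from a client. dc1.mydomain.cu and 10.0.0.x are assumed names.

# Classify captured `dig AXFR` output. Prints one word on stdout:
#   allowed  - the server streamed the zone (SOA at start and end)
#   denied   - dig reported "Transfer failed." (server refused the AXFR)
#   unknown  - no usable answer (timeout, unreachable, partial output)
classify_axfr_output() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        printf 'denied\n'
        return 0
    fi
    if printf '%s\n' "$out" | grep -qE 'no servers could be reached|connection timed out|communications error'; then
        printf 'unknown\n'
        return 0
    fi
    # A complete AXFR is bracketed by the zone apex SOA record, so a
    # successful transfer carries at least two SOA lines in the answer.
    # "|| true" keeps grep's exit status 1 (no match) from tripping set -e.
    soa_count=$(printf '%s\n' "$out" | grep -cE '[[:space:]]IN[[:space:]]+SOA[[:space:]]' || true)
    if [ "$soa_count" -ge 2 ]; then
        printf 'allowed\n'
    else
        printf 'unknown\n'
    fi
    return 0
}

# Live check: ask server $1 for an AXFR of zone $2 and classify the result.
# Uses dig with a short timeout and a single try; needs network access.
check_zone_transfer() {
    server=$1
    zone=$2
    raw=$(dig @"$server" "$zone" AXFR +time=5 +tries=1 2>&1 || true)
    classify_axfr_output "$raw"
}

# Constructed samples (not real captures) mirroring dig's output shapes.
DENIED_SAMPLE='; <<>> DiG 9.10.3-P4-Debian <<>> @dc1.mydomain.cu mydomain.cu AXFR
;; global options: +cmd
; Transfer failed.'

ALLOWED_SAMPLE='; <<>> DiG 9.10.3-P4-Debian <<>> @dc1.mydomain.cu mydomain.cu AXFR
;; global options: +cmd
mydomain.cu.        3600  IN  SOA  dc1.mydomain.cu. hostmaster.mydomain.cu. 42 900 600 86400 3600
mydomain.cu.        3600  IN  NS   dc1.mydomain.cu.
dc1.mydomain.cu.    900   IN  A    10.0.0.10
ws01.mydomain.cu.   1200  IN  A    10.0.0.50
mydomain.cu.        3600  IN  SOA  dc1.mydomain.cu. hostmaster.mydomain.cu. 42 900 600 86400 3600
;; Query time: 3 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; XFR size: 5 records (messages 1, bytes 231)'

TIMEOUT_SAMPLE=';; connection timed out; no servers could be reached'

if [ "$#" -eq 2 ]; then
    # Usage: sh axfr_check.sh dc1.mydomain.cu mydomain.cu
    check_zone_transfer "$1" "$2"
else
    printf 'denied sample  -> %s\n' "$(classify_axfr_output "$DENIED_SAMPLE")"
    printf 'allowed sample -> %s\n' "$(classify_axfr_output "$ALLOWED_SAMPLE")"
    printf 'timeout sample -> %s\n' "$(classify_axfr_output "$TIMEOUT_SAMPLE")"
fi
```

Run it as `sh axfr_check.sh <dc> mydomain.cu` from a host that is not in any allow-transfer list: a standard zone with allow-transfer { none; }; should come back "denied", while the behaviour described in the thread for the DLZ zone would show up as "allowed" even after the option is set. Running from the DC itself is not a meaningful test, since loopback is often permitted separately.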