[Samba] I can't deny zone transfer when using bind as DNS backend

Marc Muehlfeld mmuehlfeld at samba.org
Wed Feb 14 15:15:11 UTC 2018


On 13.02.2018 at 23:27, Denis Morejon wrote:
> This is bad news, because we need both!
>
> In my network we use zone transfer to transfer our zones to remote DNS
> servers (in other cities). And we receive periodical security
> inspections, and DNS zone transfers are a target of questions.
>
> However, thank you for your explanation. We have to decide between dlz
> and internal.
>
>
> How different might internal be from bind? I mean, is Internal DNS
> flexible enough compared to bind?

It's difficult to say. It depends on what you want to do with your DNS
server. BIND in general has a lot more features and configuration
options. However, not all of them are available through the DLZ module
we use to connect BIND to the Samba databases.


One idea (without knowing what you want to achieve) would be that you
join another Samba DC with DNS to the domain for each remote location.
Then AD replicates the AD DNS partition and you don't need the zone
transfer.

Or you just forward all requests on your remote BIND DNS to the AD DNS
servers:
  zone "samdom.example.com" {
          type forward;
          forwarders { 192.168.1.1; 192.168.1.2; };
  };
Of course, this isn't the same as a local "copy" of the zone, but if the
connection to the AD network is down, then the remote clients can't
reach the AD network anyway.


However, these are just some thoughts. If you tell us more about your
environment and what you want to achieve, we may find a suitable
solution/workaround.

Regards,
Marc
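Since the thread mentions periodic security inspections that ask about zone transfers, here is an added audit helper (not part of the Samba thread or the Samba project) that classifies the outcome of an AXFR attempt against a server so you can confirm which hosts actually get a copy of the zone. It assumes dig is installed for the live check; the sample outputs and the addresses 192.0.2.1 and samdom.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Samba thread): classify the result of an
# AXFR attempt so a periodic audit can confirm that transfers are only
# answered for the intended secondaries. The live check uses dig, which
# is assumed to be installed when the script is run with arguments.

# Decide from dig's AXFR output whether the server handed over the zone.
# A refused transfer prints "; Transfer failed." (BIND answers REFUSED);
# a successful one prints the records followed by ";; XFR size: N records".
classify_axfr_output() {
    if printf '%s\n' "$1" | grep -q '^;; XFR size:'; then
        echo allowed
    elif printf '%s\n' "$1" | grep -qi 'Transfer failed'; then
        echo denied
    else
        echo unknown
    fi
}

# Run one AXFR attempt against a server and classify it.
# Usage: check_axfr <server-ip> <zone>
check_axfr() {
    out=$(dig +time=3 +tries=1 @"$1" "$2" AXFR 2>&1)
    classify_axfr_output "$out"
}

# Constructed sample outputs (shaped like dig's real output) used to
# demonstrate the classification without touching the network.
SAMPLE_DENIED='; <<>> DiG 9.11 <<>> @192.0.2.1 samdom.example.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_ALLOWED='samdom.example.com.	3600	IN	SOA	dc1.samdom.example.com. hostmaster.samdom.example.com. 1 900 600 86400 3600
samdom.example.com.	900	IN	NS	dc1.samdom.example.com.
samdom.example.com.	3600	IN	SOA	dc1.samdom.example.com. hostmaster.samdom.example.com. 1 900 600 86400 3600
;; Query time: 2 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
;; XFR size: 3 records (messages 1, bytes 150)'

if [ "$#" -ge 2 ] && command -v dig >/dev/null 2>&1; then
    # Live check against your own server: ./axfr_check.sh <server-ip> <zone>
    echo "$1 $2: $(check_axfr "$1" "$2")"
else
    echo "constructed denied sample:  $(classify_axfr_output "$SAMPLE_DENIED")"
    echo "constructed allowed sample: $(classify_axfr_output "$SAMPLE_ALLOWED")"
fi
```

Run it from a host that should not be a secondary and from one that should be, and compare: the expected result for the DC's own zone is "allowed" only from the addresses you intend to serve, and "denied" everywhere else. An "unknown" result usually means a timeout or an unreachable server rather than a policy decision, so treat it as a prompt to rerun rather than as a pass.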


