[Samba] I can't deny zone transfer when using bind as DNS backend
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 14 15:51:37 UTC 2018
In addition to Marc's comment.
A "master/slave" setup with ADDC samba+bind works also fine.
But only ADDC-master => NON-ADDC-slave, at least that's what I've tested and am running.
My proxy servers are slaves (with a caching and forwarding setup).
And to protect your zone transfers... firewall what's needed...
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marc
> Muehlfeld via samba
> Sent: Wednesday 14 February 2018 16:15
> To: Denis Morejon; samba at lists.samba.org
> Subject: Re: [Samba] I can't deny zone transfer when using
> bind as DNS backend
>
> On 13.02.2018 at 23:27, Denis Morejon wrote:
> > This is bad news. Cause we need both!
> >
> > In my network we use zone transfer to transfer our zones to
> > remote DNS servers (in other cities). And we receive periodical
> > security inspections and DNS zone transfers are target of questions.
> >
> > However, thank you for your explanation. We have to decide
> > between dlz and internal.
> >
> >
> > How different might be internal from bind? I mean, is Internal DNS
> > flexible enough compared to bind?
>
> It's difficult to say. It depends on what you want to do with your DNS
> server. BIND in general has a lot more features and configuration
> options. However, not all of them are available through the DLZ module
> we use to connect BIND to the Samba databases.
>
>
> One idea (without knowing what you want to achieve) would be that you
> join another Samba DC with DNS to the domain for each remote location.
> Then AD replicates the AD DNS partition and you don't need the zone
> transfer.
>
> Or you just forward all requests on your remote BIND DNS to the AD DNS
> servers:
> zone "samdom.example.com" {
> type forward;
> forwarders { 192.168.1.1; 192.168.1.2; };
> };
> Of course, this isn't the same as a local "copy" of the zone, but if
> the connection to the AD network is down, then the remote clients
> can't reach the AD network anyway.
>
>
> However, these are just some thoughts. If you tell us more about your
> environment and what you want to achieve, we may find a suitable
> solution/workaround.
>
> Regards,
> Marc
>
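Whichever route is taken (firewalling TCP/53 to the slave addresses, as Louis suggests, or replacing the transfer with a forward zone as in Marc's snippet), the admin still wants to confirm afterwards that an AXFR from a host that is not an authorised slave is actually refused. The following probe is an added example and not code from this thread or from Samba or BIND; it uses only the Python standard library, builds the AXFR question by hand (RFC 1035 wire format over TCP) and classifies the server's first reply. The zone name is taken from Marc's example; the server address, port and the "unauthorised host" you run it from are assumptions you supply.

```python
import socket
import struct

# Added example: a minimal AXFR probe to verify that a DNS server refuses zone
# transfers to hosts that are not listed as slaves. Standard library only.

QTYPE_AXFR = 252   # RFC 1035: AXFR question type
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a DNS name such as 'samdom.example.com' as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build a DNS message with one AXFR question (no TCP length prefix yet)."""
    # flags 0x0000: standard query, RD clear; QDCOUNT=1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_response(msg: bytes):
    """Return (txid, rcode, answer_count) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return txid, flags & 0x000F, an


def classify(rcode: int, answer_count: int) -> str:
    """Turn the reply into a verdict a DNS admin can act on."""
    if rcode == 5:
        return "transfer refused (expected for unauthorised hosts)"
    if rcode == 0 and answer_count > 0:
        return "transfer ALLOWED: server returned zone records"
    return f"unexpected reply: rcode={RCODE_NAMES.get(rcode, rcode)}"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before reply was complete")
        buf += chunk
    return buf


def check_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> str:
    """Send one AXFR request over TCP and classify the first message returned.

    A firewall that drops TCP/53 from this host shows up as a socket timeout,
    which is also a valid 'denied' outcome for the purpose of this check.
    """
    query = build_axfr_query(zone)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            reply = _recv_exact(s, length)
    except (socket.timeout, ConnectionError, OSError) as exc:
        return f"no reply ({exc.__class__.__name__}): blocked before DNS level"
    txid, rcode, answers = parse_response(reply)
    if txid != 0x1234:
        return "reply with mismatched transaction id, ignoring"
    return classify(rcode, answers)


if __name__ == "__main__":
    # Assumed values: run from a host that should NOT be allowed to transfer.
    print(check_axfr("192.168.1.1", "samdom.example.com"))
```

Run it from each host that is not one of the slaves; the only acceptable outcomes are "transfer refused" (the server answers REFUSED) or "no reply" (the firewall drops the connection). Running it from a legitimate slave should return "transfer ALLOWED", which confirms the firewall rules did not cut off the replication path by accident.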