[Samba] I can't deny zone transfer when using bind as DNS backend

L.P.H. van Belle belle at bazuin.nl
Wed Feb 14 15:51:37 UTC 2018

In addition to Marc's comment.

A "master/slave" setup with ADDC samba+bind also works fine.
But only ADDC-master => NON-ADDC-slave, at least that's what I've tested and am running.
My proxy servers are slaves (with a caching and forwarding setup).
And to protect your zone transfers: firewall what's needed...



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marc Muehlfeld via samba
> Sent: Wednesday 14 February 2018 16:15
> To: Denis Morejon; samba at lists.samba.org
> Subject: Re: [Samba] I can't deny zone transfer when using bind as DNS backend
>
> On 13.02.2018 at 23:27, Denis Morejon wrote:
> > This is bad news, because we need both!
> >
> > In my network we use zone transfer to transfer our zones to remote DNS
> > servers (in other cities). And we receive periodical security
> > inspections, and DNS zone transfers are a target of questions.
> >
> > However, thank you for your explanation. We have to decide between dlz
> > and internal.
> >
> >
> > How different might internal be from bind? I mean, is internal DNS
> > flexible enough compared to bind?
> It's difficult to say. It depends on what you want to do with your DNS
> server. BIND in general has a lot more features and configuration
> options. However, not all of them are available through the DLZ module
> we use to connect BIND to the Samba databases.
> One idea (without knowing what you want to achieve) would be that you
> join another Samba DC with DNS to the domain for each remote location.
> Then AD replicates the AD DNS partition and you don't need the zone
> transfer.
> Or you just forward all requests on your remote BIND DNS to the AD DNS
> servers:
>   zone "samdom.example.com" {
>           type forward;
>           forwarders {;; };
>   };
> Of course, this isn't the same as a local "copy" of the zone, but if the
> connection to the AD network is down, then the remote clients can't
> reach the AD network anyway.
> However, these are just some thoughts. If you tell us more about your
> environment and what you want to achieve, we may find a suitable
> solution/workaround.
> Regards,
> Marc
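An added example, not part of the original messages and not Samba or BIND project code: the thread's premise is that transfers cannot be denied in the BIND DLZ setup, and the advice above is to firewall them. This sketch audits which clients actually start transfers by checking BIND `xfer-out` log lines against an allow-list of slaves. The log lines, addresses and the `ALLOWED_SLAVES` list are constructed assumptions, and it assumes the `xfer-out` logging category is enabled.

```python
import ipaddress
import re

# Constructed sample lines in the shape of BIND 9's xfer-out log category.
SAMPLE_LOG = """\
14-Feb-2018 15:40:02.118 xfer-out: info: client 192.0.2.10#40211 (samdom.example.com): transfer of 'samdom.example.com/IN': AXFR started
14-Feb-2018 15:40:02.131 xfer-out: info: client 192.0.2.10#40211 (samdom.example.com): transfer of 'samdom.example.com/IN': AXFR ended
14-Feb-2018 15:44:57.902 xfer-out: info: client @0x7f3a5c0d1e20 198.51.100.77#51844 (samdom.example.com): transfer of 'samdom.example.com/IN': AXFR started (serial 2018021401)
14-Feb-2018 15:45:10.004 queries: info: client 198.51.100.77#51850 (dc1.samdom.example.com): query: dc1.samdom.example.com IN A +
14-Feb-2018 15:47:30.250 xfer-out: info: client 2001:db8::53#38112 (samdom.example.com): transfer of 'samdom.example.com/IN': IXFR started
"""

# Hypothetical allow-list: the non-AD-DC slaves that may pull the zone.
ALLOWED_SLAVES = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "2001:db8::/64")]

# Matches "client [@0xADDR] IP#PORT ... transfer of 'ZONE/IN': AXFR|IXFR started".
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) .*?"
    r"transfer of '(?P<zone>[^']+)/IN': (?P<kind>AXFR|IXFR) started"
)


def unauthorized_transfers(log_text, allowed=ALLOWED_SLAVES):
    """Return (client_ip, zone, kind) for every started transfer whose
    client is not inside one of the allowed slave networks."""
    findings = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue  # not a transfer start (queries, "ended", other categories)
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field; skip rather than guess
        if not any(ip in net for net in allowed):
            findings.append((str(ip), m.group("zone"), m.group("kind")))
    return findings


if __name__ == "__main__":
    for ip, zone, kind in unauthorized_transfers(SAMPLE_LOG):
        print(f"unexpected {kind} of {zone} from {ip}")
```

Any finding means the firewall rules in front of TCP port 53 are letting a host other than the intended slaves pull the zone.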