[Samba] Restrict who can query my DNS

Leonardo Yanes Batista informatico at alficsa.co.cu
Thu Aug 22 17:53:41 UTC 2019


Thank you very much for the promptness of your response.

I don't think blocking port 53 is a good idea, at least in my situation, since, for example, I would have to open it in the future to be able to add new PCs to the domain.

I don't know if the Samba configuration files overwrite, within the zone configuration of my domain, who can query my DNS (I suppose they do), but I can't find where I could modify it.


----- Original Message -----
From: "Mauricio Tavares" <raubvogel at gmail.com>
To: "Leonardo Yanes Batista" <informatico at alficsa.co.cu>
Cc: "samba" <samba at lists.samba.org>
Sent: Thursday, August 22, 2019 1:39:24 PM
Subject: Re: [Samba] Restrict who can query my DNS

On Thu, Aug 22, 2019 at 1:30 PM Leonardo Yanes Batista via samba
<samba at lists.samba.org> wrote:
>
> Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?
>
> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>
> I would like to be able to define who are the IPs that I want to allow to consult my DNS. I tried the following but I failed to get it
> /etc/bind/named.conf.options
> ...
> options {
>     allow-query {
>         localhost;
>     };
>     ....
> };
>
> In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
>
The lazy solution is to block port 53 TCP/UDP. Besides that,
could you have something further down your config files that is overruling the
allow-query{}? I also wonder whether, if you add the IP of said server as
IP/32; in the allow-query{}; list, it will make bind happy. You know,
just in case it is being paperclip helpful.

>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
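
The check suggested in the reply above (looking for something further down the config files that overrules `allow-query`), as an added example that is not part of the original thread: in BIND, an `allow-query` inside a `view` or `zone` block takes precedence over the one in `options`. The sample configuration, the zone name and the function names are constructed for illustration.

```python
import re

# Comments (/* */, //, #), quoted strings, punctuation, then bare words.
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)

def tokens(text):
    return [m.group(0) for m in TOKEN.finditer(text)
            if not m.group(0).startswith(("/*", "//", "#"))]

def find_allow_query(text):
    """Return (scope, elements) for every allow-query statement, in file order."""
    toks, found, stack, stmt, i = tokens(text), [], [], [], 0
    while i < len(toks):
        t = toks[i]
        if t == "{" and stmt == ["allow-query"]:
            depth, elems = 1, []
            i += 1
            while i < len(toks) and depth:      # read up to the matching "}"
                depth += {"{": 1, "}": -1}.get(toks[i], 0)
                if depth and toks[i] != ";":
                    elems.append(toks[i])
                i += 1
            found.append((" > ".join(stack) or "(top level)", elems))
            stmt = []
            continue
        if t == "{":
            stack.append(" ".join(stmt))        # e.g. options, zone "name"
        elif t == "}" and stack:
            stack.pop()
        if t in ("{", "}", ";"):
            stmt = []
        else:
            stmt.append(t)
        i += 1
    return found

def overriding(text):
    """allow-query statements in view/zone scope, which win over the options one."""
    return [(s, e) for s, e in find_allow_query(text) if s != "options"]

SAMPLE = '''
options {
    directory "/var/cache/bind";        // constructed sample, not from the thread
    allow-query { localhost; };
};
zone "example.test" {
    type master;
    allow-query { any; };               # overrides the options-level list
};
'''

if __name__ == "__main__":
    for scope, elems in overriding(SAMPLE):
        print(f"{scope}: allow-query {{ {'; '.join(elems)}; }}")
```

`include` files are not followed, so run it over the output of `named-checkconf -p`, which prints the main file and its includes as one configuration.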



