[Samba] Restrict who can query my DNS

Jeremy Allison jra at samba.org
Thu Aug 22 18:04:24 UTC 2019


On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via samba wrote:
> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
> > Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?
> > 
> > I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
> > 
> > I would like to be able to define which IPs are allowed to consult my DNS. I tried the following but couldn't get it to work:
> > /etc/bind/named.conf.options
> > ...
> > options {
> >     allow-query {
> >         localhost;
> >     };
> >     ....
> > }
> > 
> > In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
> > 
> > 
> OK, I give in: why do you want to do something that is, on the face of it,
> akin to unplugging your DC from the network?
> 
> Your domain computers must be able to query the dns server on the DC.

On a technical level at least, the source3 smbd server (and the
deprecated source4 ntvfs server) have the capability of using
the "hosts allow" and "hosts deny" lists set in the smb.conf,
but these lists don't seem to be consulted for access
to the Samba binary AD-DC services.

Rowland, do you think it's worthwhile fixing the capability
to restrict AD-DC services in this way?
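As an added illustration (not configuration from anyone in this thread), this is the shape of a named.conf.options fragment that follows Rowland's point: the DC and the domain's client subnets keep query access, and only hosts outside those networks are refused. The subnets 10.0.0.0/24 and 10.0.1.0/24 are placeholders.

```conf
// Added example, not from the thread. Placeholder subnets: replace
// 10.0.0.0/24 and 10.0.1.0/24 with the networks your domain computers use.
acl "domain-clients" {
    localhost;
    10.0.0.0/24;
    10.0.1.0/24;
};

options {
    // ... existing directory, forwarders, etc. ...

    // Only ACL members may query at all. The OP's "localhost;" alone is
    // this same directive, which is why it also locked out domain members.
    allow-query { "domain-clients"; };

    // Recursion is the part most worth restricting: only local clients
    // should be able to use the DC as a general-purpose resolver.
    allow-recursion { "domain-clients"; };
};
```

Check the file with `named-checkconf` and apply it with `rndc reload`; a query from a host outside the ACL should then come back REFUSED, while domain members and the DC itself still resolve the AD zones.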
