[Samba] Restrict who can query my DNS
Mauricio Tavares
raubvogel at gmail.com
Thu Aug 22 18:08:47 UTC 2019
On Thu, Aug 22, 2019 at 1:52 PM Leonardo Yanes Batista
<informatico at alficsa.co.cu> wrote:
>
> Thank you very much for the promptness of your response.
>
> Blocking port 53, I don't think it's a good idea, at least in my situation, since, for example, I would have to open it in the future to be able to add new PCs to the domain.
>
I understand. I was going from the original requirement that
only the server itself should be able to query its DNS.
> I don't know if the Samba configuration files override, within the zone configuration of my domain, who can query my DNS (I suppose they do), but I can't find where I could modify it.
>
And that is the main question IMHO. You can also require
authentication to query the DNS server.
Or, if you are concerned not about those hosts in your domain
accessing this dns but what they can query, you could use views
(https://kb.isc.org/docs/aa-00851).
>
> ----- Original Message -----
> From: "Mauricio Tavares" <raubvogel at gmail.com>
> To: "Leonardo Yanes Batista" <informatico at alficsa.co.cu>
> Cc: "samba" <samba at lists.samba.org>
> Sent: Thursday, August 22, 2019 1:39:24 PM
> Subject: Re: [Samba] Restrict who can query my DNS
>
> On Thu, Aug 22, 2019 at 1:30 PM Leonardo Yanes Batista via samba
> <samba at lists.samba.org> wrote:
> >
> > Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?
> >
> > I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
> >
> > I would like to be able to define which IPs I want to allow to query my DNS. I tried the following but failed to get it working:
> > /etc/bind/named.conf.options
> > ...
> > options {
> >     allow-query {
> >         localhost;
> >     };
> >     ....
> > };
> >
> > In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
> >
> The lazy solution is to block port 53 TCP/UDP. Besides that,
> could you have something somewhere down your config files that is overruling the
> allow-query{}? I also wonder whether, if you add the IP of said server as
> IP/32; to the allow-query{}; list, it will make bind happy. You know,
> just in case it is being paperclip helpful.
>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
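As an added example (not from this thread, and not configuration shipped by Samba or ISC), here is a named.conf.options layout that does what the original post asks: restrict who may query the BIND9 DLZ backend to the DC itself and the domain's client network. The addresses are assumptions: 192.0.2.10 is the DC, 192.0.2.0/24 is the client network, and the include path is the one recent Samba versions write (adjust to your install).

```conf
// Added example, not from the thread. Addresses are assumptions:
// 192.0.2.10 is the DC, 192.0.2.0/24 is the domain's client network.

// Name the permitted clients once and refer to the acl everywhere.
acl "dc-self"        { 127.0.0.1; ::1; 192.0.2.10; };
acl "domain-clients" { 192.0.2.0/24; };

options {
    directory "/var/cache/bind";

    // Setting from the post, kept here commented out for comparison.
    // It only allows the loopback addresses, so even the DC's own
    // 192.0.2.10 address would be refused:
    // allow-query { localhost; };

    // Answer only the DC itself and domain members; everyone else
    // gets REFUSED.
    allow-query       { dc-self; domain-clients; };
    // Recursion and cache access are separate ACLs; keep them no
    // wider than allow-query, and narrower if only the DC should
    // resolve names outside the AD zones.
    allow-recursion   { dc-self; domain-clients; };
    allow-query-cache { dc-self; domain-clients; };
    // Zone transfers: nobody unless you run secondaries.
    allow-transfer    { none; };
};

// The Samba DLZ zones are loaded through this include (path as written
// by recent Samba versions; assumption, check your install). Any
// zone {} or view {} block anywhere in the included files that carries
// its own allow-query overrides the one in options {}, which is the
// first thing to check when the global ACL seems to be ignored.
include "/var/lib/samba/bind-dns/named.conf";
```

To see the configuration BIND actually ends up with, including every included file, run `named-checkconf -p` on the DC; then, from a machine outside the ACL, `dig @192.0.2.10 <dc-fqdn> A` should come back with status REFUSED, while a domain client gets an answer.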