[Samba] Restrict who can query my DNS

Rowland penny rpenny at samba.org
Thu Aug 22 18:09:18 UTC 2019


On 22/08/2019 19:04, Jeremy Allison wrote:
> On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via samba wrote:
>> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
>>> Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?
>>>
>>> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>>>
>>> I would like to be able to define who are the IPs that I want to allow to consult my DNS. I tried the following but I failed to get it
>>> /etc/bind/named.conf.options
>>> ...
>>> options {
>>> allow-query {
>>> localhost;
>>> };
>>> ....
>>> }
>>>
>>> In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
>>>
>>>
>> OK, I give in, why do you want to do something, that is, on the face of it,
>> akin to unplugging your DC from the network ?
>>
>> Your domain computers must be able to query the dns server on the DC.
> On a technical level at least, the source3 smbd server (and the
> deprecated source4 ntvfs server) have the capability of using
> the "hosts allow" and "hosts deny" lists set in the smb.conf,
> but these lists don't seem to be being consulted for access
> to the samba binary AD-DC services.
>
> Rowland, do you think it's worthwhile fixing the capability
> to restrict AD-DC services in this way ?

Hi Jeremy, probably, but this still wouldn't do what the OP wants, as I 
said in my earlier reply, the easiest way to get what the OP wants is to 
just unplug the DC from the domain ;-)

Rowland




More information about the samba mailing list