[Samba] Restrict who can query my DNS

L.P.H. van Belle belle at bazuin.nl
Fri Aug 23 06:43:04 UTC 2019


Hi,

It might help to know why the TS is asking this.
Is this wise? I don't think so.
So more info to better understand this is handy.

Greetz, 

Louis 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Thursday 22 August 2019 20:09
> To: Jeremy Allison
> CC: sambalist
> Subject: Re: [Samba] Restrict who can query my DNS
> 
> On 22/08/2019 19:04, Jeremy Allison wrote:
> > On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via 
> samba wrote:
> >> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
> >>> Hello everyone, could you help me find a solution to 
> restrict who can check my DNS within my domain?
> >>>
> >>> I have a domain controller with SAMBA4 and as DNS backend 
> I use BIND9.
> >>>
> >>> I would like to be able to define who are the IPs that I 
> want to allow to consult my DNS. I tried the following but I 
> failed to get it
> >>> /etc/bind/named.conf.options
> >>> ...
> >>> options {
> >>>     allow-query {
> >>>         localhost;
> >>>     };
> >>>     ....
> >>> };
> >>>
> >>> In essence, this should allow the domain controller 
> itself to be the only one that has permission to query 
> itself, but when I try to query from a PC in my domain, the 
> DNS keeps responding to my queries. How could I avoid this?
> >>>
> >>>
> >> OK, I give in, why do you want to do something, that is, 
> on the face of it,
> >> akin to unplugging your DC from the network ?
> >>
> >> Your domain computers must be able to query the dns server 
> on the DC.
> > On a technical level at least, the source3 smbd server (and the
> > deprecated source4 ntvfs server) have the capability of using
> > the "hosts allow" and "hosts deny" lists set in the smb.conf,
> > but these lists don't seem to be being consulted for access
> > to the samba binary AD-DC services.
> >
> > Rowland, do you think it's worthwhile fixing the capability
> > to restrict AD-DC services in this way ?
> 
> Hi Jeremy, probably, but this still wouldn't do what the OP wants.
> As I said in my earlier reply, the easiest way to get what the OP
> wants is to just unplug the DC from the domain ;-)
> 
> Rowland
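
The thread's point is that `allow-query { localhost; }` on a DC is self-defeating: every domain member and every other DC must be able to query this server, so the ACL has to contain them. Below is an added example of what the OP's `named.conf.options` looks like when the restriction is kept but widened to the domain's own hosts. It is not code from the thread or from the Samba project; the ACL name `ad_clients` and the subnet 192.0.2.0/24 are placeholders for the real client network.

```conf
// Added example (not from the thread or the Samba project).
// /etc/bind/named.conf.options with query access limited to the AD clients.
// 192.0.2.0/24 is a placeholder for the domain's client subnet; "ad_clients"
// is an assumed ACL name. Adjust both to the real network.

acl "ad_clients" {
    127.0.0.1;          // the DC itself (samba-tool, the local resolver)
    ::1;
    192.0.2.0/24;       // placeholder: domain members and other DCs live here
};

options {
    directory "/var/cache/bind";

    // Server-wide default for zones that do not set their own allow-query.
    // Hosts outside the ACL get REFUSED instead of an answer.
    allow-query       { ad_clients; };
    allow-query-cache { ad_clients; };

    // Only the same hosts may use this server as a recursive resolver.
    recursion yes;
    allow-recursion   { ad_clients; };

    // No zone transfers to anyone; AD replication carries the zone data.
    allow-transfer    { none; };

    listen-on    { any; };
    listen-on-v6 { any; };
};
```

After `rndc reconfig`, check it from both sides: from an address inside the ACL, `dig @<dc-ip> _ldap._tcp.dc._msdcs.<realm> SRV` should return the DC's records; from an address outside it, the same query should come back with status REFUSED. If a domain PC still gets answers with the narrower ACL, confirm with `dig` that it is actually asking this server and not another resolver.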
