[Samba] Restrict who can query my DNS

Rowland penny rpenny at samba.org
Fri Aug 23 07:36:24 UTC 2019

On 23/08/2019 07:43, L.P.H. van Belle via samba wrote:
> Hai,
> It might help, knowing why the TS is asking this.
> Is this wise, I don't think so.
> So more info to better understand this, is handy.
> Greetz,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland penny via samba
>> Sent: Thursday 22 August 2019 20:09
>> To: Jeremy Allison
>> CC: sambalist
>> Subject: Re: [Samba] Restrict who can query my DNS
>> On 22/08/2019 19:04, Jeremy Allison wrote:
>>> On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via
>> samba wrote:
>>>> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
>>>>> Hello everyone, could you help me find a solution to
>> restrict who can check my DNS within my domain?
>>>>> I have a domain controller with SAMBA4 and as DNS backend
>> I use BIND9.
>>>>> I would like to be able to define who are the IPs that I
>> want to allow to consult my DNS. I tried the following but I
>> failed to get it
>>>>> /etc/bind/named.conf.options
>>>>> ...
>>>>> options {
>>>>> allow-query {
>>>>> localhost;
>>>>> };
>>>>> ....
>>>>> }
>>>>> In essence, this should allow the domain controller
>> itself to be the only one that has permission to query
>> itself, but when I try to query from a PC in my domain, the
>> DNS keeps responding to my queries. How could I avoid this?
>>>> OK, I give in, why do you want to do something, that is,
>> on the face of it,
>>>> akin to unplugging your DC from the network ?
>>>> Your domain computers must be able to query the dns server
>> on the DC.
>>> On a technical level at least, the source3 smbd server (and the
>>> deprecated source4 ntvfs server) have the capability of using
>>> the "hosts allow" and "hosts deny" lists set in the smb.conf,
>>> but these lists don't seem to be being consulted for access
>>> to the samba binary AD-DC services.
>>> Rowland, do you think it's worthwhile fixing the capability
>>> to restrict AD-DC services in this way ?
>> Hi Jeremy, probably, but this still wouldn't do what the OP
>> wants, as I
>> said in my earlier reply, the easiest way to get what the OP
>> wants is to
>> just unplug the DC from the domain ;-)
>> Rowland
Morning Louis, Unless I totally misread this, the OP only wants the DC 
to query itself, no clients.

I could understand it if they only wanted domain members to query the DC.

Stop and think about this, a client wants to know where another domain 
member is, or worse still, where the DC is, who does it ask ? It asks 
its nameserver, which is the DC, but the DC rejects its request, so what 
does it do ?
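
The narrower restriction mentioned in the reply above (only domain members may query the DC), sketched as a BIND9 options fragment. This is an added example, not part of the original thread; the ACL name `domain_members` and both subnets are constructed placeholders.

```conf
// /etc/bind/named.conf.options (fragment)
// Added example. The ACL name and the subnets are placeholders,
// replace them with the networks your domain members live on.
acl "domain_members" {
    192.168.10.0/24;    // constructed: workstation subnet
    192.168.20.0/24;    // constructed: member-server subnet
};

options {
    // The setting from the original post. With only the DC itself
    // allowed, no client can locate the DC or any other member:
    // allow-query { localhost; };

    // Answer the DC itself and the listed domain subnets only.
    allow-query       { localhost; domain_members; };

    // Keep recursion and cached answers limited to the same hosts,
    // so the DC does not act as a resolver for anyone else.
    allow-recursion   { localhost; domain_members; };
    allow-query-cache { localhost; domain_members; };
};
```

An `allow-query` statement inside a `zone` block overrides the one in `options` for that zone, and `named-checkconf` will check the syntax before named is reloaded.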

