[Samba] Restrict who can query my DNS

Rowland penny rpenny at samba.org
Fri Aug 23 08:40:22 UTC 2019


On 23/08/2019 09:27, L.P.H. van Belle via samba wrote:
>> Morning Louis, Unless I totally misread this, the OP only wants the DC
>> to query itself, no clients.
>>
>> I could understand it if they only wanted domain members to query the DC.
>>
>> Stop and think about this, a client wants to know where another domain
>> member is, or worse still, where the DC is, who does it ask? It asks
>> its nameserver, which is the DC, but the DC rejects its request, so what
>> does it do?
>>
>> Rowland
>>
> Hmm, well, then it's simple. Set up the PCs with static IPs.
> Put the CIDR range they use in Bind configs or firewall.
>
> Wise... No, but the TS will most probably have a good reason for this setup.
> That is the part that I want to know from him, Why o Why?
>
>
> Greetz,
>
> Louis
>
>
Not so simple as that, what about the LDAP and Kerberos records etc., how
will the clients find those if the DNS server keeps rejecting their
queries?

I cannot think of any valid reason for only the DC being able to query
DNS. As I said, it is akin to unplugging the Ethernet cable.

Rowland
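
Added example, not part of the original post: a small Python check of a BIND `allow-query` match list, showing which clients a DC-only rule refuses and which AD service records those clients can then no longer resolve. The addresses, the domain `samdom.example.com`, the ACL name `members` and the function names are assumptions; `localhost` is modelled as loopback plus the DC's own address, and `localnets` is not handled.

```python
import ipaddress
import re

# Standard AD service records that domain members look up on the DC's DNS.
SRV_NAMES = ["_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp",
             "_ldap._tcp.dc._msdcs"]

def parse_acls(conf):
    """Return {name: [elements]} for each `acl name { ... };` and for allow-query."""
    acls = {}
    for m in re.finditer(r'(?:\bacl\s+"?([\w-]+)"?|(allow-query))\s*\{([^}]*)\}', conf):
        name = m.group(1) or m.group(2)
        acls[name] = [e.strip() for e in m.group(3).split(";") if e.strip()]
    return acls

def matches(client, elements, acls, server_ips):
    """BIND address match list: the first matching element wins, '!' negates.
    Returns True (allow), False (deny) or None (no element matched)."""
    for elem in elements:
        negate = elem.startswith("!")
        key = elem.lstrip("!").strip().strip('"')
        if key == "any":
            hit = True
        elif key == "none":
            hit = False
        elif key == "localhost":   # assumption: loopback plus the DC's own address
            hit = client.is_loopback or client in server_ips
        elif key in acls:          # named ACL defined elsewhere in the config
            hit = matches(client, acls[key], acls, server_ips)
        else:                      # literal address or CIDR prefix
            hit = client in ipaddress.ip_network(key, strict=False)
        if hit:
            return not negate
    return None

def refused_lookups(conf, clients, server_ips, domain):
    """Map each refused client to the SRV names it can no longer resolve."""
    acls = parse_acls(conf)
    servers = {ipaddress.ip_address(s) for s in server_ips}
    rule = acls.get("allow-query", ["any"])   # BIND allows all hosts when unset
    return {c: [f"{n}.{domain}" for n in SRV_NAMES] for c in clients
            if not matches(ipaddress.ip_address(c), rule, acls, servers)}

# Constructed named.conf fragments; addresses and names are placeholders.
DC_ONLY = 'options { allow-query { localhost; }; };'
MEMBERS = 'acl "members" { 192.0.2.0/24; };\noptions { allow-query { localhost; members; }; };'
if __name__ == "__main__":
    print(refused_lookups(DC_ONLY, ["192.0.2.25", "192.0.2.10"], ["192.0.2.10"], "samdom.example.com"))
```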




