[Samba] Restrict who can query my DNS
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 23 09:07:50 UTC 2019
In BIND:
Allow-CIDR { ... Range/XX }
Deny-CIDR { ... Range/XX }
That stops use of DNS.
And/or firewall it:
Deny the CIDR first for the full server.
Allow the CIDR for the full server.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday, 23 August 2019 10:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Restrict who can query my DNS
>
> On 23/08/2019 09:27, L.P.H. van Belle via samba wrote:
> >> Morning Louis, Unless I totally misread this, the OP only
> >> wants the DC
> >> to query itself, no clients.
> >>
> >> I could understand it if they only wanted domain members to
> >> query the DC.
> >>
> >> Stop and think about this, a client wants to know where
> >> another domain
> >> member is, or worse still, where the DC is, who does it
> >> ask? It asks
> >> its nameserver, which is the DC, but the DC rejects its
> >> request, so what
> >> does it do?
> >>
> >> Rowland
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> > Hmm, well, then it's simple. Set up the PCs with static IPs.
> > Put the CIDR range they use in the BIND configs or the firewall.
> >
> > Wise... No, but the TS will most probably have a good reason
> > for this setup.
> > That is the part I want to know from him. Why, oh why?
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> Not so simple as that, what about the LDAP and Kerberos
> records etc., how
> will the clients find those if the DNS server keeps rejecting their
> queries?
What I think he wants to do:
Regular network.
AD-DC <=> Domain SERVER members (allowed)
AD-DC <=> Domain JOINED PCs (members) (allowed)
AD-DC <=> GUEST PCs/computers/phones etc. (denied)
So you need 3 CIDR ranges:
Domain server members
Domain computer members
Other.
Allow the first 2, deny the last; it's not that hard to do.
And the "why" should tell us if he only needs DNS restrictions or full server restrictions.
We will see.
>
> I cannot think of any valid reason for only the DC being able
> to query DNS. As I said, it is akin to unplugging the Ethernet cable.
>
> Rowland
>
>
>
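Added example, not part of the thread above: the three-range split Louis sketches (domain server members, domain computer members, everything else) expressed as a BIND-style first-match ACL. BIND evaluates `allow-query` lists in order and the first element that matches the client decides, so a negated entry (`!cidr`) only denies if it comes before any entry that would allow the same address; the evaluator below reproduces that rule and shows the mis-ordering that silently lets guests through. The subnets, host addresses and the `named.conf` fragment it renders are constructed for illustration and are not from the original message.

```python
"""Added example: BIND-style first-match ACL evaluation for the three-range split
(domain servers, domain computers, other). All addresses below are constructed."""
import ipaddress

# Assumed layout: one subnet per role (constructed, not from the thread).
DOMAIN_SERVERS = "10.0.1.0/24"    # AD DCs and other domain member servers
DOMAIN_COMPUTERS = "10.0.2.0/24"  # domain-joined workstations
GUEST_NET = "10.0.9.0/24"         # guest PCs/phones; must not query the DC


def parse_acl(entries):
    """Parse BIND-like ACL entries: 'cidr', '!cidr', 'any', 'localhost'.
    Returns a list of (negated, [networks]) in the order given."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        body = entry[1:].strip() if negated else entry.strip()
        if body == "any":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif body == "localhost":
            nets = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
        else:
            nets = [ipaddress.ip_network(body, strict=False)]
        parsed.append((negated, nets))
    return parsed


def acl_allows(acl, client_ip):
    """First-match semantics as in BIND address_match_lists: the first element
    containing the client decides (negated -> deny, plain -> allow);
    no match at all -> deny."""
    ip = ipaddress.ip_address(client_ip)
    for negated, nets in acl:
        if any(ip.version == net.version and ip in net for net in nets):
            return not negated
    return False


# Deny guests first, then allow the two member ranges (and the DC itself).
ALLOW_QUERY = parse_acl(["!" + GUEST_NET, "localhost", DOMAIN_SERVERS, DOMAIN_COMPUTERS])

# The mistake to avoid: "any" before the negation means the deny is never reached.
MISORDERED_QUERY = parse_acl(["any", "!" + GUEST_NET])


def query_permitted(client_ip):
    """Would the DC's resolver answer this client under ALLOW_QUERY?"""
    return acl_allows(ALLOW_QUERY, client_ip)


def misordered_permits_guest(client_ip):
    """Same client evaluated against the mis-ordered list (True == leak)."""
    return acl_allows(MISORDERED_QUERY, client_ip)


def render_named_conf():
    """Equivalent BIND 9 named.conf fragment for the policy in ALLOW_QUERY."""
    return (
        'acl "domain_servers"   { %s; };\n'
        'acl "domain_computers" { %s; };\n'
        'acl "guests"           { %s; };\n'
        "options {\n"
        "    allow-query     { !guests; localhost; domain_servers; domain_computers; };\n"
        "    allow-recursion { !guests; localhost; domain_servers; domain_computers; };\n"
        "};\n"
    ) % (DOMAIN_SERVERS, DOMAIN_COMPUTERS, GUEST_NET)


if __name__ == "__main__":
    # Constructed sample clients: DC itself, member server, workstation, guest phone, stray host.
    for client in ("127.0.0.1", "10.0.1.5", "10.0.2.77", "10.0.9.20", "192.168.50.1"):
        print("%-14s allow-query=%-5s misordered=%s"
              % (client, query_permitted(client), misordered_permits_guest(client)))
    print(render_named_conf())
```

Note that a host outside all three ranges is denied by the no-match default, which is why the workstation range must actually contain every domain-joined client (static addresses or a DHCP scope pinned to that subnet), or those clients lose the SRV lookups for LDAP and Kerberos that Rowland points out.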