[Samba] Restrict who can query my DNS

L.P.H. van Belle belle at bazuin.nl
Fri Aug 23 09:07:50 UTC 2019


In bind: 
Allow-CIDR { ... Range/XX } 
Deny-CIDR { ... Range/XX } 
That stops use of DNS

And/or firewalling it, 

Deny CIDR first for full server.
Allow CIDR for full server.




> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 23 August 2019 10:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Restrict who can query my DNS
> 
> On 23/08/2019 09:27, L.P.H. van Belle via samba wrote:
> >> Morning Louis, Unless I totally misread this, the OP only wants the DC
> >> to query itself, no clients.
> >>
> >> I could understand it if they only wanted domain members to query the DC.
> >>
> >> Stop and think about this, a client wants to know where another domain
> >> member is, or worse still, where the DC is, who does it ask ? It asks
> >> its nameserver, which is the DC, but the DC rejects its request, so what
> >> does it do ?
> >>
> >> Rowland
> >>
> >>
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> > Hmm, well, then it's simple. Set up the PCs with static IPs.
> > Put the CIDR range they use in Bind configs or firewall.
> >
> > Wise... No, but the TS will most probably have a good reason for this setup.
> > That is the part I want to know from him, why oh why?
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> Not so simple as that, what about the ldap and kerberos records etc, how
> will the clients find those, if the dns server keeps rejecting their
> queries ?

What I think he wants to do.

Regular network.
AD-DC <=> Domain SERVER members ( allowed )
AD-DC <=> Domain JOINED PCs (members) ( allowed )
AD-DC <=> GUEST PCs/computers/phones etc. ( denied )

So you need 3 CIDR ranges.
Domain Server members
Domain computer members
Other.

Allow the first 2, deny the last, it's not that hard to do.
And the "why" should tell us if he only needs DNS restrictions or full server restrictions.
We will see.

> 
> I cannot think of any valid reason for only the DC being able 
> to query DNS. As I said it is akin to unplugging the ethernet cable.
> 
> Rowland
> 
> 
> 
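To make the three-range split above concrete, here is a BIND9 named.conf fragment added for illustration; it is not from this thread or from Samba's own configuration. The acl names and the CIDR values are constructed placeholders, and it assumes the DC serves its AD zones through the BIND9_DLZ module so the global options apply to them.

```conf
// Added example, not from the thread. CIDR values are placeholders.

// What the OP literally asked for: only the DC itself may query.
// As Rowland notes, domain members can then no longer resolve the
// _ldap._tcp / _kerberos._tcp SRV records they need to find the DC,
// so this setting effectively cuts the domain off.
//
// options {
//     allow-query { localhost; };
// };

// The three ranges from the mail (placeholder subnets).
acl "domain_servers"   { 192.0.2.0/24; };       // domain member servers
acl "domain_computers" { 198.51.100.0/24; };    // domain-joined PCs
acl "guest_network"    { 203.0.113.0/24; };     // guests, phones, etc.

options {
    // Address match lists are first-match: put the explicit deny
    // ("Deny CIDR first") before the allows, then allow the DC itself
    // and the two domain ranges. Anything else is refused.
    allow-query {
        !guest_network;
        localhost;
        domain_servers;
        domain_computers;
    };

    // Apply the same list to recursion and cache answers, otherwise
    // the DC still acts as an open resolver for the denied ranges.
    allow-recursion   { !guest_network; localhost; domain_servers; domain_computers; };
    allow-query-cache { !guest_network; localhost; domain_servers; domain_computers; };
};
```

Run `named-checkconf` after editing, and test from one host in each range with `dig @<dc> _ldap._tcp.<realm> SRV` to confirm the domain ranges still get answers while the guest range gets REFUSED.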