On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via samba wrote:
> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
> > Hello everyone, could you help me find a solution to restrict who can query my DNS within my domain?
> >
> > I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
> >
> > I would like to be able to define which IPs I want to allow to query my DNS. I tried the following but I failed to get it working:
> > /etc/bind/named.conf.options
> > ...
> > options {
> >     allow-query {
> >         localhost;
> >     };
> >     ....
> > }
> >
> > In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
> >
> OK, I give in, why do you want to do something that is, on the face of it, akin to unplugging your DC from the network?
>
> Your domain computers must be able to query the DNS server on the DC.

On a technical level at least, the source3 smbd server (and the deprecated source4 ntvfs server) have the capability of using the "hosts allow" and "hosts deny" lists set in the smb.conf, but these lists don't seem to be being consulted for access to the samba binary AD-DC services.

Rowland, do you think it's worthwhile fixing the capability to restrict AD-DC services in this way?
On 22/08/2019 19:04, Jeremy Allison wrote:
> On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via samba wrote:
>> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
>>> Hello everyone, could you help me find a solution to restrict who can query my DNS within my domain?
>>>
>>> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>>>
>>> I would like to be able to define which IPs I want to allow to query my DNS. I tried the following but I failed to get it working:
>>> /etc/bind/named.conf.options
>>> ...
>>> options {
>>>     allow-query {
>>>         localhost;
>>>     };
>>>     ....
>>> }
>>>
>>> In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
>>>
>> OK, I give in, why do you want to do something that is, on the face of it, akin to unplugging your DC from the network?
>>
>> Your domain computers must be able to query the DNS server on the DC.
> On a technical level at least, the source3 smbd server (and the deprecated source4 ntvfs server) have the capability of using the "hosts allow" and "hosts deny" lists set in the smb.conf, but these lists don't seem to be being consulted for access to the samba binary AD-DC services.
>
> Rowland, do you think it's worthwhile fixing the capability to restrict AD-DC services in this way?

Hi Jeremy, probably, but this still wouldn't do what the OP wants. As I said in my earlier reply, the easiest way to get what the OP wants is to just unplug the DC from the domain ;-)

Rowland
Hai,

It might help knowing why the TS is asking this.
Is this wise? I don't think so.
So more info, to better understand this, is handy.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Thursday 22 August 2019 20:09
> To: Jeremy Allison
> CC: sambalist
> Subject: Re: [Samba] Restrict who can query my DNS
>
> On 22/08/2019 19:04, Jeremy Allison wrote:
> > On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via samba wrote:
> >> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
> >>> Hello everyone, could you help me find a solution to restrict who can query my DNS within my domain?
> >>>
> >>> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
> >>>
> >>> I would like to be able to define which IPs I want to allow to query my DNS. I tried the following but I failed to get it working:
> >>> /etc/bind/named.conf.options
> >>> ...
> >>> options {
> >>>     allow-query {
> >>>         localhost;
> >>>     };
> >>>     ....
> >>> }
> >>>
> >>> In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
> >>>
> >> OK, I give in, why do you want to do something that is, on the face of it, akin to unplugging your DC from the network?
> >>
> >> Your domain computers must be able to query the DNS server on the DC.
> > On a technical level at least, the source3 smbd server (and the deprecated source4 ntvfs server) have the capability of using the "hosts allow" and "hosts deny" lists set in the smb.conf, but these lists don't seem to be being consulted for access to the samba binary AD-DC services.
> >
> > Rowland, do you think it's worthwhile fixing the capability to restrict AD-DC services in this way?
>
> Hi Jeremy, probably, but this still wouldn't do what the OP wants. As I said in my earlier reply, the easiest way to get what the OP wants is to just unplug the DC from the domain ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 23/08/2019 07:43, L.P.H. van Belle via samba wrote:
> Hai,
>
> It might help knowing why the TS is asking this.
> Is this wise? I don't think so.
> So more info, to better understand this, is handy.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
>> Sent: Thursday 22 August 2019 20:09
>> To: Jeremy Allison
>> CC: sambalist
>> Subject: Re: [Samba] Restrict who can query my DNS
>>
>> On 22/08/2019 19:04, Jeremy Allison wrote:
>>> On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via samba wrote:
>>>> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
>>>>> Hello everyone, could you help me find a solution to restrict who can query my DNS within my domain?
>>>>> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>>>>> I would like to be able to define which IPs I want to allow to query my DNS. I tried the following but I failed to get it working:
>>>>> /etc/bind/named.conf.options
>>>>> ...
>>>>> options {
>>>>>     allow-query {
>>>>>         localhost;
>>>>>     };
>>>>>     ....
>>>>> }
>>>>>
>>>>> In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
>>>>>
>>>> OK, I give in, why do you want to do something that is, on the face of it, akin to unplugging your DC from the network?
>>>>
>>>> Your domain computers must be able to query the DNS server on the DC.
>>> On a technical level at least, the source3 smbd server (and the deprecated source4 ntvfs server) have the capability of using the "hosts allow" and "hosts deny" lists set in the smb.conf, but these lists don't seem to be being consulted for access to the samba binary AD-DC services.
>>>
>>> Rowland, do you think it's worthwhile fixing the capability to restrict AD-DC services in this way?
>> Hi Jeremy, probably, but this still wouldn't do what the OP wants. As I said in my earlier reply, the easiest way to get what the OP wants is to just unplug the DC from the domain ;-)
>>
>> Rowland

Morning Louis,

Unless I totally misread this, the OP only wants the DC to query itself, no clients.

I could understand it if they only wanted domain members to query the DC.

Stop and think about this: a client wants to know where another domain member is, or worse still, where the DC is. Who does it ask? It asks its nameserver, which is the DC, but the DC rejects its request, so what does it do?

Rowland
> Morning Louis,
>
> Unless I totally misread this, the OP only wants the DC to query itself, no clients.
>
> I could understand it if they only wanted domain members to query the DC.
>
> Stop and think about this: a client wants to know where another domain member is, or worse still, where the DC is. Who does it ask? It asks its nameserver, which is the DC, but the DC rejects its request, so what does it do?
>
> Rowland

Hmm, well, then it's simple.
Set up the PCs with static IPs.
Put the CIDR range they use in the BIND config or the firewall.

Wise... No, but the TS will most probably have a good reason for this setup.
That is the part I want to know from him: why, oh why?

Greetz,

Louis
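Louis's suggestion (put the clients' CIDR range in the BIND config) and Rowland's objection (domain members must still be able to query the DC) come down to the same thing: an `allow-query` ACL that lists the DC itself plus the domain subnets, rather than only `localhost` as in the original post. The fragment below is an added example for this thread, not configuration from any of the posters or from the Samba or BIND projects. The subnets `192.0.2.0/24` and `198.51.100.0/24`, the ACL name `domain_clients` and the `<dc-ip>` / `<domain>` placeholders in the check commands are assumptions to be replaced with the real values.

```conf
// /etc/bind/named.conf.options (added example, not from the original thread)
// Subnets and the ACL name are placeholders; substitute the real domain ranges.

acl "domain_clients" {
    127.0.0.1;          // the DC itself (IPv4 loopback)
    ::1;                // the DC itself (IPv6 loopback)
    192.0.2.0/24;       // placeholder: LAN holding the domain member PCs
    198.51.100.0/24;    // placeholder: second site or VPN range
};

options {
    directory "/var/cache/bind";

    // Only the DC and the listed domain subnets may query this server.
    // Restricting this to "localhost" alone, as in the original post, would
    // also shut out the domain members, which need this server to locate the
    // DC (the _msdcs SRV records) and each other.
    allow-query     { domain_clients; };

    // Recursion for the same clients; anyone else gets REFUSED.
    allow-recursion { domain_clients; };

    // Nobody needs zone transfers from an AD DC's DNS; replication of the
    // AD-backed zones happens through AD, not AXFR.
    allow-transfer  { none; };
};

// Check and apply:
//   named-checkconf /etc/bind/named.conf
//   rndc reconfig
// Verify from a host inside one of the listed ranges and from one outside.
// The first should get an answer, the second "status: REFUSED":
//   dig @<dc-ip> _ldap._tcp.dc._msdcs.<domain> SRV
```

If the firewall route Louis mentions is preferred instead, the equivalent is a rule that admits UDP and TCP port 53 only from the same ranges; the ACL and the firewall rule can also be used together so that a mistake in one does not expose the service. Two caveats that follow from the thread: per Jeremy's note, `hosts allow` / `hosts deny` in smb.conf is not consulted by the AD-DC services, so it is not a substitute for either mechanism; and before debugging an ACL that appears to be ignored, confirm that `named` is actually the process bound to port 53 on the DC (for example with `ss -lnp | grep ':53 '`), since an ACL in named.conf only governs queries that reach BIND.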