Denis Morejon
2018-Feb-13 13:44 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
Hi:

How can I either deny zone transfer or restrict it to some DNS servers when using DLZ?
L.P.H. van Belle
2018-Feb-13 13:52 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
Something like this.

options {
    ....
    // ban everyone by default
    allow-transfer {"none";};
};
...
zone "example.com" in {
    ....
    // explicitly allow the slave(s) in each zone
    allow-transfer {192.168.0.3;};
};

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Denis Morejon via samba
> Sent: Tuesday, 13 February 2018 14:44
> To: samba at lists.samba.org
> Subject: [Samba] I can't deny zone transfer when using bind
> as DNS backend
>
> Hi:
>
> How can I either deny zone transfer or restrict it to some
> DNS servers
> when using DLZ ?
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Denis Morejon
2018-Feb-13 20:50 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
It doesn't work for me. I put allow-transfer {"none";}; in named.conf.options and reloaded the bind9 service, but I cannot avoid the zone transfer of the Active Directory Integrated Zone!

I use Samba 4.7.4 (from source) and BIND 9.10.3-P4-Debian (Debian 9).

This configuration works well on standard zones but not on DLZ (Samba) zones.

On 13/02/18 at 08:52, L.P.H. van Belle via samba wrote:
> Something like this.
>
> options {
>     ....
>     // ban everyone by default
>     allow-transfer {"none";};
> };
> ...
> zone "example.com" in {
>     ....
>     // explicitly allow the slave(s) in each zone
>     allow-transfer {192.168.0.3;};
> };
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Denis Morejon via samba
>> Sent: Tuesday, 13 February 2018 14:44
>> To: samba at lists.samba.org
>> Subject: [Samba] I can't deny zone transfer when using bind
>> as DNS backend
>>
>> Hi:
>>
>> How can I either deny zone transfer or restrict it to some
>> DNS servers
>> when using DLZ ?
Marc Muehlfeld
2018-Feb-13 21:57 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
Hi Denis,

On 13.02.2018 at 14:44, Denis Morejon via samba wrote:
> How can I either deny zone transfer or restrict it to some DNS servers
> when using DLZ ?

You can use the internal DNS instead of BIND. ;-)

https://bugzilla.samba.org/show_bug.cgi?id=9634

Summary: If you use BIND9_DLZ, zone transfers are always allowed. If you use INTERNAL_DNS, they are denied. However, in both cases it's not configurable. It's an inconsistent behaviour.

Regards,
Marc
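Louis's allow-transfer snippet and Marc's note that BIND9_DLZ ignores it point at a check worth automating before a security inspection: read named.conf, report the effective allow-transfer ACL of every statically configured zone (zone-level statement, else the options{} default), and warn that any zones served through the Samba DLZ module are not covered by those ACLs at all. The script below is an added example, not code from this thread, from Samba or from BIND. Its sample configuration is constructed, the file paths in it are placeholders, and it assumes that a configuration with no allow-transfer statement anywhere allows transfers to anyone, which is the BIND 9.10-era default.

```python
import re

# Assumption: with no allow-transfer statement anywhere, BIND 9.10-era
# defaults to allowing transfers to anyone.
DEFAULT_ALLOW_TRANSFER = ["any"]

# Constructed sample named.conf: one secondary explicitly allowed, one
# zone wide open, one zone inheriting the options{} default, plus the
# Samba DLZ declaration (all paths are placeholders).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    // ban everyone by default
    allow-transfer { "none"; };
};
include "/PLACEHOLDER/samba/named.conf";
dlz "AD DNS Zone" {
    # AD zones come from Samba through this module, not from zone statements
    database "dlopen /PLACEHOLDER/lib/bind9/dlz_bind9_10.so";
};
zone "example.com" in {
    type master;
    file "/etc/bind/db.example.com";
    // explicitly allow the secondary in each zone
    allow-transfer { 192.168.0.3; };
};
zone "legacy.example" {
    type master;
    file "/etc/bind/db.legacy";
    allow-transfer { any; };
};
zone "inherits.example" {
    type master;
    file "/etc/bind/db.inherits";
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments so braces inside them are not parsed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        # the header is whatever follows the previous ';' before this '{'
        header = text[i:start].split(";")[-1].strip()
        depth, end = 0, start
        while end < len(text):
            if text[end] == "{":
                depth += 1
            elif text[end] == "}":
                depth -= 1
                if depth == 0:
                    break
            end += 1
        yield header, text[start + 1:end]
        i = end + 1


def allow_transfer_acl(body):
    """Return the allow-transfer list of a block body, or None if unset."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip().strip('"') for t in m.group(1).split(";") if t.strip()]


def audit_zone_transfers(conf_text):
    """Report the effective allow-transfer ACL of every zone statement."""
    text = strip_comments(conf_text)
    global_acl = DEFAULT_ALLOW_TRANSFER
    zones, dlz_loaded = {}, False
    for header, body in top_level_blocks(text):
        words = header.split()
        if not words:
            continue
        if words[0] == "options":
            acl = allow_transfer_acl(body)
            if acl is not None:
                global_acl = acl
        elif words[0] == "zone" and len(words) > 1:
            zones[words[1].strip('"')] = allow_transfer_acl(body)
        elif words[0] == "dlz":
            dlz_loaded = True
    report = {"global_acl": global_acl, "zones": {}, "dlz_loaded": dlz_loaded}
    for name, acl in zones.items():
        effective = acl if acl is not None else global_acl
        # "any" anywhere in the ACL means every client may pull the zone
        report["zones"][name] = {
            "acl": effective,
            "open": any(a.lower() == "any" for a in effective),
        }
    return report


if __name__ == "__main__":
    result = audit_zone_transfers(SAMPLE_NAMED_CONF)
    for name, info in result["zones"].items():
        state = "OPEN" if info["open"] else "restricted"
        print(f"{name:20s} allow-transfer={info['acl']} -> {state}")
    if result["dlz_loaded"]:
        print("DLZ module loaded: AD zones are served by Samba and are not "
              "restricted by allow-transfer (Samba bug 9634)")
```

Run it against a copy of the real named.conf (after concatenating any included files, which the script does not follow) to see which static zones are still open; the DLZ warning is the reminder that, as this thread concludes, the AD-integrated zones need a network-level control rather than a BIND ACL.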
Marc Muehlfeld
2018-Feb-14 15:15 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
On 13.02.2018 at 23:27, Denis Morejon wrote:
> These are bad news. Cause we need both!
>
> In my network we use zone transfer to transfer our zones to remote DNS
> servers (In other cities). And we receive periodical security
> inspections and DNS zone transfers are target of questions.
>
> However, Thank you for your explanation. We have to decide between dlz
> and internal.
>
>
> How different might be internal from bind? I mean, is Internal DNS
> flexible enough compared to bind ?

It's difficult to say. It depends on what you want to do with your DNS server. BIND in general has a lot more features and configuration options. However, not all of them are available through the DLZ module we use to connect BIND to the Samba databases.

One idea (without knowing what you want to achieve) would be that you join another Samba DC with DNS to the domain for each remote location. Then AD replicates the AD DNS partition and you don't need the zone transfer.

Or you just forward all requests on your remote BIND DNS to the AD DNS servers:

zone "samdom.example.com" {
    type forward;
    forwarders { 192.168.1.1; 192.168.1.2; };
};

Of course, this isn't the same as a local "copy" of the zone, but if the connection to the AD network is down, then the remote clients can't reach the AD network anyway.

However, these are just some thoughts. If you tell us more about your environment and what you want to achieve, we may find a suitable solution/workaround.

Regards,
Marc
L.P.H. van Belle
2018-Feb-14 15:51 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
In addition to Marc's comment.

A "master/slave" setup with AD DC samba+bind works also fine. But only ADDC-master => NON-ADDC-slave, at least that's what I've tested and am running. My proxy servers are slaves (with a caching and forwarding setup).

And to protect your zone transfers.. Firewall what's needed ...

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marc
> Muehlfeld via samba
> Sent: Wednesday, 14 February 2018 16:15
> To: Denis Morejon; samba at lists.samba.org
> Subject: Re: [Samba] I can't deny zone transfer when using
> bind as DNS backend
>
> On 13.02.2018 at 23:27, Denis Morejon wrote:
> > These are bad news. Cause we need both!
> >
> > In my network we use zone transfer to transfer our zones to
> remote DNS
> > servers (In other cities). And we receive periodical security
> > inspections and DNS zone transfers are target of questions.
> >
> > However, Thank you for your explanation. We have to decide
> between dlz
> > and internal.
> >
> >
> > How different might be internal from bind? I mean, is Internal DNS
> > flexible enough compared to bind ?
>
> It's difficult to say. It depends on what you want to do with your DNS
> server. BIND in general has a lot of more feature and configuration
> options. However, not all of them are available through the DLZ module
> we use to connect BIND to the Samba databases.
>
>
> One idea (without knowing what you want to achieve) would be that you
> join another Samba DC with DNS to the domain for each remote location.
> Then AD replicates the AD DNS partition and you don't need the zone
> transfer.
>
> Or you just forward all request on your remote BIND DNS to the AD DNS
> servers:
> zone "samdom.example.com" {
>     type forward;
>     forwarders { 192.168.1.1; 192.168.1.2; };
> };
> Of course, this isn't the same as a local "copy" of the zone,
> but if the
> connection to the AD network is down, then the remote clients can't
> reach the AD network anyway.
>
>
> However, these are just some thoughts. If you tell us more about your
> environment and what you want to achieve, we maybe find a suitable
> solution/workaround.
>
> Regards,
> Marc