Denis Morejon
2018-Feb-13 20:50 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
It doesn't work for me. I put allow-transfer {"none";}; in named.conf.options and reloaded the bind9 service, but I cannot avoid the zone transfer to the Active Directory Integrated Zone!

I use Samba 4.7.4 (From Source) and BIND 9.10.3-P4-Debian (Debian 9).

This configuration works well on standard zones but not on DLZ (Samba) Zones.

On 13/02/18 at 08:52, L.P.H. van Belle via samba wrote:
> Something like this.
>
> options {
>     ....
>     // ban everyone by default
>     allow-transfer {"none";};
> };
> ...
> zone "example.com" in{
>     ....
>     // explicitly allow the slave(s) in each zone
>     allow-transfer {192.168.0.3;};
> };
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Denis Morejon via samba
>> Sent: Tuesday 13 February 2018 14:44
>> To: samba at lists.samba.org
>> Subject: [Samba] I can't deny zone transfer when using bind
>> as DNS backend
>>
>> Hi:
>>
>> How can I either deny zone transfer or restrict it to some
>> DNS servers
>> when using DLZ?
Rowland Penny
2018-Feb-13 21:14 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
On Tue, 13 Feb 2018 15:50:11 -0500 Denis Morejon via samba <samba at lists.samba.org> wrote:
> It doesn't work for me. I put allow-transfer {"none";}; in
> named.conf.options. Reload the bind9 service. but I can not avoid
> the zone transfer to the Active Directory Integrated Zone !
>
> I use Samba 4.7.4 (From Source) and BIND 9.10.3-P4-Debian (Debian 9)
>
> This configuration works well on standard zones but not on DLZ
> (Samba) Zones.

I think you are going to have to explain what you are trying to do, it sounds like you are trying to stop bind using the dns info in AD.

Rowland
Denis Morejon
2018-Feb-13 21:30 UTC
[Samba] I can't deny zone transfer when using bind as DNS backend
Well, I'm using a Samba 4.7.4 DC and bind 9.10.3 as the DNS back end. I have a zone called mydomain.cu in Samba, where our workstation and server records are placed. This is my configuration.

I want to prevent zone transfer attacks on this zone by restricting the hosts that could do it. I tried allow-transfer {"none";}; in the named.conf.options file, but it doesn't work.

How can I prevent zone transfer in this type of zone?

On 13/02/18 at 16:14, Rowland Penny via samba wrote:
> On Tue, 13 Feb 2018 15:50:11 -0500
> Denis Morejon via samba <samba at lists.samba.org> wrote:
>
>> It doesn't work for me. I put allow-transfer {"none";}; in
>> named.conf.options. Reload the bind9 service. but I can not avoid
>> the zone transfer to the Active Directory Integrated Zone !
>>
>> I use Samba 4.7.4 (From Source) and BIND 9.10.3-P4-Debian (Debian 9)
>>
>> This configuration works well on standard zones but not on DLZ
>> (Samba) Zones.
> I think you are going to have to explain what you are trying to do, it
> sounds like you are trying to stop bind using the dns info in AD.
>
> Rowland