samba - Aug 2019 - Restrict who can query my DNS

Hello everyone, could you help me find a solution to restrict who can check my
DNS within my domain?

I have a domain controller with SAMBA4 and as DNS backend I use BIND9.

I would like to be able to define who are the IPs that I want to allow to
consult my DNS. I tried the following but I failed to get it
/etc/bind/named.conf.options 
... 
options { 
allow-query { 
localhost; 
}; 
.... 
} 

In essence, this should allow the domain controller itself to be the only one
that has permission to query itself, but when I try to query from a PC in my
domain, the DNS keeps responding to my queries. How could I avoid this?

On Thu, Aug 22, 2019 at 1:30 PM Leonardo Yanes Batista via samba
<samba at lists.samba.org> wrote:
>
> Hello everyone, could you help me find a solution to restrict who can check
my DNS within my domain?
>
> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>
> I would like to be able to define who are the IPs that I want to allow to
consult my DNS. I tried the following but I failed to get it
> /etc/bind/named.conf.options
> ...
> options {
> allow-query {
> localhost;
> };
> ....
> }
>
> In essence, this should allow the domain controller itself to be the only
one that has permission to query itself, but when I try to query from a PC in my
domain, the DNS keeps responding to my queries. How could I avoid this?
>
      The lazy solution is to block port 53 TCP/UDP. Besides that,
could you have somewhere down your config files that is overruling the
allow-query{}? I also wonder if you add the IP of said server, as
IP/32; in the allow-query{}; list it will make bind happy. You know,
just in case it is being paperclip helpful.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Thank you very much for the promptness of your response.

blocking port 53 I don't think it's a good idea, at least in my
situation, since for example I would have to open it in the future to be able to
add new PCs to the domain.

I don't know if the samba configuration files, overwrite within the zone
configuration of my domain, who can query my DNS (I suppose it does), but I
can't find where I could modify it.


----- Original Message -----
From: "Mauricio Tavares" <raubvogel at gmail.com>
To: "Leonardo Yanes Batista" <informatico at alficsa.co.cu>
Cc: "samba" <samba at lists.samba.org>
Sent: Thursday, August 22, 2019 1:39:24 PM
Subject: Re: [Samba] Restrict who can query my DNS

On Thu, Aug 22, 2019 at 1:30 PM Leonardo Yanes Batista via samba
<samba at lists.samba.org> wrote:
>
> Hello everyone, could you help me find a solution to restrict who can check
my DNS within my domain?
>
> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>
> I would like to be able to define who are the IPs that I want to allow to
consult my DNS. I tried the following but I failed to get it
> /etc/bind/named.conf.options
> ...
> options {
> allow-query {
> localhost;
> };
> ....
> }
>
> In essence, this should allow the domain controller itself to be the only
one that has permission to query itself, but when I try to query from a PC in my
domain, the DNS keeps responding to my queries. How could I avoid this?
>
      The lazy solution is to block port 53 TCP/UDP. Besides that,
could you have somewhere down your config files that is overruling the
allow-query{}? I also wonder if you add the IP of said server, as
IP/32; in the allow-query{}; list it will make bind happy. You know,
just in case it is being paperclip helpful.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 22/08/2019 18:30, Leonardo Yanes Batista via samba
wrote:
> Hello everyone, could you help me find a solution to restrict who can check
my DNS within my domain?
>
> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>
> I would like to be able to define who are the IPs that I want to allow to
consult my DNS. I tried the following but I failed to get it
> /etc/bind/named.conf.options
> ...
> options {
> allow-query {
> localhost;
> };
> ....
> }
>
> In essence, this should allow the domain controller itself to be the only
one that has permission to query itself, but when I try to query from a PC in my
domain, the DNS keeps responding to my queries. How could I avoid this?
>
>
OK, I give in, why do you want to do something, that is, on the face of 
it, akin to unplugging your DC from the network ?

Your domain computers must be able to query the dns server on the DC.

Rowland

On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via samba
wrote:
> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
> > Hello everyone, could you help me find a solution to restrict who can
check my DNS within my domain?
> > 
> > I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
> > 
> > I would like to be able to define who are the IPs that I want to allow
to consult my DNS. I tried the following but I failed to get it
> > /etc/bind/named.conf.options
> > ...
> > options {
> > allow-query {
> > localhost;
> > };
> > ....
> > }
> > 
> > In essence, this should allow the domain controller itself to be the
only one that has permission to query itself, but when I try to query from a PC
in my domain, the DNS keeps responding to my queries. How could I avoid this?
> > 
> > 
> OK, I give in, why do you want to do something, that is, on the face of it,
> akin to unplugging your DC from the network ?
> 
> Your domain computers must be able to query the dns server on the DC.
On a technical level at least, the source3 smbd server (and the
deprecated source4 ntvfs server) have the capability of using
the "hosts allow" and "hosts deny" lists set in the
smb.conf,
but these lists don't seem to be being consulted for access
to the samba binary AD-DC services.

Rowland, do you think it's worthwhile fixing the capability
to restrict AD-DC services in this way ?