Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?

I have a domain controller with SAMBA4 and as DNS backend I use BIND9.

I would like to be able to define the IPs that I want to allow to consult my DNS. I tried the following but failed to get it working:

/etc/bind/named.conf.options
...
options {
    allow-query {
        localhost;
    };
    ....
}

In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
On Thu, Aug 22, 2019 at 1:30 PM Leonardo Yanes Batista via samba <samba at lists.samba.org> wrote:
>
> Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?
>
> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>
> I would like to be able to define the IPs that I want to allow to consult my DNS. I tried the following but failed to get it working:
> /etc/bind/named.conf.options
> ...
> options {
>     allow-query {
>         localhost;
>     };
>     ....
> }
>
> In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
>

The lazy solution is to block port 53 TCP/UDP. Besides that, could you have somewhere down your config files something that is overruling the allow-query{}? I also wonder if adding the IP of said server, as IP/32;, to the allow-query{}; list will make bind happy. You know, just in case it is being paperclip helpful.

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
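The behaviour the thread is circling around is how named evaluates an allow-query address match list: elements are tried in order, the first one that matches the client decides, a leading "!" negates, and "localhost" is a built-in that matches every address configured on the server's own interfaces rather than only 127.0.0.1. The following is an added example, not Samba or BIND code: it parses two constructed named.conf.options fragments (the poster's localhost-only list and a named acl covering the domain subnet, with an assumed DC address of 192.0.2.10 and an assumed domain subnet of 192.0.2.0/24) and reproduces that evaluation, so you can see which clients would be refused under each before touching the real server.

```python
"""Evaluate a BIND allow-query address match list against client addresses.

Added example, not Samba or BIND code. It reproduces named's rules for an
address match list: first matching element wins, a leading '!' negates,
'localhost', 'any' and 'none' are built-ins, and a nested acl matches only
on a positive match inside it. The interface addresses and subnets below
are assumptions made up for the example.
"""
import ipaddress
import re

# Constructed fragment in the style of the poster's /etc/bind/named.conf.options.
LOCALHOST_ONLY = """
options {
    allow-query { localhost; };
};
"""

# Constructed alternative: answer the DC itself plus the domain subnet, but
# refuse one host in it. A negated entry must come before the prefix that
# would otherwise match it, because evaluation stops at the first match.
DOMAIN_ONLY = """
acl "ad-clients" { !192.0.2.200/32; 192.0.2.0/24; };
options {
    allow-query { localhost; ad-clients; };
};
"""

# Addresses bound on the DC's interfaces (assumed). BIND's 'localhost'
# element matches all of them, not just the loopback address.
DC_INTERFACES = ["127.0.0.1", "::1", "192.0.2.10"]

ACL_RE = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;')
ALLOW_QUERY_RE = re.compile(r'\ballow-query\s*\{([^}]*)\}\s*;')


def _elements(body):
    """Split the contents of '{ a; b; }' into a list of trimmed elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_config(text):
    """Return (named_acls, allow_query_list). With no allow-query, named
    answers anyone, so the default list is ['any']."""
    acls = {name: _elements(body) for name, body in ACL_RE.findall(text)}
    match = ALLOW_QUERY_RE.search(text)
    return acls, (_elements(match.group(1)) if match else ["any"])


def _element_matches(client, element, acls, local_addrs):
    """Does a single (non-negated) element match the client address?"""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return client in local_addrs
    if element in acls:
        # A nested acl matches only if the client matches positively inside it.
        return _first_match(client, acls[element], acls, local_addrs) is True
    # Anything else is an address or prefix; a version mismatch never matches.
    return client in ipaddress.ip_network(element, strict=False)


def _first_match(client, elements, acls, local_addrs):
    """True or False from the first matching element, None if none matched."""
    for element in elements:
        negated = element.startswith("!")
        name = element[1:].strip() if negated else element
        if _element_matches(client, name, acls, local_addrs):
            return not negated
    return None


def query_allowed(client_ip, config_text, local_addrs=DC_INTERFACES):
    """Would named answer a query from client_ip under this configuration?
    No element matching at all means the query is refused."""
    acls, allow_query = parse_config(config_text)
    client = ipaddress.ip_address(client_ip)
    local_set = {ipaddress.ip_address(a) for a in local_addrs}
    return _first_match(client, allow_query, acls, local_set) is True


if __name__ == "__main__":
    clients = ("127.0.0.1", "192.0.2.10", "192.0.2.50", "192.0.2.200", "198.51.100.7")
    for label, cfg in (("localhost-only", LOCALHOST_ONLY), ("domain-only", DOMAIN_ONLY)):
        for ip in clients:
            verdict = "answer" if query_allowed(ip, cfg) else "REFUSED"
            print(f"{label:15} {ip:15} {verdict}")
```

Under the localhost-only list, queries from the DC's own addresses are answered but every domain member is refused, which is exactly what an AD domain cannot tolerate; the domain-only list answers the DC and the domain subnet while still refusing the one negated host and anything outside the subnet. If the running named still answers everyone, the options fragment is not what is in effect, so check what named-checkconf -p prints for allow-query after a reload rather than trusting the file.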
Thank you very much for the promptness of your response.

I don't think blocking port 53 is a good idea, at least in my situation, since, for example, I would have to open it in the future to be able to add new PCs to the domain.

I don't know if the Samba configuration files override, within the zone configuration of my domain, who can query my DNS (I suppose they do), but I can't find where I could modify it.

----- Original Message -----
From: "Mauricio Tavares" <raubvogel at gmail.com>
To: "Leonardo Yanes Batista" <informatico at alficsa.co.cu>
Cc: "samba" <samba at lists.samba.org>
Sent: Thursday, August 22, 2019 1:39:24 PM
Subject: Re: [Samba] Restrict who can query my DNS

On Thu, Aug 22, 2019 at 1:30 PM Leonardo Yanes Batista via samba <samba at lists.samba.org> wrote:
>
> Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?
>
> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>
> I would like to be able to define the IPs that I want to allow to consult my DNS. I tried the following but failed to get it working:
> /etc/bind/named.conf.options
> ...
> options {
>     allow-query {
>         localhost;
>     };
>     ....
> }
>
> In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
>

The lazy solution is to block port 53 TCP/UDP. Besides that, could you have somewhere down your config files something that is overruling the allow-query{}? I also wonder if adding the IP of said server, as IP/32;, to the allow-query{}; list will make bind happy. You know, just in case it is being paperclip helpful.

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
> Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?
>
> I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
>
> I would like to be able to define the IPs that I want to allow to consult my DNS. I tried the following but failed to get it working:
> /etc/bind/named.conf.options
> ...
> options {
>     allow-query {
>         localhost;
>     };
>     ....
> }
>
> In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
>
>

OK, I give in, why do you want to do something that is, on the face of it, akin to unplugging your DC from the network?

Your domain computers must be able to query the dns server on the DC.

Rowland
On Thu, Aug 22, 2019 at 07:01:32PM +0100, Rowland penny via samba wrote:
> On 22/08/2019 18:30, Leonardo Yanes Batista via samba wrote:
> > Hello everyone, could you help me find a solution to restrict who can check my DNS within my domain?
> >
> > I have a domain controller with SAMBA4 and as DNS backend I use BIND9.
> >
> > I would like to be able to define the IPs that I want to allow to consult my DNS. I tried the following but failed to get it working:
> > /etc/bind/named.conf.options
> > ...
> > options {
> >     allow-query {
> >         localhost;
> >     };
> >     ....
> > }
> >
> > In essence, this should allow the domain controller itself to be the only one that has permission to query itself, but when I try to query from a PC in my domain, the DNS keeps responding to my queries. How could I avoid this?
> >
> >
> OK, I give in, why do you want to do something that is, on the face of it,
> akin to unplugging your DC from the network?
>
> Your domain computers must be able to query the dns server on the DC.

On a technical level at least, the source3 smbd server (and the deprecated source4 ntvfs server) has the capability of using the "hosts allow" and "hosts deny" lists set in the smb.conf, but these lists don't seem to be consulted for access to the samba binary AD-DC services.

Rowland, do you think it's worthwhile fixing the capability to restrict AD-DC services in this way?