> Morning Louis, Unless I totally misread this, the OP only wants the DC
> to query itself, no clients.
>
> I could understand it if they only wanted domain members to query the DC.
>
> Stop and think about this, a client wants to know where another domain
> member is, or worse still, where the DC is, who does it ask? It asks
> its nameserver, which is the DC, but the DC rejects its request, so what
> does it do?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hmm, well, then it's simple. Set up the PCs with static IPs.
Put the CIDR range they use in the Bind configs or firewall.

Wise... No, but the TS will most probably have a good reason for this setup.
That is the part I want to know from him: why, oh why?

Greetz,

Louis
On 23/08/2019 09:27, L.P.H. van Belle via samba wrote:
>> Morning Louis, Unless I totally misread this, the OP only wants the DC
>> to query itself, no clients.
>>
>> I could understand it if they only wanted domain members to query the DC.
>>
>> Stop and think about this, a client wants to know where another domain
>> member is, or worse still, where the DC is, who does it ask? It asks
>> its nameserver, which is the DC, but the DC rejects its request, so what
>> does it do?
>>
>> Rowland
>
> Hmm, well, then it's simple. Set up the PCs with static IPs.
> Put the CIDR range they use in the Bind configs or firewall.
>
> Wise... No, but the TS will most probably have a good reason for this setup.
> That is the part I want to know from him: why, oh why?
>
> Greetz,
>
> Louis

Not so simple as that: what about the LDAP and Kerberos records etc.? How will the clients find those if the DNS server keeps rejecting their queries?

I cannot think of any valid reason for only the DC being able to query DNS. As I said, it is akin to unplugging the ethernet cable.

Rowland
In bind:
Allow-CIDR { ... Range/XX }
Deny-CIDR { ... Range/XX }
That stops use of DNS.

And/or firewalling it:

Deny CIDR first for full server.
Allow CIDR for full server.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Friday, 23 August 2019 10:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Restrict who can query my DNS
>
> On 23/08/2019 09:27, L.P.H. van Belle via samba wrote:
> >> Morning Louis, Unless I totally misread this, the OP only wants the DC
> >> to query itself, no clients.
> >>
> >> I could understand it if they only wanted domain members to query the DC.
> >>
> >> Stop and think about this, a client wants to know where another domain
> >> member is, or worse still, where the DC is, who does it ask? It asks
> >> its nameserver, which is the DC, but the DC rejects its request, so what
> >> does it do?
> >>
> >> Rowland
> >
> > Hmm, well, then it's simple. Set up the PCs with static IPs.
> > Put the CIDR range they use in the Bind configs or firewall.
> >
> > Wise... No, but the TS will most probably have a good reason for this setup.
> > That is the part I want to know from him: why, oh why?
> >
> > Greetz,
> >
> > Louis
>
> Not so simple as that: what about the LDAP and Kerberos records etc.? How
> will the clients find those if the DNS server keeps rejecting their
> queries?

What I think he wants to do:

Regular network.
AD-DC <=> Domain SERVER members ( allowed )
AD-DC <=> Domain JOINED PCs (members) ( allowed )
AD-DC <=> GUEST PCs/computers/phones etc. ( denied )

So you need 3 CIDR ranges:
Domain server members
Domain computer members
Other.

Allow the first 2, deny the last; it's not that hard to do.
And the "why" should tell us if he only needs DNS restrictions or full server restrictions. We will see.

> I cannot think of any valid reason for only the DC being able to query
> DNS. As I said, it is akin to unplugging the ethernet cable.
>
> Rowland
On 23/08/2019 10:07, L.P.H. van Belle via samba wrote:
> In bind:
> Allow-CIDR { ... Range/XX }
> Deny-CIDR { ... Range/XX }
> That stops use of DNS.
>
> And/or firewalling it:
>
> Deny CIDR first for full server.
> Allow CIDR for full server.

The OP posted this:

/etc/bind/named.conf.options
...
options {
    allow-query {
        localhost;
    };

He only wants the DC to be able to query DNS, nothing else, just localhost.

If he does manage to get this working, how are any other domain clients going to work? They will not be able to find other clients, the DC, or anything from the internet, because the DNS server will reject their queries.

I will say it again: doing this is just like pulling the ethernet cable out of the DC.

Rowland
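To make the two configurations under discussion concrete, here is an added example (not code from the thread, from Samba, or from BIND) that models how named evaluates an allow-query address match list, following the first-match rule the BIND ARM documents: elements are tried in order, the first one that matches decides, a leading "!" negates that element, a bare name refers to another acl, and a client that matches nothing gets REFUSED. It evaluates both the OP's `allow-query { localhost; }` and Louis's three-range plan (domain member servers and domain-joined PCs allowed, everything else denied) against constructed client addresses, and also emits the named.conf acl/allow-query fragment for the three-range plan. Every address, network and acl name below is an assumption made for the example; "localhost" in particular is a BIND built-in that matches the server's own interfaces and is spelled out here by hand.

```python
"""BIND allow-query evaluation, modelled on the documented first-match rule.

Added example for the Samba list thread; not code from the thread, from
Samba or from BIND. Semantics modelled (from the BIND ARM): elements are
tried in order and the first match decides; a leading '!' negates the
element (a negated match denies); 'any'/'none' match everything/nothing;
a name refers to another acl; a client matching nothing is denied, i.e.
named answers REFUSED. All addresses below are constructed.
"""
import ipaddress

# Assumed address of the DC itself (not given in the thread).
DC_ADDR = "192.0.2.10"

# Named lists, the equivalent of named.conf "acl" statements. "localhost"
# is really a BIND built-in matching the server's own interface addresses;
# it is written out explicitly here as an assumption.
ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128", DC_ADDR],
    "domain-servers": ["192.0.2.0/24"],      # domain member servers
    "domain-pcs": ["198.51.100.0/24"],       # domain-joined PCs
}
GUEST_NET = "203.0.113.0/24"                 # guests, phones, etc.

# What the OP posted:  options { allow-query { localhost; }; };
OP_LIST = ["localhost"]
# Louis's three-range plan: allow the first two classes; anything else
# matches nothing and is therefore denied.
PROPOSED_LIST = ["domain-servers", "domain-pcs"]
# The same intent written as an explicit deny first, then allow the rest.
DENY_FIRST_LIST = ["!" + GUEST_NET, "any"]


def _match_list(elements, client, acls):
    """Walk one address match list in order.

    Returns 1 for a positive match, -1 for a negated match, 0 for no match.
    """
    for element in elements:
        negated = element.startswith("!")
        name = element[1:].strip() if negated else element.strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            # Nested acl: only a positive inner match counts. BIND treats a
            # negated match inside a nested list as "no match" and moves on.
            hit = _match_list(acls[name], client, acls) > 0
        else:
            # ip_network() takes a bare address as /32 or /128; a v4 client
            # is never inside a v6 prefix and vice versa.
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negated else 1
    return 0


def allow_query(elements, client_ip, acls=ACLS):
    """True if named would answer client_ip under this allow-query list."""
    return _match_list(elements, ipaddress.ip_address(client_ip), acls) > 0


def render_named_conf(elements, acls=ACLS):
    """Emit the named.conf fragment for a list, skipping BIND's built-in acls."""
    lines = []
    for name, members in acls.items():
        if name in ("localhost", "localnets", "any", "none"):
            continue
        lines.append('acl "%s" { %s };' % (name, " ".join(m + ";" for m in members)))
    lines.append("options {")
    lines.append("    allow-query { %s };" % " ".join(e + ";" for e in elements))
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    clients = ("127.0.0.1", DC_ADDR, "192.0.2.20", "198.51.100.7", "203.0.113.5")
    for label, lst in (("OP", OP_LIST), ("proposed", PROPOSED_LIST),
                       ("deny-first", DENY_FIRST_LIST)):
        for ip in clients:
            verdict = "answered" if allow_query(lst, ip) else "REFUSED"
            print("%-10s %-15s %s" % (label, ip, verdict))
    print(render_named_conf(PROPOSED_LIST))
```

Two things the model makes visible. With `localhost` alone, a domain member server on the DC's own subnet (192.0.2.20 above) is refused just like a guest, which is Rowland's point: the member cannot resolve the _ldap or _kerberos SRV records from the only nameserver it has. And because the first matching element wins, a negated element only has an effect when it precedes every broader prefix that contains it; the ARM's own example, `1.2.3/24; ! 1.2.3.13;`, never denies 1.2.3.13, while the reverse order does.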
We don't know that, Rowland.
Read: https://tools.ietf.org/html/rfc6761 Chap 6.3.4
If I want to run a DC with the name s4dc.localhost
then I can, and it's not responding to DNS requests.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Friday, 23 August 2019 11:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Restrict who can query my DNS
>
> On 23/08/2019 10:07, L.P.H. van Belle via samba wrote:
> > In bind:
> > Allow-CIDR { ... Range/XX }
> > Deny-CIDR { ... Range/XX }
> > That stops use of DNS.
> >
> > And/or firewalling it:
> >
> > Deny CIDR first for full server.
> > Allow CIDR for full server.
>
> The OP posted this:
>
> /etc/bind/named.conf.options
> ...
> options {
>     allow-query {
>         localhost;
>     };
>
> He only wants the DC to be able to query DNS, nothing else, just localhost.

So if he wants that.. he should have read:
https://tools.ietf.org/html/rfc6761 chap 6.3.

> If he does manage to get this working, how are any other domain clients going to work?

Not our problem.

> They will not be able to find other clients, the DC, or anything from the internet,
> because the DNS server will reject their queries.

Again, not our problem; maybe that is exactly what he wants.
You know, I can set up a computer without DNS IP numbers and still work with AD-DCs..

> I will say it again: doing this is just like pulling the
> ethernet cable out of the DC.

Yes, yes, but again, we don't know what his (exact) goal/purpose is, so that is why I want more info first.
You know, something with assumption and mother... So first more info..

> Rowland

Louis