Univention Bugzilla – Bug 53884
AXFR: Setting dns/allow/transfer=none doesn't work for Samba/AD DCs
Last modified: 2024-03-04 11:00:04 CET
Restricting AXFR on UCS Samba/AD DCs seems to be broken. Setting the UCR variable dns/allow/transfer to "none" doesn't have any effect on a Samba/AD DC:

root@primary20:~# ucr get dns/backend
samba4
root@primary20:~# ucr search dns/allow/transfer
dns/allow/transfer: any
 This variable configures which systems may request the DNS zone information using a zone transfer. 'any' allows the transfer for everyone. 'none' denies the zone transfer altogether. Alternatively a list of allowed IP addresses or networks can be defined. In addition an ACL can be defined in /etc/bind/local.conf and referenced in the variable. Multiple entries need to be separated by semicolons. This option only applies when using the LDAP-Backend (see 'dns/backend').
root@primary20:~# ucr set dns/allow/transfer=none
Setting dns/allow/transfer
File: /etc/bind/named.conf.samba4
File: /etc/bind/named.conf.proxy
root@primary20:~# rndc reload    ## was not enough
server reload successful
root@primary20:~# systemctl restart bind9    ## also didn't change the behavior

Still a run of `host -al ucs50domain.net 10.200.8.20` from an external system returns the zone.

Temporarily changing dns/backend to 'ldap' and restarting bind9 shows the intended behavior.

Maybe https://sleeplessbeastie.eu/2021/10/07/how-to-protect-samba-dns-server-against-dns-zone-transfer/ is relevant here.

Not sure if this can be fixed by adjusting the UCR template for /etc/bind/named.conf.samba4 or if we need to backport a Samba patch.
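As an added verification script that is not part of the bug report or of UCS: it repeats the reporter's external zone-transfer test with dig (assumed to be installed; the report used host) and classifies the answer, so the effect of dns/allow/transfer=none can be checked from outside the DC after every reload. The server address and zone name are the ones from the report; the recognised dig output phrases are assumptions about bind9's dig.

```shell
#!/bin/sh
# Added example, not from the Univention bug report: check from an external
# host whether a DC still answers AXFR after dns/allow/transfer=none was set.
# Assumes dig (bind9-dnsutils) is available. Usage: sh axfr_check.sh SERVER ZONE

# classify_axfr OUTPUT
# Classifies captured "dig ... AXFR" output as allowed, denied or unreachable.
classify_axfr() {
    _out=$1
    if printf '%s\n' "$_out" | grep -q 'no servers could be reached'; then
        echo unreachable
    elif printf '%s\n' "$_out" | grep -q 'Transfer failed'; then
        echo denied
    elif printf '%s\n' "$_out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+[A-Z]+[[:space:]]'; then
        # at least one non-comment resource record line came back: the zone leaked
        echo allowed
    else
        echo denied
    fi
}

# count_records OUTPUT -> number of resource record lines in the transfer
count_records() {
    printf '%s\n' "$1" | grep -Ec '^[^;].*[[:space:]]IN[[:space:]]+[A-Z]+[[:space:]]'
}

# check_axfr SERVER ZONE
# Exit status: 0 = transfer refused (expected after dns/allow/transfer=none),
# 1 = zone was returned, 2 = server unreachable.
check_axfr() {
    _srv=$1; _zone=$2
    _out=$(dig @"$_srv" "$_zone" AXFR +time=5 +tries=1 2>&1)
    _state=$(classify_axfr "$_out")
    case $_state in
        allowed)     echo "$_srv $_zone: AXFR ALLOWED ($(count_records "$_out") records)"; return 1 ;;
        unreachable) echo "$_srv $_zone: unreachable"; return 2 ;;
        *)           echo "$_srv $_zone: AXFR denied"; return 0 ;;
    esac
}

# e.g. sh axfr_check.sh 10.200.8.20 ucs50domain.net  (values from the report)
if [ $# -eq 2 ]; then
    check_axfr "$1" "$2"
fi
```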
*** This bug has been marked as a duplicate of bug 55047 ***