Bug 53884 - AXFR: Setting dns/allow/transfer=none doesn't work for Samba/AD DCs
Status: RESOLVED DUPLICATE of bug 55047
Product: UCS
Classification: Unclassified
Component: DNS
UCS 5.0
Other Linux
P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2021-10-08 11:25 CEST by Arvid Requate
Modified: 2024-03-04 11:00 CET

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)


Description Arvid Requate univentionstaff 2021-10-08 11:25:52 CEST
Restricting AXFR on UCS Samba/AD DCs seems to be broken. Setting the UCR variable dns/allow/transfer to "none" doesn't have any effect on a Samba/AD DC:

root@primary20:~# ucr get dns/backend
samba4
root@primary20:~# ucr search dns/allow/transfer
dns/allow/transfer: any
 This variable configures which systems may request the DNS zone information using a zone transfer. 'any' allows the transfer for everyone. 'none' denies the zone transfer altogether. Alternatively a list of allowed IP addresses or networks can be defined. In addition an ACL can be defined in /etc/bind/local.conf and referenced in the variable. Multiple entries need to be separated by semicolons. This option only applies when using the LDAP-Backend (see 'dns/backend').

root@primary20:~# ucr set dns/allow/transfer=none
Setting dns/allow/transfer
File: /etc/bind/named.conf.samba4
File: /etc/bind/named.conf.proxy
root@primary20:~# rndc reload    ## was not enough
server reload successful
root@primary20:~# systemctl restart bind9   ## also didn't change the behavior

Still, a run of `host -al ucs50domain.net 10.200.8.20` from an external system returns the zone.

Temporarily changing dns/backend to 'ldap' and restarting bind9 shows the intended behavior.

Maybe https://sleeplessbeastie.eu/2021/10/07/how-to-protect-samba-dns-server-against-dns-zone-transfer/ is relevant here. Not sure if this can be fixed by adjusting the UCR template for /etc/bind/named.conf.samba4 or if we need to backport a Samba patch.
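The report verifies the setting with `host -al` from an external system. The script below is an added example (not part of the bug report or of UCS) that turns that manual check into a repeatable test: it classifies the output of `dig AXFR` as "allowed", "refused" or "unknown", so that after changing dns/allow/transfer an administrator can confirm from outside the DC that the zone is no longer handed out. The zone and host names in the constructed sample output are taken from the report; `check_zone_transfer` is a hypothetical wrapper that runs `dig` against a live server, while `axfr_status` works on captured text and needs no network.

```shell
#!/bin/sh
# Added example (not from the bug report): classify dig AXFR output so the
# effect of dns/allow/transfer=none can be verified from an external host.

# axfr_status <dig-output>
# Prints "refused" if dig reported a failed transfer, "allowed" if the
# output contains an SOA record (a zone was actually returned) and
# "unknown" otherwise (timeout, NXDOMAIN, empty output, ...).
axfr_status() {
    out=$1
    if printf '%s\n' "$out" | grep -q '^; Transfer failed'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo allowed
    else
        echo unknown
    fi
}

# check_zone_transfer <zone> <server>
# Hypothetical live check: asks the server for a full zone transfer the way
# `host -al <zone> <server>` does and classifies the answer.
# Expected after a working dns/allow/transfer=none: "refused".
check_zone_transfer() {
    axfr_status "$(dig +noall +answer +comments AXFR "$1" "@$2" 2>&1)"
}

# Constructed sample outputs in the format dig prints (offline test data).
SAMPLE_ALLOWED='ucs50domain.net.	3600	IN	SOA	primary20.ucs50domain.net. root.ucs50domain.net. 1 900 600 86400 3600
primary20.ucs50domain.net.	900	IN	A	10.200.8.20
ucs50domain.net.	3600	IN	SOA	primary20.ucs50domain.net. root.ucs50domain.net. 1 900 600 86400 3600'
SAMPLE_REFUSED='; Transfer failed.'

# Usage against a real server (not run here):
#   check_zone_transfer ucs50domain.net 10.200.8.20
```

Running the check before and after `ucr set dns/allow/transfer=none` (and the bind9 restart) gives a quick way to tell whether the template change or backport under discussion actually took effect on a samba4 backend, rather than only on the ldap backend.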
Comment 1 Philipp Hahn univentionstaff 2024-03-04 11:00:04 CET

*** This bug has been marked as a duplicate of bug 55047 ***