Bug 14643 - [SECURITY] internal DNS server asking upstream DNS server about non-existent AD domain names
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal)
Version: 4.13.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Blocks: 14079
Reported: 2021-02-17 08:13 UTC by Andrew Bartlett
Modified: 2024-03-11 22:18 UTC
Description Andrew Bartlett 2021-02-17 08:13:17 UTC
Sebastian on the samba mailing list reports:


Hello!

I'd like to make Samba's internal DNS server authoritative for my AD domain, e.g. "ad.sebastian.intranet".
It shall not query the configured upstream forward DNS server for names below its AD domain.
If Samba's internal DNS server doesn't know a subdomain of the AD domain name, it simply does not exist.


If proven, this looks like a security issue as remote untrusted upstream nameservers could provide malicious addresses for internal names that should just get NXDOMAIN.
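
The behaviour requested in the description, modelled as an added Python sketch (not Samba's code and not part of the original report): a resolver that forwards every local miss is compared with one that answers NXDOMAIN for unknown names at or below its own zone. The `Resolver` class, `untrusted_upstream`, the `dc1` record and the query list are constructed for illustration; only the domain name comes from the report.

```python
# Added illustration, not Samba code. Zone, record and upstream are constructed.
NXDOMAIN = "NXDOMAIN"

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_zone(qname, zone):
    """True if qname is the zone apex or below it, compared label by label."""
    q, z = labels(qname), labels(zone)
    return len(q) >= len(z) and q[len(q) - len(z):] == z

class Resolver:
    def __init__(self, zone, records, upstream, authoritative):
        self.zone, self.upstream, self.authoritative = zone, upstream, authoritative
        self.records = {".".join(labels(k)): v for k, v in records.items()}
        self.forwarded = []  # names that were handed to the upstream server

    def resolve(self, qname):
        key = ".".join(labels(qname))
        if key in self.records:
            return self.records[key]
        if self.authoritative and in_zone(key, self.zone):
            return NXDOMAIN  # unknown name below our own zone: it does not exist
        self.forwarded.append(key)
        return self.upstream(key)

def untrusted_upstream(name):
    """Constructed forwarder that answers every name (203.0.113.0/24 is TEST-NET-3)."""
    return "203.0.113.66"

ZONE = "ad.sebastian.intranet"                        # domain from the report
RECORDS = {"dc1.ad.sebastian.intranet": "10.0.0.10"}  # constructed sample record
QUERIES = ["dc1.ad.sebastian.intranet", "nosuchhost.AD.sebastian.intranet.",
           "xad.sebastian.intranet", "example.org"]

def run(authoritative):
    r = Resolver(ZONE, RECORDS, untrusted_upstream, authoritative)
    return [r.resolve(q) for q in QUERIES], r.forwarded

if __name__ == "__main__":
    for mode in (False, True):
        answers, forwarded = run(mode)
        print("authoritative" if mode else "forward-on-miss", answers, forwarded)
```

`xad.sebastian.intranet` is forwarded in both modes because it shares only a string suffix with the zone, not a label boundary, so a plain `endswith` check would misclassify it.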
Comment 1 Andrew Bartlett 2024-02-29 20:56:56 UTC
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N (4.2)

This requires that there be a malicious upstream DNS server or the use of a not-registered DNS domain (common, but not our problem). 

The CVSS 3.1 is less than 5.0, so I will seek advice on making this public.

Additionally, the original disclosure was public, so if we remove the embargo and treat as a normal bug, in the hope that this may encourage someone to implement a fix.
Comment 2 Andrew Bartlett 2024-03-11 22:18:38 UTC
Removing embargo as this bug doesn't meet our guidelines for an embargoed security release and the initial report was public anyway.