It was noted in bug 15058 that "hosts allow" does not apply to UDP dns traffic. Indeed, the parameter only appears to apply to 'stream' sockets in 'samba' (the AD DC) and SMB/SMB2 sockets in 'smbd'. (plus spoolss per-share checks). We should either apply this universally or document the limitations.