Bug 9634 - Samba Bind DLZ module allows zone transfers for everyone
Summary: Samba Bind DLZ module allows zone transfers for everyone
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS plugin (BIND DLZ)
Version: 4.1.0
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Amitay Isaacs
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-04 22:33 UTC by Marc Muehlfeld
Modified: 2022-10-05 22:02 UTC
CC List: 13 users

See Also:


Attachments
Windows DNS MMC showing error when allowing transfers (160.25 KB, image/png)
2013-06-11 14:38 UTC, Marc Muehlfeld

Description Marc Muehlfeld 2013-02-04 22:33:12 UTC
I use Bind as the DNS backend. In the global section of my named.conf, zone transfers are forbidden:

options {
    ...
    allow-transfer { none; };
    ...
};


This works fine for all zones Bind serves, except the Samba AD DNS zones:

# dig @exon muc.medizinische-genetik.de. AXFR

; <<>> DiG 9.8.4-P1 <<>> @exon muc.medizinische-genetik.de. AXFR
; (1 server found)
;; global options: +cmd
muc.medizinische-genetik.de. 3600 IN    SOA     exon.muc.medizinische-genetik.de. hostmaster.muc.medizinische-genetik.de. 38 900 600 86400 0
muc.medizinische-genetik.de. 900 IN     NS      exon.muc.medizinische-genetik.de.
...
...
...
muc.medizinische-genetik.de. 3600 IN    SOA     exon.muc.medizinische-genetik.de. hostmaster.muc.medizinische-genetik.de. 38 900 600 86400 0
;; Query time: 6 msec
;; SERVER: 192.168.29.2#53(192.168.29.2)
;; WHEN: Mon Feb  4 23:26:42 2013
;; XFR size: 42 records (messages 1, bytes 1698)



It seems the DLZ module doesn't respect the global "allow-transfer".


If this can't be made configurable soon, then maybe the default should be to reject transfers on that zone.
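The description above is a manual AXFR check with dig. The following is an added example, not code from this bug report, from Samba or from BIND: it performs the same probe over raw DNS/TCP with only Python's standard library and classifies the first reply message by the outcomes BIND's xfrout.c (quoted in comment 6 of this bug) can produce: a REFUSED reply, a NOTAUTH reply, or a transfer that begins with the zone's SOA. The server address and zone name are command-line arguments, and the sample bytes used to exercise the classifier are constructed; neither is taken from the report.

```python
"""AXFR probe: does this server hand out a full zone transfer to any client?

Added example, not code from the Samba or BIND projects.  Speaks DNS over
TCP with the standard library only, so it can be run against a DC (or from
an outside vantage point) without dig.
"""
import socket
import struct
import sys

# DNS constants (RFC 1035 / RFC 5936)
QTYPE_AXFR = 252
QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode 'muc.example.com.' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """One AXFR question; flags are 0 (AXFR is never a recursive query)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def classify_axfr_response(msg: bytes) -> str:
    """Classify the first message of an AXFR reply.

    ALLOWED : NOERROR and the first answer RR is the SOA, i.e. the transfer begins
    REFUSED : RCODE 5, the ISC_R_NOPERM path of the DLZ allowzonexfr check
    NOTAUTH : RCODE 9, xfrout.c's "non-authoritative zone" path (any DLZ
              result other than success or NOPERM ends up here)
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    if rcode == 5:
        return "REFUSED"
    if rcode == 9:
        return "NOTAUTH"
    if rcode != 0:
        return RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    if an == 0:
        return "NOERROR-EMPTY"
    off = 12
    for _ in range(qd):                 # step over the echoed question(s)
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    off = skip_name(msg, off)           # owner name of the first answer RR
    rrtype = struct.unpack("!H", msg[off:off + 2])[0]
    return "ALLOWED" if rrtype == QTYPE_SOA else f"NOERROR-TYPE{rrtype}"


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection mid-message")
        buf += chunk
    return buf


def probe_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> str:
    """Send the AXFR over TCP (2-byte length prefix, RFC 1035 4.2.2) and classify
    the first reply message; a real transfer may continue in further messages."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return classify_axfr_response(recv_exact(sock, length))


if __name__ == "__main__":
    # usage: python3 axfr_probe.py <server-ip> <zone>   (assumed placeholders)
    print(probe_axfr(sys.argv[1], sys.argv[2]))
```

Run it once from a host that should be allowed to transfer and once from one that should not; with the DLZ behaviour described in this bug both runs return ALLOWED for the AD zone while the plain named.conf zones return REFUSED, which is the discrepancy the reporter saw with dig.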
Comment 1 Kai Blin 2013-05-20 08:58:53 UTC
As I said at SambaXP, the moment you're inside the DLZ module, you don't get to decide this anymore. Out of curiosity, if you set a per-zone ACL for this in the Samba-created include, does that help?
Comment 2 Marc Muehlfeld 2013-05-20 16:05:24 UTC
Hello Kai,

The following doesn't work:

dlz "AD DNS Zone" {
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
    allow-transfer { none; };
};

Bind won't start any more:

May 20 17:59:49 exon named[79495]: /usr/local/samba/private/named.conf:14: unknown option 'allow-transfer'
May 20 17:59:49 exon named[79495]: loading configuration: failure
May 20 17:59:49 exon named[79495]: exiting (due to fatal error)


Should I forward this as a bug to ISC?
Comment 3 Kai Blin 2013-06-09 08:09:26 UTC
Yes, please do. As far as I understand there is nothing we can do about this in the DLZ module, so this is a bug in BIND. Closing as INVALID.
Comment 4 Kai Blin 2013-06-09 08:10:04 UTC
Apparently I can't go from NEW to CLOSED without going over RESOLVED. Go figure.
Comment 5 Marc Muehlfeld 2013-06-11 10:19:32 UTC
I reported the bug to ISC. It's tracked there with ID #33806.
Comment 6 Marc Muehlfeld 2013-06-11 14:38:09 UTC
Created attachment 8961 [details]
Windows DNS MMC showing error when allowing transfers

Hello Kai,

I got the reply from ISC (see below). They say that the allow/disallow of zone transfers has to be stored and validated in the DLZ database/module, which means this bug report should be re-opened.

If I look at the properties of my Samba-managed zone, the default in the DNS MMC is that zone transfers are prohibited, but they are possible.

I also saw that if I enable the "allow transfer" function in the DNS MMC, I get a "function not supported" error. See screenshot.

Regards,
Marc





-------- Original message --------
Subject: Re: [ISC-Bugs #33806] Bug report: Bind DLZ for Samba module allows zone transfers for everyone
Date: Tue, 11 Jun 2013 13:59:48 +0000
From: Mark Andrews via RT <bind9-bugs@isc.org>


> > DLZ zone transfers are controlled by the zonetransfer method
> > which is part of the DLZ implementation.
> 
> 
> Sorry, but I haven't understood your reply. Can you be a bit more 
> detailed, please?
> 

 
Whether to allow transfers is stored in the DLZ database.
If there is no method, zone transfers are refused (result would be
ISC_R_NOTIMPLEMENTED).

Mark

From bin/named/xfrout.c
        if (result != ISC_R_SUCCESS)
#ifdef DLZ
        {
                /*
                 * Normal zone table does not have a match.
                 * Try the DLZ database
                 */
                if (client->view->dlzdatabase != NULL) {
                        result = dns_dlzallowzonexfr(client->view,
                                                     question_name,
                                                     &client->peeraddr,
                                                     &db);

                        if (result == ISC_R_NOPERM) {
                                <snip failure logging>
                                goto failure;
                        }
                        if (result != ISC_R_SUCCESS)
#endif
                        FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
                                  question_name, question_class);
Comment 7 Kai Blin 2013-06-29 06:59:55 UTC
Reopening and assigning to Amitay
Comment 8 Amitay Isaacs 2013-06-30 14:12:53 UTC
The BIND DLZ module currently allows all zone transfers as long as the zone exists.

As per the MS-DNSP spec, zone transfers are controlled by the DNS_ZONE_SECONDARY_SECURITY setting for the zone. Similarly, additional information about secondary servers is stored in other zone parameters. This information is not stored in AD, but Windows stores it elsewhere.

Currently we don't have a way of storing extra information. How about using a tdb to store this information? That will allow us to support more features in future. Till then, transfers will always be enabled for all IPs.
Comment 9 Marc Muehlfeld 2013-06-30 16:37:49 UTC
How does the internal DNS handle that? Contrary to BIND DLZ, the internal DNS doesn't allow zone transfers. Is this just a different default? Or where does the internal DNS store that information?


If you choose to store that information in a separate TDB, will the settings then be replicated to other DCs as well? Or is this a local per-server setting on Windows, too?
Comment 10 Amitay Isaacs 2013-07-01 02:29:44 UTC
As far as I know, internal DNS server does not support zone transfers (AXFR).  [Adding Kai to CC list, so he can confirm this.]

So the default behaviour for internal DNS server is to disallow zone transfers and for DLZ module is to allow all zone transfers.  We can change the default to disallow all zone transfers, so that it's consistent with internal DNS server, till we can support correct access control.

Regarding the other question, I think DNS settings that are not part of AD are on a per-server basis in Windows. Would you be able to check and confirm if that is the case?
Comment 11 Kai Blin 2013-07-01 06:04:56 UTC
Correct, the internal server does not implement support for zone transfers. The reasoning here was that the internal server is designed for running ADs, and AD has replication to transfer zone data to another DC.
Comment 12 Remsnet (dead mail address) 2014-11-21 09:46:18 UTC
AXFR with the Samba 4 internal DNS is still an issue if you serve many VPN-based site locations without a local AD, but with local dns/dhcpd, i.e. from a local Alix VPN box.

We are using Sernet-samba 4.1.3 with self-built Bind 9.9.6 (due to a distro SPNEGO issue) and can say that AXFR restrictions work using this:

options {
//...
        allow-query     { ip-range; };
        allow-transfer  { iprange; };
//...
};

This works since we are using Bind views.
Without the Bind views we have gotten the same result as Marc reported.
Comment 13 Kelvin Yip 2014-11-28 02:54:15 UTC
(In reply to Remsnet LTD Support from comment #12)
Hello,

I have tried BIND views, but the AXFR restriction is not successful.
Can anyone give me a configuration example for BIND?
Comment 14 keatsy 2015-03-18 20:09:31 UTC
Hi,
It's an issue where domain providers like ovh.net or online.net force you to set a secondary NS, and the recommended way is to use their secondary DNS, which must be notified by your primary one.
Comment 15 Amitay Isaacs 2016-09-28 00:39:14 UTC
Moving this defect to Samba 4.1 and newer since it's not yet resolved.
Comment 16 Amitay Isaacs 2016-09-28 01:10:20 UTC
I am working on adding a new configuration parameter "dns zone transfer clients". This will be the list of IPs to which zone transfers would be allowed.
Comment 17 Dron 2017-04-14 12:59:25 UTC
Hello.
Any updates?
Comment 18 Julien ROPÉ 2018-11-27 10:04:49 UTC
Hi,

One of my clients asked for a fix on this issue. Seeing the comments on this thread, I implemented the suggested modification: add an option in smb.conf to control the list of authorized clients for a DNS zone transfer.

The implementation has been submitted on github : https://github.com/samba-team/samba/pull/213

This is my first contribution - any comment is appreciated

Regards,
Julien
Comment 19 Douglas Bagnall 2020-08-26 03:56:05 UTC
Julien's patchset has ended up here:

https://gitlab.com/samba-team/samba/-/merge_requests/169

Progress appears to have stalled.
Comment 20 Samba QA Contact 2021-06-11 19:29:03 UTC
This bug was referenced in samba master:

0ec865d979540a63362a2014358c8bb27efc0081
Comment 21 Jo Sutton 2022-10-05 22:02:21 UTC
Fixed in Samba 4.15.
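Comment 21 only says the fix shipped in 4.15. The fragment below is an added example of how the resulting smb.conf settings are used; it is not text from this bug or from the Samba project's documentation. The parameter names are the ones I recall from smb.conf(5) for Samba 4.15 (the "dns zone transfer clients" option from comment 16 split into an allow and a deny list), the addresses are placeholders, and both should be confirmed with `man smb.conf` or `testparm -s` on the installed version.

```ini
[global]
    server role = active directory domain controller

    # Added example, not from this bug's comments or the Samba docs.
    # Assumed parameter names from smb.conf(5) for 4.15; verify with
    # `testparm -s` on your build before relying on them.
    # Only the listed hosts may AXFR the AD zones through the BIND DLZ
    # module; a host in the deny list is refused even if it is also allowed.
    dns zone transfer clients allow = 192.168.29.10, 192.168.29.11
    dns zone transfer clients deny  = 192.168.29.200
```

Two caveats from the thread still apply: `allow-transfer` inside the `dlz` block of named.conf is not a valid BIND option (comment 2), so the restriction has to live in smb.conf, and the module reads smb.conf when BIND loads it, so restart named after changing these lines. As I understand the 4.15 change, leaving the allow list unset refuses every transfer, matching the internal DNS server's behaviour from comment 11; check that on your DC with an AXFR from an address that is not in the list rather than trusting this note.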