I use Bind as DNS backend. In the global section of my named.conf, zone transfers are forbidden:

    options {
        ...
        allow-transfer { none; };
        ...
    };

This works fine for all zones Bind serves, except the Samba AD DNS zones:

    # dig @exon muc.medizinische-genetik.de. AXFR

    ; <<>> DiG 9.8.4-P1 <<>> @exon muc.medizinische-genetik.de. AXFR
    ; (1 server found)
    ;; global options: +cmd
    muc.medizinische-genetik.de. 3600 IN SOA exon.muc.medizinische-genetik.de. hostmaster.muc.medizinische-genetik.de. 38 900 600 86400 0
    muc.medizinische-genetik.de. 900 IN NS exon.muc.medizinische-genetik.de.
    ...
    ...
    ...
    muc.medizinische-genetik.de. 3600 IN SOA exon.muc.medizinische-genetik.de. hostmaster.muc.medizinische-genetik.de. 38 900 600 86400 0
    ;; Query time: 6 msec
    ;; SERVER: 192.168.29.2#53(192.168.29.2)
    ;; WHEN: Mon Feb 4 23:26:42 2013
    ;; XFR size: 42 records (messages 1, bytes 1698)

It seems the DLZ module doesn't respect the global "allow-transfer". If this can't be made configurable soon, then maybe the default should be to reject transfers on that zone.
As I said at SambaXP, the moment you're inside the DLZ module, you don't get to decide this anymore. Out of curiosity, if you set a per-zone acl for this in the samba-created include, does that help?
Hello Kai,

the following doesn't work:

    dlz "AD DNS Zone" {
        database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
        allow-transfer { none; };
    };

Bind won't start any more:

    May 20 17:59:49 exon named[79495]: /usr/local/samba/private/named.conf:14: unknown option 'allow-transfer'
    May 20 17:59:49 exon named[79495]: loading configuration: failure
    May 20 17:59:49 exon named[79495]: exiting (due to fatal error)

Should I forward this as a bug to ISC?
Yes, please do. As far as I understand there is nothing we can do about this in the DLZ module, so this is a bug in BIND. Closing as INVALID.
Apparently I can't go from NEW to CLOSED without going over RESOLVED. Go figure.
I reported the bug to ISC. It's tracked there with ID #33806.
Created attachment 8961 [details]
Windows DNS MMC showing error when allowing transfers

Hello Kai,

I got the reply from ISC (see below). They say that the allow/disallow of zone transfers has to be stored and validated in the DLZ database/module, which means this bug report should be re-opened.

If I look at the properties of my Samba managed zone, the default in the DNS MMC is that zone transfers are prohibited, but it is possible. Also I saw that if I enable the "allow transfer" function in the DNS MMC, I get an error "function not supported". See screenshot.

Regards,
Marc

-------- Original Message --------
Subject: Re: [ISC-Bugs #33806] Bug report: Bind DLZ for Samba module allows zone transfers for everyone
Date: Tue, 11 Jun 2013 13:59:48 +0000
From: Mark Andrews via RT <bind9-bugs@isc.org>

> > DLZ zone transfers are controlled by the zonetransfer method
> > which is part of the DLZ implementation.
> >
> Sorry, but I haven't understood your reply. Can you be a bit more
> detailed, please?

Whether to allow transfers is stored in the dlz database. If there is no method, zone transfers are refused (result would be ISC_R_NOTIMPLEMENTED).

Mark

From bin/named/xfrout.c:

        if (result != ISC_R_SUCCESS)
    #ifdef DLZ
        {
            /*
             * Normal zone table does not have a match.
             * Try the DLZ database
             */
            if (client->view->dlzdatabase != NULL) {
                result = dns_dlzallowzonexfr(client->view,
                                             question_name, &client->peeraddr,
                                             &db);
                if (result == ISC_R_NOPERM) {
                    <snip failure logging>
                    goto failure;
                }
                if (result != ISC_R_SUCCESS)
    #endif
                    FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
                          question_name, question_class);
Reopening and assigning to Amitay
BIND DLZ module currently allows all zone transfers as long as the zone exists. As per the MS-DNSP spec, zone transfers are controlled by the DNS_ZONE_SECONDARY_SECURITY setting for the zone. Similarly, additional information about secondary servers is stored in other zone parameters. This information is not stored in AD, but Windows stores it elsewhere. Currently we don't have a way of storing extra information. How about using a tdb to store this information? That will allow us to support more features in future. Till then, transfers will always be enabled for all IPs.
How does the internal DNS handle that? Contrary to BIND DLZ, the internal DNS doesn't allow zone transfers. Is this just a different default? Or where does the internal DNS store that information? If choosing the way to store that information in a separate TDB: will the settings then be replicated to other DCs as well? Or is this a local per-server setting on Windows, too?
As far as I know, the internal DNS server does not support zone transfers (AXFR). [Adding Kai to CC list, so he can confirm this.] So the default behaviour for the internal DNS server is to disallow zone transfers, and for the DLZ module it is to allow all zone transfers. We can change the default to disallow all zone transfers, so that it's consistent with the internal DNS server, till we can support correct access control. Regarding the other question, I think DNS settings that are not part of AD are on a per-server basis in Windows. Would you be able to check and confirm if that is the case?
Correct, the internal server does not implement support for zone transfers. The reasoning here was that the internal server is designed for running ADs, and AD has replication to transfer zone data to another DC.
AXFR with Samba 4 Internal DNS is still an issue if you service many VPN based site locations without a local AD, but with local dns/dhcpd, i.e. from a local alix VPN box.

We are using Sernet-samba 4.1.3 with self-built Bind 9.9.6 (due to a distro spnego issue) and can say that AXFR restrictions work using this:

    options {
        //...
        allow-query { ip-range; };
        allow-transfer { iprange; };
        //...
    };

This works since we are using Bind views. Without the Bind views we got the same result as Marc reported.
(In reply to Remsnet LTD Support from comment #12)

Hello, I have tried Bind views, but the AXFR restriction was not successful. Can anyone give me a Bind configuration example?
Hi, it's an issue where domain providers like ovh.net and online.net force you to set a secondary NS, and the recommended way is to use their secondary DNS, which must be notified by your primary one.
Moving this defect to Samba 4.1 and newer since it's not yet resolved.
I am working on adding a new configuration parameter "dns zone transfer clients". This will be the list of IPs to which zone transfer would be allowed.
Hello. Any updates?
Hi,

One of my clients asked for a fix on this issue. Seeing the comments on this thread, I implemented the suggested modification: add an option in smb.conf to control the list of authorized clients for a DNS zone transfer.

The implementation has been submitted on GitHub: https://github.com/samba-team/samba/pull/213

This is my first contribution - any comment is appreciated.

Regards,
Julien
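To see the effect of an allow-list of transfer clients such as the one proposed above, here is an added example (not Samba's or BIND's code, and not part of this thread) that applies the same check to BIND query-log lines: every AXFR/IXFR request from a client outside the configured addresses or networks is reported. The log lines, zone name and addresses are constructed, and the line layout only approximates BIND's query-log format.

```python
"""Audit AXFR/IXFR requests in BIND query-log lines against an allow-list.

Constructed example, not Samba's or BIND's code; it models the check a
"dns zone transfer clients" style setting implies: transfer only for clients
inside a configured address or network."""
import ipaddress
import re

# Matches "client [@0x...] IP#port (zone): query: name IN AXFR|IXFR ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): query: \S+ IN (?P<qtype>AXFR|IXFR)\b"
)


def parse_clients(setting):
    """Parse a space-separated list of IPs/CIDRs; a bare IP becomes /32 or /128."""
    return [ipaddress.ip_network(tok, strict=False) for tok in setting.split()]


def transfer_allowed(peer, allowed):
    """True only if peer is inside an allowed network; an empty list denies all."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in allowed)


def audit_log(lines, allowed):
    """Return (zone, client, qtype) for every transfer request not permitted."""
    denied = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and not transfer_allowed(m["ip"], allowed):
            denied.append((m["zone"], m["ip"], m["qtype"]))
    return denied


# Constructed sample lines; layout approximates BIND query logging.
SAMPLE_LOG = [
    "client 192.168.29.10#41230 (muc.example.test): query: muc.example.test IN AXFR -E (192.168.29.2)",
    "client 10.9.8.7#5353 (muc.example.test): query: muc.example.test IN AXFR -E (192.168.29.2)",
    "client 192.168.29.10#41231 (muc.example.test): query: www.muc.example.test IN A -E (192.168.29.2)",
    "client 2001:db8::5#5555 (muc.example.test): query: muc.example.test IN IXFR -E (192.168.29.2)",
]

if __name__ == "__main__":
    allowed = parse_clients("192.168.29.0/24 2001:db8::5")
    for zone, client, qtype in audit_log(SAMPLE_LOG, allowed):
        print(f"transfer of {zone} requested by {client} ({qtype}) not permitted")
```

With an empty allow-list every transfer request is reported, which corresponds to the deny-all default discussed earlier in the thread.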
Julien's patchset has ended up here: https://gitlab.com/samba-team/samba/-/merge_requests/169 Progress appears to have stalled.
This bug was referenced in samba master: 0ec865d979540a63362a2014358c8bb27efc0081
Fixed in Samba 4.15.