From: Benjamin Bohard <bbohard@cadoles.com>
Date: Mon, 30 Dec 2019 10:38:47 +0100
Subject: DLZ bind zone transfer restriction
---
.../smbdotconf/domain/dnszonetransferclients.xml | 19 ++++++++++++++++
source4/dns_server/dlz_bind9.c | 26 +++++++++++++++++++++-
2 files changed, 44 insertions(+), 1 deletion(-)
create mode 100644 docs-xml/smbdotconf/domain/dnszonetransferclients.xml
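diff --git a/docs-xml/smbdotconf/domain/dnszonetransferclients.xml b/docs-xml/smbdotconf/domain/dnszonetransferclients.xml
new file mode 100644
index 0000000..3529e60
--- /dev/null
+++ b/docs-xml/smbdotconf/domain/dnszonetransferclients.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="dns zone transfer clients"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option specifies the list IPs authorized to ask for dns zone
+ transfer.
+ </para>
+
+ <para>The content is a comma-separated list of IP addresses.
+ </para>
+
+ <para>Default is "none", meaning no transfer will be authorized.
+ </para>
+</description>
+
+<value type="default">none</value>
+<value type="example">192.168.0.1</value>
+</samba:parameter>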
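diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 5f9a71d..eb4703c 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -938,7 +938,31 @@ _PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const cha
 /* just say yes for all our zones for now */
 struct dlz_bind9_data *state = talloc_get_type(
 dbdata, struct dlz_bind9_data);
- return b9_find_zone_dn(state, name, NULL, NULL);
+ isc_result_t ret ;
+ const char **authorized_clients ;
+ unsigned int i ;
+
+ /* check that the zone is known */
+ ret = b9_find_zone_dn(state, name, NULL, NULL);
+ if (ret == ISC_R_SUCCESS) {
+ authorized_clients = lpcfg_dns_zone_transfer_clients(state->lp) ;
+ if (authorized_clients) {
+ state->log(ISC_LOG_INFO, "samba_dlz: checking if client is authorized for zone transfer") ;
+
+ /* if the option is not set, default is to accept all transfers
+ if the option is set, default is to accept only the selected IPs */
+ ret = ISC_R_NOPERM ;
+ for (i = 0; authorized_clients && authorized_clients[i] ; i++) {
+ state->log(ISC_LOG_INFO, "samba_dlz: comparing to %s", authorized_clients[i]) ;
+ if (strcmp(authorized_clients[i], client) == 0) {
+ state->log(ISC_LOG_INFO, "samba_dlz: accepting IP %s", client) ;
+ ret = ISC_R_SUCCESS ;
+ break ;
+ }
+ }
+ }
+ }
+ return ret ;
 }
 
 /*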
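Review bot: The new check fails open: when `lpcfg_dns_zone_transfer_clients(state->lp)` returns NULL (presumably an explicitly empty setting, since the parameter's documented default is "none"), `ret` keeps the ISC_R_SUCCESS from `b9_find_zone_dn()` and any client may transfer the zone, which is the opposite of the documented "no transfer will be authorized" and is what the block comment's first line ("default is to accept all transfers") describes rather than the intended policy. Moving `ret = ISC_R_NOPERM ;` to just before `if (authorized_clients) {` makes an unset or empty list deny, so the result can only become ISC_R_SUCCESS through an explicit match, and the comment can then be reduced to `/* only clients listed in "dns zone transfer clients" may transfer; anything else is refused */`. A refused request is also the one event operators want recorded, yet nothing is logged when the loop ends without a match; a `state->log(ISC_LOG_WARNING, "samba_dlz: refusing zone transfer of %s to %s", name, client);` after the loop, with the per-entry "comparing to" line demoted to `ISC_LOG_DEBUG(1)`, would give the source address of rejected transfer attempts without flooding the log at INFO. Note too that the match is an exact `strcmp` on the textual address, so entries must be spelled exactly as BIND renders the client (no prefix/netmask notation, and IPv6 literals must match character for character) — worth stating in the parameter's description — and the now-stale `/* just say yes for all our zones for now */` comment above the new code should be dropped with this change.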
|