
DNS updates allow/deny for SAMBA_INTERNAL dns server.

Please review for merge, and tell me what the shortcomings are.

Mechanism for DNS update host/rrnet allow/deny lists. Three functions dns_update_check_access(), dns_update_get_caddr() (gets subject address for check from A, AAAA, and PTR records), and dns_update_ipaddr_check_access() are backended by allow_access_flag_lo() from lib/util/access.c using the already existing host allow/deny access mechanism.

The motivation for this is to control what DNS dynamic updates get added to the SAMBA_INTERNAL DNS in SOHO setups. Without this, MS Windows by default adds all IP addresses on the PC, including IPv6 dynamic addresses from your ISP IPv6 delegated prefix, in its dynamic DNS updates to the AD DNS. This happens even when you have set up an fd00::/16 ULA prefix or RFC 1918 IPv4 addressing on your network.

The dns update rrnet allow/deny lists can be used to filter this, in combination with an interfaces = lo fd14:beee:baaa::DEAD::BEEF/64 statement. Forward and reverse DNS zones are supported.

Access by IP number for all dns update packets is controlled by the 'dns updates allow/deny' parameters.

This gives the SAMBA_INTERNAL dns server the ability to deal with networking on small SOHO and SMB networks, as well as access list control of where dynamic DNS updates are received from. This opens up being able to install an AD server in a SOHO/SMB small network with reasonable control of dynamic DNS updates, and obviates installing a 'complex/heavy' Samba/Bind9 DLZ setup with a DHCP server update script for just this reason.
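To illustrate the per-record check the description above outlines (subject address taken from A, AAAA and PTR records, then matched against rrnet allow/deny networks), here is an added Python sketch; it is not the MR's code, and the hosts allow/deny precedence it applies (an allow match wins, then a deny match rejects) as well as every name, address and record in it are assumptions constructed for the example.

```python
import ipaddress
# Constructed policy: accept only RFC 1918 and the site ULA /48, never an ISP-delegated prefix.
RRNET_ALLOW = ["192.168.0.0/16", "fd14:beee:baaa::/48"]
RRNET_DENY = ["0.0.0.0/0", "::/0"]

def ptr_name_to_address(name):
    """Recover the address encoded by an in-addr.arpa / ip6.arpa owner name."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[:-len(".in-addr.arpa")].split(".")
        return ipaddress.ip_address(".".join(reversed(octets)))  # raises on a partial name
    if name.endswith(".ip6.arpa"):
        nibbles = name[:-len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError("incomplete ip6.arpa name: " + name)
        hexstr = "".join(reversed(nibbles))  # nibbles are least-significant first
        return ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    raise ValueError("not a reverse-zone name: " + name)

def update_subject_address(rr):
    """Subject address of one update RR (rtype, owner, rdata); None for other types."""
    rtype, owner, rdata = rr
    if rtype in ("A", "AAAA"):
        return ipaddress.ip_address(rdata)
    return ptr_name_to_address(owner) if rtype == "PTR" else None

def rrnet_allowed(addr, allow, deny):
    """Assumed hosts allow/deny precedence: an allow match wins, then a deny match rejects."""
    addr = ipaddress.ip_address(addr)  # 'in' is False across address families
    in_allow = any(addr in ipaddress.ip_network(n) for n in allow)
    in_deny = any(addr in ipaddress.ip_network(n) for n in deny)
    if allow and not deny:
        return in_allow
    return in_allow or not in_deny  # also covers the no-lists (allow all) case

def filter_updates(updates, allow=RRNET_ALLOW, deny=RRNET_DENY):
    # Split update RRs into (accepted, rejected) by their subject address.
    accepted, rejected = [], []
    for rr in updates:
        addr = update_subject_address(rr)
        (accepted if addr is None or rrnet_allowed(str(addr), allow, deny) else rejected).append(rr)
    return accepted, rejected

SAMPLE_UPDATES = [  # constructed: what a dual-stack Windows PC registers for pc1
    ("A", "pc1.ad.example.", "192.168.1.20"),
    ("AAAA", "pc1.ad.example.", "fd14:beee:baaa::1"),
    ("AAAA", "pc1.ad.example.", "2001:db8:abcd:1::1"),  # ISP-delegated prefix: rejected
    ("PTR", "20.1.168.192.in-addr.arpa.", "pc1.ad.example."),
    ("PTR", "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.d.c.b.a.8.b.d.0.1.0.0.2.ip6.arpa.", "pc1.ad.example."),
]
```

Running `filter_updates(SAMPLE_UPDATES)` keeps the RFC 1918 and ULA records (forward and reverse) and rejects both records that carry the global 2001:db8 address.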

Checklist

  • [*] Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • [*] Test suite updated with functionality tests
  • [*] Test suite updated with negative tests
  • [*] Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Matthew Grant
