Securing Samba4 AD DC DNS AXFR

I recently ran into some issues limiting DNS AXFR using the Turnkey Linux Domain Controller appliance. The Turnkey Linux image (version 16.9 at the time of writing) ships with Debian 10 Buster as the base image and includes Samba 4.9. Samba versions 4.4 – 4.15 offer two DNS back ends: the internal DNS server, which does not support AXFR at all, and Bind9-DLZ, which has no way to disable or limit AXFR.

Our use case requires DNS AXFR to be limited to just two upstream DNS servers. Given this limitation I had to use Bind9-DLZ, but then had no way to limit AXFR requests. Shortly after giving up and replacing our TKL Samba4 BDC with an Ubuntu BDC, which has packages for Samba 4.15, I found a workaround: DNSDIST, and a blog post describing how to use it to limit Samba4 Bind-DLZ AXFR requests.

DNSDIST is a DNS proxy package with options to limit AXFR and other request types. The blog post above did not work for me as written and needed a little tweaking. Below is the config I found works as of 3/2022 with Turnkey Linux DC v16.9:

First, install DNSDIST and open its configuration file:

sudo apt install dnsdist
sudo vi /etc/dnsdist/dnsdist.conf

Contents of /etc/dnsdist/dnsdist.conf:

-- dnsdist configuration file

-- disable security status polling via DNS
setSecurityPollSuffix("")

-- listen address (dnsdist takes over port 53 on the DC's address)
addLocal('10.10.1.2:53')

-- allow queries from these networks; anything else is dropped before any
-- addAction() rule below is evaluated, so every trusted transfer peer must
-- also be covered here (the 10.11.1.0/30 entry is added for that reason)
setACL({'10.10.0.0/16', '10.11.1.0/30'})

-- backend server: Bind9-DLZ must be moved to listen on 127.0.0.1 port 54
-- so that dnsdist can own port 53
newServer("127.0.0.1:54")

-- drop AXFR and IXFR queries unless they come from a trusted server;
-- ordinary queries (A, SOA, SRV, ...) are forwarded untouched
trusted_servers = newNMG()
trusted_servers:addMask("10.10.1.1")
trusted_servers:addMask("10.11.1.0/30")
addAction(
  AndRule({
    NotRule(NetmaskGroupRule(trusted_servers)),
    -- newer dnsdist releases spell these DNSQType.AXFR / DNSQType.IXFR
    OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)})
  }),
  DropAction()
)

Next, verify the DNSDIST config:

dnsdist --check-config

If it comes back OK, restart Bind and DNSDIST and verify that AXFR requests are limited as expected: a zone transfer requested from a trusted server should succeed, while one from any other address should fail, and normal lookups from the allowed networks should still be answered.
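To reason about what the rule above does before putting it in front of a live DC, here is an added, offline model of the policy (example code, not part of the original post or of dnsdist). It builds constructed DNS queries in wire format, reads the QTYPE the way a proxy would, and applies the ACL and the AXFR/IXFR rule in the same order dnsdist does; the addresses are the ones from the config, assuming the trusted 10.11.1.0/30 is also included in the ACL.

```python
"""Offline model of the dnsdist AXFR/IXFR policy shown above (added example)."""
import ipaddress
import struct

QTYPE = {"A": 1, "SOA": 6, "IXFR": 251, "AXFR": 252}

# Mirrors setACL() and the trusted_servers netmask group from the config.
ACL = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.11.1.0/30")]
TRUSTED = [ipaddress.ip_network("10.10.1.1/32"), ipaddress.ip_network("10.11.1.0/30")]


def build_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (12-byte header + one question) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def question_qtype(packet: bytes) -> int:
    """Return the QTYPE of the first question by walking the name labels."""
    pos = 12                           # skip the fixed header
    while packet[pos] != 0:            # each label: length byte + bytes
        pos += 1 + packet[pos]
    return struct.unpack("!H", packet[pos + 1:pos + 3])[0]


def in_group(src: str, group) -> bool:
    """True if the source address falls inside any netmask of the group."""
    return any(ipaddress.ip_address(src) in net for net in group)


def decide(src: str, packet: bytes) -> str:
    """What dnsdist does with this query: 'acl-drop', 'drop' or 'pass'."""
    if not in_group(src, ACL):         # setACL() runs before any addAction() rule
        return "acl-drop"
    qtype = question_qtype(packet)
    transfer = qtype in (QTYPE["AXFR"], QTYPE["IXFR"])  # OrRule(QTypeRule ...)
    if transfer and not in_group(src, TRUSTED):         # AndRule(NotRule(trusted), ...)
        return "drop"                                    # DropAction()
    return "pass"                                        # forwarded to 127.0.0.1:54


if __name__ == "__main__":
    # Constructed sample clients: a LAN host, the trusted peers, and an outsider.
    for src, qt in [("10.10.5.5", "SOA"), ("10.10.5.5", "AXFR"), ("10.10.1.1", "AXFR"),
                    ("10.11.1.2", "IXFR"), ("192.0.2.10", "A")]:
        print(f"{src:>12} {qt:<5} -> {decide(src, build_query('example.com', qt))}")
```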