New Patch: dns forwarder resolve only #134

Jean28518 · Aug 1, 2024 · 919d537 · 919d537
1 parent b6cb1a7
commit 919d537
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/src/lac/unix/unix_scripts/general/patches/2024-08-01_dns_forwarder_only.sh b/src/lac/unix/unix_scripts/general/patches/2024-08-01_dns_forwarder_only.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Get the current file name
+FILE_NAME=$(basename $0)
+# Get the date of the filename which is like this: 2024-06-25
+DATE=${FILE_NAME:0:10}
+# Check if the file is older than 365 days
+if [ $(( ($(date +%s) - $(date -d $DATE +%s)) / 86400 )) -gt 365 ]; then
+  echo "Patch is older than 365 days. Exiting patch."
+  exit 0
+fi
+
+# Check if we need to apply the patch
+# Check if "dns forwarder resolve only" is set in /etc/samba/smb.conf. If yes, then we need to exit the patch
+if grep -q "dns forwarder resolve only" /etc/samba/smb.conf; then
+  echo "dns forwarder resolve only is already set. Exiting patch."
+  exit 0
+fi
+
+# Set "dns forwarder resolve only" in /etc/samba/smb.conf
+echo "" >> /etc/samba/smb.conf
+echo "# Only resolve DNS requests via the forwarder" >> /etc/samba/smb.conf
+echo "dns forwarder resolve only = yes" >> /etc/samba/smb.conf
diff --git a/src/lac/unix/unix_scripts/general/setup_samba_dc.sh b/src/lac/unix/unix_scripts/general/setup_samba_dc.sh
@@ -99,6 +99,11 @@ echo "tls keyfile  = /etc/samba/tls/myKey.pem" >> /etc/samba/smb.conf
 echo "tls certfile = /etc/samba/tls/myCert.pem" >> /etc/samba/smb.conf
 echo "tls cafile   =" >> /etc/samba/smb.conf
 
+# Because of <https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-DNS-Resolver/Offene-DNS-Resolver.html>
+echo "" >> /etc/samba/smb.conf
+echo "# Only resolve DNS requests via the forwarder" >> /etc/samba/smb.conf
+echo "dns forwarder resolve only = yes" >> /etc/samba/smb.conf
+
 # Restart samba
 systemctl restart samba-ad-dc
 

diff --git a/src/lac/unix/unix_scripts/service.py b/src/lac/unix/unix_scripts/service.py
@@ -131,7 +131,7 @@ def ensure_fingerprint_is_trusted():
         possible_modules = os.listdir("/usr/share/linux-arbeitsplatz/unix/unix_scripts/")
         # Filter all folders which don't have a path like /root/[folder]
         # (Because we only want to run patches for installed modules or addons)
-        possible_modules = [folder for folder in possible_modules if os.path.isdir(f"/root/{folder}") or folder == "nextcloud"]
+        possible_modules = [folder for folder in possible_modules if os.path.isdir(f"/root/{folder}") or folder == "nextcloud" or folder == "general"]
         # Make the paths absolute
         for i in range(len(possible_modules)):
             possible_modules[i] = f"/usr/share/linux-arbeitsplatz/unix/unix_scripts/{possible_modules[i]}"