UCS: 5.0.6
Bind9: BIND 9.11.5-P4-5.1+deb10u9A~5.0.4.202307241136-Univention (Extended Support Version) id:998753c
I’m encountering a bit of a challenge with my UCS configuration and could use some guidance. My objective is to implement a configuration that restricts all traffic except that originating from the subnet 192.168.4.0/28. To achieve this, I utilized the command `ucr set dns/allow/query="192.168.4.0/28"` and then `ucr commit /etc/bind/named.conf.samba4`. However, it seems that despite applying this configuration, traffic from hosts within the subnet, such as 192.168.4.89, is still being allowed to make queries.
Here’s an example:
```
nslookup serverx.company.corp 192.168.4.13
Server:    192.168.4.13
Address 1: 192.168.4.13 ucs.company.corp

Name:      serverx.company.corp
Address 1: 192.168.4.14 serverx.company.corp
```
As you can see, even though the originating IP is within the specified subnet, the query is still permitted. I have tried to modify the bind9 config files /etc/bind/named.conf and /etc/univention/templates/files/etc/bind/named.conf as follows and restarted BIND:

This is my /etc/bind/named.conf:
```
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warning: This file was generated automatically and may be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
#
# /etc/univention/templates/files/etc/bind/named.conf
#
controls {
    inet 127.0.0.1
    port 55555
    allow { 127.0.0.1; };
};

options {
    recursion no;
    directory "/var/cache/bind";
    allow-query { 192.168.4.0/28; };
    also-notify {
        127.0.0.1;
    };
    listen-on { any; };
    listen-on-v6 { any; };
};

logging {
    category default { default_syslog; };
    channel default_syslog {
        syslog daemon;     # send to syslog's daemon facility
        severity dynamic;  # log at the server's current debug level
    };
};

include "/etc/bind/univention.conf";
include "/etc/bind/local.conf";
```
and this is my /etc/univention/templates/files/etc/bind/named.conf:

```
@%@UCRWARNING=# @%@
controls {
    inet 127.0.0.1
    port 55555
    allow { 127.0.0.1; };
};

options {
    recursion no;
    directory "/var/cache/bind";
    allow-query { 192.168.4.0/28; };
    also-notify {
        127.0.0.1;
    };
    listen-on { any; };
@!@
# UCR template code: emit listen-on-v6 depending on the dns/ipv6 setting
val = 'none'
if configRegistry.is_true('dns/ipv6', True):
    val = 'any'
print('\tlisten-on-v6 { %s; };' % val)
@!@};

logging {
    category default { default_syslog; };
    channel default_syslog {
        syslog daemon;     # send to syslog's daemon facility
        severity dynamic;  # log at the server's current debug level
    };
};

include "/etc/bind/univention.conf";
include "/etc/bind/local.conf";
```
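To check which client addresses a given allow-query list admits under BIND's first-match ACL rules, here is a small evaluator added as an example (it is not part of the post, of UCS or of BIND): it parses a flat address_match_list like the one above and evaluates sample client addresses against it. It assumes only CIDR entries and the built-in names any/none/localhost/localnets appear, with localnets treated as no match since the server's interfaces are unknown.

```python
import ipaddress

# Constructed sample: the allow-query list from the post (covers .0 to .15).
ALLOW_QUERY = "{ 192.168.4.0/28; }"
SPECIAL = ("any", "none", "localhost", "localnets")

def parse_address_match_list(text):
    """Parse a flat BIND address_match_list such as '{ !10.0.0.0/8; any; }'
    into ordered (negated, element) tuples. Assumption: only CIDR and the
    built-in names above appear (no nested lists or named ACLs)."""
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    elements = []
    for raw in body.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in SPECIAL:
            elements.append((negated, item))
        else:
            elements.append((negated, ipaddress.ip_network(item, strict=False)))
    return elements

def is_allowed(client_ip, acl):
    """BIND semantics: the first matching element decides; a negated match
    denies, and a client that matches no element is denied."""
    ip = ipaddress.ip_address(client_ip)
    for negated, element in acl:
        if element == "any":
            matched = True
        elif element == "localhost":
            matched = ip.is_loopback
        elif element in ("none", "localnets"):
            # 'none' matches nothing; 'localnets' depends on the server's
            # interfaces, unknown here, so it is treated as no match.
            matched = False
        else:
            matched = ip in element  # False for an IPv4/IPv6 version mismatch
        if matched:
            return not negated
    return False

def check_clients(acl_text, clients):
    """Map each client address to whether the ACL would admit its query."""
    acl = parse_address_match_list(acl_text)
    return {c: is_allowed(c, acl) for c in clients}
```

Running `check_clients(ALLOW_QUERY, ["192.168.4.13", "192.168.4.89"])` shows which of the two addresses from the post fall inside the /28.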