Vulnerability Fixes with Samba4, Bind & SSL

Our vulnerability scanner has found the vulnerabilities below in Univention version 4.4.1. I have tried to fix them with the available options, but none of them are working. Please have a look and let me know if you can suggest any fixes for these issues.

#### 1. DNS Server Zone Transfer Information Disclosure (AXFR)

What is the solution for this if samba4 is used for dns/backend? I have modified the UCR variable dns/allow/transfer, but it's not working.

#### 2. DNS Server Cache Snooping Remote Information Disclosure

How to fix recursive queries with Bind/Samba4 DNS?

#### 3. Microsoft Windows SMB NULL Session Authentication

Modified the UCR values to the ones below, but the vulnerability is still there:

```
samba/map_to_guest = Never
samba/usershare/allow_guests = no
samba/guest_ok = no
```

#### 4. SSL Certificate Cannot Be Trusted & Self Signed

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=IN/ST=IN/L=IN/O=IN/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=…0eljw…)/E=ssl@tmz.com

Hi

What steps can we take for better security with UCS 4.4.1?

The 4th and last element should be simple: Import the UCS CA certificate into your vulnerability scanner or the OS you run the scanner on. (This depends on the software and OS.) A root CA is always self-signed, otherwise it would be an intermediate CA or a Server/Client certificate.
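The trust relationship described in this answer, as an added example that is not part of the original post: a host certificate fails verification until its issuing root CA is added to the verifier's trust store, and the root itself is self-signed by definition. The PKI is constructed on the fly with the `openssl` CLI; the names `Example Root CA`, `Other Root CA` and `host.example.test` and the helper functions are assumptions for illustration, not UCS values.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: "Example Root CA" stands in for the UCS root CA,
# "Other Root CA" for whatever the scanner already trusts. All names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_root() {  # $1 = file prefix, $2 = common name; writes a self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Example/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_demo_pki() {
  new_root ca "Example Root CA"
  new_root other "Other Root CA"
  # Host certificate issued by Example Root CA.
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=host.example.test" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/host.csr" -days 30 -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/host.pem" 2>/dev/null
}

is_self_signed() {  # true when issuer == subject, as for every root CA
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ]
}

verify_with() {  # $1 = trust store (PEM bundle), $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_demo_pki
cp "$WORK/other.pem" "$WORK/trust.pem"          # scanner's store before import
is_self_signed "$WORK/ca.pem" && echo "root CA: self-signed, as every root is"
verify_with "$WORK/trust.pem" "$WORK/host.pem" || echo "before import: not trusted"
cat "$WORK/ca.pem" >> "$WORK/trust.pem"         # import the root CA
verify_with "$WORK/trust.pem" "$WORK/host.pem" && echo "after import: trusted"
```

Only the CA certificate goes into the trust store; the CA private key never leaves the system that issues certificates.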
