DNS lookups no longer work – admin prohibited

I have run into a strange problem: my server now refuses to do DNS lookups (using BIND). I use a CentOS box as an OpenVPN gateway that provides DNS service to the clients. For a month everything worked as expected; today the DNS service no longer works. No configuration was changed...

Here is the named.conf file:

    options {
        # Hide bind version
        version "Not shown";

        # Listen only on localhost and VPN gateway IPv4
        listen-on port 53 { 127.0.0.1; 10.44.3.1; };
        listen-on-v6 port 53 { ::1; };

        # Forward requests to Google public DNS
        forwarders { 8.8.8.8; 8.8.4.4; };

        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; crypto; };
        allow-recursion { localhost; crypto; };

        recursion yes;

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
    };

    acl crypto {
        10.44.3.0/29; // SSL VPN
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

Note the ACL: the server must serve only clients in the 10.44.3.0/29 subnet (the 10.44.3.1–10.44.3.6 IP range, .1 being the gateway). Now, when I have a client establish the VPN tunnel and then monitor DNS resolution, I can tell it is being refused with an ICMP error message:

    [root@vps50300 ~]# tcpdump -i tun0 host 10.44.3.6
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
    10:10:16.735977 IP 10.44.3.6.61219 > 10.44.3.1.domain: 1+ PTR? 1.3.44.10.in-addr.arpa. (40)
    10:10:16.736038 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 76
    10:10:18.736269 IP 10.44.3.6.61220 > 10.44.3.1.domain: 2+ A? www.google.com. (32)
    10:10:18.736330 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
    10:10:20.737701 IP 10.44.3.6.61221 > 10.44.3.1.domain: 3+ AAAA? www.google.com. (32)
    10:10:20.737758 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
    10:10:22.738068 IP 10.44.3.6.61222 > 10.44.3.1.domain: 4+ A? www.google.com. (32)
    10:10:22.738154 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
    10:10:24.737910 IP 10.44.3.6.61223 > 10.44.3.1.domain: 5+ AAAA? www.google.com. (32)
    10:10:24.737965 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68

Last but not least, I believe my iptables rules look correct (all traffic from 10.44.3.0/29 is accepted and forwarded):

    [root@vps50300 ~]# iptables -L -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    1897K  320M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
     229K   14M ACCEPT     icmp --  any    any     anywhere             anywhere
    10957  820K ACCEPT     all  --  lo     any     anywhere             anywhere
     7128  421K ACCEPT     tcp  --  venet0 any     anywhere             anywhere             tcp dpt:http state NEW
     7166  425K ACCEPT     tcp  --  venet0 any     anywhere             anywhere             tcp dpt:https state NEW
    14457  819K ACCEPT     tcp  --  venet0 any     anywhere             anywhere             tcp dpt:ssh state NEW
       59  2636 ACCEPT     tcp  --  venet0 any     anywhere             anywhere             tcp dpt:ftp state NEW
        0     0 ACCEPT     tcp  --  venet0 any     anywhere             anywhere             tcp dpt:45632 state NEW
        0     0 ACCEPT     tcp  --  venet0 any     anywhere             anywhere             tcp dpt:45633 state NEW
       16  1120 ACCEPT     udp  --  venet0 any     anywhere             anywhere             udp dpt:openvpn state NEW
    47288 3095K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    4062K 3220M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    43961 2562K ACCEPT     all  --  any    any     10.44.3.0/29         anywhere
        0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 3107K packets, 3306M bytes)
     pkts bytes target     prot opt in     out     source               destination

However, since I am receiving ICMP admin-prohibited messages, I seem to still be hitting a rule.

I don't know how to fix this; any suggestions would be appreciated.

There is no rule allowing DNS traffic to your host (packets are only processed by the FORWARD chain when neither the source nor the destination is the local host; if the DNS service runs on the server these rules come from, you have to look at the INPUT chain).

Try adding:

    iptables -i tun0 -I INPUT 8 -p udp --dport 53 -j ACCEPT
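To make the INPUT-versus-FORWARD point above checkable, here is an added example (not part of the question or the answer) that walks the INPUT chain of an `iptables -L -v` listing the way the kernel would for one new DNS query: first matching rule wins, and a catch-all `REJECT ... reject-with icmp-host-prohibited` is exactly what produces the "admin prohibited" ICMP seen in the tcpdump. The two rulesets are constructed, abridged copies of the poster's output, before and after the suggested rule; the only assumptions are the default `-L -v` column layout (`pkts bytes target prot opt in out source destination`, then match details) and that port names are resolved, so port 53 shows up as `dpt:domain`.

```shell
#!/bin/sh
# Added example: decide what the INPUT chain does with a new DNS query that
# arrives on a given interface, given the text of `iptables -L -v`.
# Prints "accept", "reject" (catch-all REJECT hit) or "policy" (fell through).

# Constructed sample: abridged INPUT chain from the poster's listing, as it was
# when lookups were failing. A FORWARD chain is included to show it is skipped.
RULESET_BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1897K  320M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 229K   14M ACCEPT     icmp --  any    any     anywhere             anywhere
10957  820K ACCEPT     all  --  lo     any     anywhere             anywhere
14457  819K ACCEPT     tcp  --  venet0 any     anywhere             anywhere             tcp dpt:ssh state NEW
   16  1120 ACCEPT     udp  --  venet0 any     anywhere             anywhere             udp dpt:openvpn state NEW
47288 3095K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
43961 2562K ACCEPT     all  --  any    any     10.44.3.0/29         anywhere
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited'

# Constructed sample: the same chain after
#   iptables -i tun0 -I INPUT 8 -p udp --dport 53 -j ACCEPT
# which lands just before the catch-all REJECT.
RULESET_AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1897K  320M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 229K   14M ACCEPT     icmp --  any    any     anywhere             anywhere
10957  820K ACCEPT     all  --  lo     any     anywhere             anywhere
14457  819K ACCEPT     tcp  --  venet0 any     anywhere             anywhere             tcp dpt:ssh state NEW
   16  1120 ACCEPT     udp  --  venet0 any     anywhere             anywhere             udp dpt:openvpn state NEW
    0     0 ACCEPT     udp  --  tun0   any     anywhere             anywhere             udp dpt:domain
47288 3095K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
43961 2562K ACCEPT     all  --  any    any     10.44.3.0/29         anywhere'

# dns_input_verdict RULESET PROTO IFACE
#   RULESET: text of `iptables -L -v`;  PROTO: udp or tcp;  IFACE: input interface
dns_input_verdict() {
    printf '%s\n' "$1" | awk -v proto="$2" -v iface="$3" '
        /^Chain /                    { in_input = ($2 == "INPUT"); next }
        !in_input || $3 == "target"  { next }   # other chains, column header
        # Columns: 1 pkts, 2 bytes, 3 target, 4 prot, 5 opt, 6 in, 7 out,
        #          8 source, 9 destination, 10+ match details / target options.
        # A rule is a candidate only if protocol and input interface agree.
        ($4 == "all" || $4 == proto) && ($6 == "any" || $6 == iface) {
            # ACCEPT with no match details, or one that names port 53.
            # (A stateful RELATED,ESTABLISHED rule never matches a *new* query.)
            if ($3 == "ACCEPT" && (NF == 9 || $0 ~ /dpt:(domain|53)([ \t]|$)/)) {
                verdict = "accept"; exit
            }
            # Catch-all REJECT: any source, any destination, no extra match.
            if ($3 == "REJECT" && $8 == "anywhere" && $9 == "anywhere" && $10 == "reject-with") {
                verdict = "reject"; exit
            }
        }
        END { print (verdict == "" ? "policy" : verdict) }
    '
}

# Usage: compare the poster's situation with the answer's fix applied.
printf 'before fix, udp/53 in on tun0: %s\n' "$(dns_input_verdict "$RULESET_BEFORE" udp tun0)"
printf 'before fix, udp/53 in on lo:   %s\n' "$(dns_input_verdict "$RULESET_BEFORE" udp lo)"
printf 'after fix,  udp/53 in on tun0: %s\n' "$(dns_input_verdict "$RULESET_AFTER" udp tun0)"
printf 'after fix,  tcp/53 in on tun0: %s\n' "$(dns_input_verdict "$RULESET_AFTER" tcp tun0)"
```

Running it shows why queries from the VPN client were answered with ICMP host-prohibited while lookups on the box itself kept working: on `tun0` nothing matches before the catch-all REJECT, whereas the `lo` rule accepts everything from localhost. It also shows that the answer's rule only covers UDP; the same check with `tcp` still returns `reject`, so queries that fall back to TCP/53 (large or truncated answers) would still be refused unless a matching `-p tcp --dport 53` rule is added as well.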