Allowing DNS queries to BIND in iptables

I have a DNS server up and running with a single DNS zone configured for example.com. Running the following command on the server returns the configured zone records:

    # dig example.com @ns1.example.com

    ;; QUESTION SECTION:
    ;example.com.                   IN      A

    ;; ANSWER SECTION:
    example.com.            10800   IN      A       10.0.0.1

    ;; AUTHORITY SECTION:
    example.com.            10800   IN      NS      ns2.example.com.
    example.com.            10800   IN      NS      ns1.example.com.

    ;; ADDITIONAL SECTION:
    ns1.example.com.        10800   IN      A       10.0.0.1
    ns2.example.com.        10800   IN      A       10.0.0.1

My /etc/hosts file:

    127.0.0.1 example.com www.example.com
    127.0.0.1 ns1.example.com ns2..example.com

When I try to query the DNS server from another server:

    $ dig example.com @10.0.0.1

    ;; connection timed out; no servers could be reached

(The server's real public IP address has been replaced with 10.0.0.1 here.) I believe the problem is most likely caused by iptables filtering, because the DNS service does answer local queries. Here are my iptables rules:

    Chain INPUT (policy DROP 14 packets, 1498 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      259  157K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2      325 26717 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    3     287K  149M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4    14721  872K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    5      165  7988 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy DROP 48 packets, 2949 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      259  157K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    2     292K   46M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
    3    16605 1195K ACCEPT     udp  --  *      *       0.0.0.0/0            8.8.8.8              udp dpt:53
    4      130  9822 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    5      430 18880 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    6      342  148K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED

I tried to allow incoming/outgoing connections on port 53 for TCP and UDP with the following rules, but unfortunately the DNS service is still not reachable from the Internet:

    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -m conntrack --cstate NEW -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT

Here is a tcpdump:

    [root@localhost ~]# tcpdump port 53 and host {my_ip}
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:03:43.011650 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679618 ecr 0,nop,wscale 6], length 0
    08:03:44.006447 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679718 ecr 0,nop,wscale 6], length 0
    08:03:46.006615 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679918 ecr 0,nop,wscale 6], length 0
    08:03:50.016643 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396680319 ecr 0,nop,wscale 6], length 0
    08:03:58.026589 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396681120 ecr 0,nop,wscale 6], length 0
    08:04:14.066598 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396682724 ecr 0,nop,wscale 6], length 0
    08:04:46.186714 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396685936 ecr 0,nop,wscale 6], length 0
    7 packets captured
    7 packets received by filter
    0 packets dropped by kernel

Any hints would be appreciated :)

I think I've got your problem: the iptables rules in the OUTPUT chain are blocking UDP port 53 traffic from the interface that has the 10.0.0.1 IP assigned.

Please use the following command.

    iptables -A OUTPUT -p udp -m udp --sport 53 -j ACCEPT

First update

Please check whether BIND is listening on all interfaces, i.e. that named.conf has listen-on { any; };
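The INPUT and OUTPUT chains from the question, modelled as first-match rule lists so that one DNS exchange can be traced rule by rule against the DROP policies. This is an added example, not code from the question or the answer and not iptables itself: connection tracking is approximated by remembering flows that already had a packet accepted, so a reply to an accepted query counts as ESTABLISHED, and the client address 203.0.113.7 and source port 40000 are made up. It evaluates the ruleset as posted, the ruleset with the UDP-only rules from the question and the answer added, and a variant that also opens TCP 53 inbound and accepts ESTABLISHED replies outbound; the loopback case shows why the local dig in the question works.

```python
"""Model of iptables first-match evaluation for the chains in the question.

Added illustration, not iptables itself.  Rules are checked top to bottom,
the first match decides, and the chain policy applies when nothing matches.
Conntrack is approximated by remembering flows that had a packet accepted.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    iface: str = "eth0"   # "lo" for loopback traffic


@dataclass
class Rule:
    target: str
    proto: str = "all"
    iface: Optional[str] = None       # -i on INPUT, -o on OUTPUT
    dst: Optional[str] = None         # -d
    sport: Optional[int] = None       # --sport
    dport: Optional[int] = None       # --dport
    state: frozenset = frozenset()    # -m state --state ... (empty = any state)

    def matches(self, p: Packet, state: str) -> bool:
        return (self.proto in ("all", p.proto)
                and (self.iface is None or self.iface == p.iface)
                and (self.dst is None or self.dst == p.dst_ip)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (not self.state or state in self.state))


ESTABLISHED = frozenset({"RELATED", "ESTABLISHED"})


class Firewall:
    def __init__(self, chains: dict, policy: dict):
        self.chains, self.policy = chains, policy
        self.conntrack: set = set()   # flows with at least one accepted packet

    @staticmethod
    def flow(p: Packet):
        # Direction-agnostic key: a query and its reply map to the same entry.
        return (p.proto, frozenset({(p.src_ip, p.sport), (p.dst_ip, p.dport)}))

    def evaluate(self, chain: str, p: Packet) -> str:
        state = "ESTABLISHED" if self.flow(p) in self.conntrack else "NEW"
        verdict = self.policy[chain]
        for rule in self.chains[chain]:
            if rule.matches(p, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT":
            self.conntrack.add(self.flow(p))   # dropped packets never get an entry
        return verdict


def posted_firewall() -> Firewall:
    """The INPUT/OUTPUT chains as listed in the question (FORWARD is unused here)."""
    inp = [Rule("ACCEPT", iface="lo"), Rule("ACCEPT", "icmp"),
           Rule("ACCEPT", state=ESTABLISHED),
           Rule("ACCEPT", "tcp", dport=22), Rule("ACCEPT", "tcp", dport=80)]
    out = [Rule("ACCEPT", iface="lo"), Rule("ACCEPT", "tcp", sport=22),
           Rule("ACCEPT", "udp", dst="8.8.8.8", dport=53), Rule("ACCEPT", "icmp"),
           Rule("ACCEPT", "tcp", dport=443),
           Rule("ACCEPT", "tcp", sport=80, state=frozenset({"ESTABLISHED"}))]
    return Firewall({"INPUT": inp, "OUTPUT": out}, {"INPUT": "DROP", "OUTPUT": "DROP"})


def with_udp_only_fix() -> Firewall:
    """Question's INPUT --dport 53 rule plus the answer's OUTPUT --sport 53 rule, both UDP."""
    fw = posted_firewall()
    fw.chains["INPUT"].append(Rule("ACCEPT", "udp", dport=53))
    fw.chains["OUTPUT"].append(Rule("ACCEPT", "udp", sport=53))
    return fw


def with_full_fix() -> Firewall:
    """Accept DNS on both transports inbound and let replies out statefully."""
    fw = posted_firewall()
    fw.chains["INPUT"] += [Rule("ACCEPT", "udp", dport=53), Rule("ACCEPT", "tcp", dport=53)]
    fw.chains["OUTPUT"].append(Rule("ACCEPT", state=ESTABLISHED))
    return fw


def dns_exchange(fw: Firewall, proto: str, client="203.0.113.7", server="10.0.0.1", iface="eth0"):
    """Verdicts for one query (INPUT) and its reply (OUTPUT); no reply exists if the query was dropped."""
    query = Packet(proto, client, server, 40000, 53, iface)   # constructed sample packet
    reply = Packet(proto, server, client, 53, 40000, iface)
    q = fw.evaluate("INPUT", query)
    r = fw.evaluate("OUTPUT", reply) if q == "ACCEPT" else "not sent"
    return q, r


if __name__ == "__main__":
    for name, build in [("posted", posted_firewall), ("udp-only fix", with_udp_only_fix),
                        ("full fix", with_full_fix)]:
        fw = build()
        print(f"{name:13} local/lo udp: {dns_exchange(fw, 'udp', '127.0.0.1', '127.0.0.1', 'lo')}")
        for proto in ("udp", "tcp"):
            print(f"{name:13} remote {proto}:   {dns_exchange(fw, proto)}")
```

Tracing the posted chains this way shows that the loopback rules are what let the local dig succeed, that a remote query is dropped by the INPUT policy before any reply exists, and that after the UDP-only rules a TCP connection to port 53 (what the SYN retransmits in the tcpdump are) is still dropped on INPUT; the stateful OUTPUT rule covers replies on both transports without a per-port rule.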