I've run into a strange problem: my server now refuses to perform DNS lookups (using bind). I use a CentOS box as an OpenVPN gateway and provide DNS service to the clients. Everything worked fine as expected for a month, and today the DNS service no longer works. The configuration has not changed...
Here is the named.conf file:
options {
    # Hide bind version
    version "Not shown";
    # Listen only on localhost and VPN gateway IPv4
    listen-on port 53 { 127.0.0.1; 10.44.3.1; };
    listen-on-v6 port 53 { ::1; };
    # Forward requests to Google public DNS
    forwarders { 8.8.8.8; 8.8.4.4; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; crypto; };
    allow-recursion { localhost; crypto; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
acl crypto {
    10.44.3.0/29; // SSL VPN
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note the ACL: the server must only serve clients from the 10.44.3.0/29 subnet (IP range 10.44.3.1-10.44.3.6, with .1 being the gateway). Now, when I have a client establish the VPN tunnel and then monitor DNS resolution, I can tell from the ICMP error messages that it is being rejected:
[root@vps50300 ~]# tcpdump -i tun0 host 10.44.3.6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
10:10:16.735977 IP 10.44.3.6.61219 > 10.44.3.1.domain: 1+ PTR? 1.3.44.10.in-addr.arpa. (40)
10:10:16.736038 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 76
10:10:18.736269 IP 10.44.3.6.61220 > 10.44.3.1.domain: 2+ A? www.google.com. (32)
10:10:18.736330 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:20.737701 IP 10.44.3.6.61221 > 10.44.3.1.domain: 3+ AAAA? www.google.com. (32)
10:10:20.737758 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:22.738068 IP 10.44.3.6.61222 > 10.44.3.1.domain: 4+ A? www.google.com. (32)
10:10:22.738154 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:24.737910 IP 10.44.3.6.61223 > 10.44.3.1.domain: 5+ AAAA? www.google.com. (32)
10:10:24.737965 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
Last but not least, I believe my iptables look correct (all traffic from 10.44.3.0/29 is accepted and forwarded):
[root@vps50300 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1897K 320M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
229K 14M ACCEPT icmp -- any any anywhere anywhere
10957 820K ACCEPT all -- lo any anywhere anywhere
7128 421K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:http state NEW
7166 425K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:https state NEW
14457 819K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:ssh state NEW
59 2636 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:ftp state NEW
0 0 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:45632 state NEW
0 0 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:45633 state NEW
16 1120 ACCEPT udp -- venet0 any anywhere anywhere udp dpt:openvpn state NEW
47288 3095K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4062K 3220M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
43961 2562K ACCEPT all -- any any 10.44.3.0/29 anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3107K packets, 3306M bytes)
pkts bytes target prot opt in out source destination
But it seems I am still violating one of the rules, since I receive the ICMP "admin prohibited" message?
I don't know how to fix this; any suggestions would be greatly appreciated.
Answer 1
There is no rule allowing DNS traffic to reach your host (packets are only handled by the FORWARD chain when both source and destination are "not this machine"; if the DNS service runs on the server these rules come from, you must look at the INPUT chain).
Try adding: iptables -i tun0 -I INPUT 8 -p udp --dport 53 -j ACCEPT
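To make the answer's point concrete, here is an added simulation (written for this page, not a tool from the question or the answer) that walks the question's INPUT chain the way Netfilter does, first-match-wins, for the DNS query seen in the tcpdump capture. The chain text, the packet and the service-name table are constructed from the question's own `iptables -L -v` listing and capture; the inserted rule is the answer's suggestion narrowed to the VPN subnet, which is an assumption of mine rather than the answer's exact command.

```python
"""Walk the INPUT chain from the question the way Netfilter does, to show which
rule a VPN client's DNS query hits before and after the answer's fix.

Added simulation for this page; the chain and packet below are constructed
from the question's `iptables -L -v` output and tcpdump capture.
"""
import ipaddress
import re

# Constructed copy of the question's INPUT chain (`iptables -L -v` output).
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
1897K 320M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
229K 14M ACCEPT icmp -- any any anywhere anywhere
10957 820K ACCEPT all -- lo any anywhere anywhere
7128 421K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:http state NEW
7166 425K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:https state NEW
14457 819K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:ssh state NEW
59 2636 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:ftp state NEW
0 0 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:45632 state NEW
0 0 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:45633 state NEW
16 1120 ACCEPT udp -- venet0 any anywhere anywhere udp dpt:openvpn state NEW
47288 3095K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
"""

# Service names iptables prints instead of port numbers when -n is omitted.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "ftp": 21,
                 "domain": 53, "openvpn": 1194}

# First query from the capture: 10.44.3.6 -> 10.44.3.1:53/udp, arriving on
# tun0 as a NEW connection (constructed packet).
DNS_QUERY = {"proto": "udp", "in": "tun0", "src": "10.44.3.6",
             "dst": "10.44.3.1", "dport": 53, "state": "NEW"}


def parse_chain(listing):
    """Turn `iptables -L -v` lines into rule dicts, in chain order."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] in ("Chain", "pkts"):
            continue  # chain title and column header lines
        rule = {"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                "src": f[7], "dst": f[8], "dport": None, "states": None}
        extra = " ".join(f[9:])  # match extensions: dpt:, state, reject-with
        m = re.search(r"dpt:(\S+)", extra)
        if m:
            port = m.group(1)
            rule["dport"] = int(port) if port.isdigit() else SERVICE_PORTS[port]
        m = re.search(r"state (\S+)", extra)
        if m:
            rule["states"] = set(m.group(1).split(","))
        rules.append(rule)
    return rules


def addr_matches(spec, addr):
    """'anywhere' matches everything; otherwise treat spec as a CIDR/host."""
    return spec == "anywhere" or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Every condition present on the rule must hold for the packet."""
    return (rule["proto"] in ("all", pkt["proto"])
            and rule["in"] in ("any", pkt["in"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))


def walk_chain(rules, pkt, policy="ACCEPT"):
    """First matching rule wins; return (rule number, target) or (None, policy)."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return number, rule["target"]
    return None, policy


def verdict_before_fix():
    # Rules 1-10 fail on state, protocol or input interface, so the query
    # falls through to rule 11: REJECT with icmp-host-prohibited, which is
    # the "admin prohibited" ICMP the client saw in the capture.
    return walk_chain(parse_chain(INPUT_CHAIN), DNS_QUERY)


def verdict_after_fix():
    # `iptables -I INPUT 8 ...` makes the new rule number 8, ahead of the
    # final REJECT. Here it is limited to the VPN subnet (my assumption).
    rules = parse_chain(INPUT_CHAIN)
    fix = {"target": "ACCEPT", "proto": "udp", "in": "tun0", "out": "any",
           "src": "10.44.3.0/29", "dst": "anywhere", "dport": 53, "states": None}
    rules.insert(7, fix)
    return walk_chain(rules, DNS_QUERY)


if __name__ == "__main__":
    print("before:", verdict_before_fix())
    print("after: ", verdict_after_fix())
```

The walk shows why the FORWARD rule for 10.44.3.0/29 never helps: a query addressed to 10.44.3.1 is delivered locally and only ever traverses INPUT. When adding the real rule, restricting it with `-s 10.44.3.0/29` keeps the firewall as narrow as the bind ACL, and a matching `-p tcp --dport 53` rule covers responses too large for UDP.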