DNS lookups no longer work - administratively prohibited

I have run into a strange problem: my server now refuses to do DNS lookups (using bind). I use a CentOS box as an OpenVPN gateway and serve DNS to the clients. Everything worked fine and as expected for a month, and today the DNS service no longer works. The configuration has not changed...

Here is the named.conf file:

    options {
            # Hide bind version
            version "Not shown";
            # Listen only on localhost and VPN gateway IPv4
            listen-on port 53 { 127.0.0.1; 10.44.3.1; };
            listen-on-v6 port 53 { ::1; };

            # Forward requests to Google public DNS
            forwarders { 8.8.8.8; 8.8.4.4; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; crypto; };
            allow-recursion { localhost; crypto; };
            recursion yes;

            dnssec-enable no;
            dnssec-validation no;
            dnssec-lookaside auto;

            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";

            managed-keys-directory "/var/named/dynamic";
    };

    acl crypto {
            10.44.3.0/29; // SSL VPN
    };

    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };

    zone "." IN {
            type hint;
            file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

Note the ACL: the server must serve only clients coming from the 10.44.3.0/29 subnet (the 10.44.3.1-10.44.3.6 IP range, .1 being the gateway). Now, when I have a client bring up the VPN tunnel and then monitor the DNS resolution, I can tell from the ICMP error messages that it is being rejected:

    [root@vps50300 ~]# tcpdump -i tun0 host 10.44.3.6
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
    10:10:16.735977 IP 10.44.3.6.61219 > 10.44.3.1.domain: 1+ PTR? 1.3.44.10.in-addr.arpa. (40)
    10:10:16.736038 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 76
    10:10:18.736269 IP 10.44.3.6.61220 > 10.44.3.1.domain: 2+ A? www.google.com. (32)
    10:10:18.736330 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
    10:10:20.737701 IP 10.44.3.6.61221 > 10.44.3.1.domain: 3+ AAAA? www.google.com. (32)
    10:10:20.737758 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
    10:10:22.738068 IP 10.44.3.6.61222 > 10.44.3.1.domain: 4+ A? www.google.com. (32)
    10:10:22.738154 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
    10:10:24.737910 IP 10.44.3.6.61223 > 10.44.3.1.domain: 5+ AAAA? www.google.com. (32)
    10:10:24.737965 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68

Last but not least, I believe my iptables look correct (all traffic from 10.44.3.0/29 is accepted and forwarded):

    [root@vps50300 ~]# iptables -L -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    1897K  320M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
     229K   14M ACCEPT     icmp --  any    any     anywhere             anywhere
    10957  820K ACCEPT     all  --  lo     any     anywhere             anywhere
     7128  421K ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:http state NEW
     7166  425K ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:https state NEW
    14457  819K ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:ssh state NEW
       59  2636 ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:ftp state NEW
        0     0 ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:45632 state NEW
        0     0 ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:45633 state NEW
       16  1120 ACCEPT     udp  --  venet0 any     anywhere             anywhere            udp dpt:openvpn state NEW
    47288 3095K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    4062K 3220M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    43961 2562K ACCEPT     all  --  any    any     10.44.3.0/29         anywhere
        0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 3107K packets, 3306M bytes)
     pkts bytes target     prot opt in     out     source               destination

But I still seem to be violating one of the rules, since I am receiving the ICMP admin-prohibited messages?

I have no idea how to fix this, and any suggestion would be greatly appreciated.

Answer 1

There is no rule allowing DNS traffic to reach your host (a packet is only handled by the FORWARD chain when both source and destination are "not this machine". If the DNS service runs on the server these rules come from, you have to look at the INPUT chain).

Try adding: iptables -I INPUT 8 -i tun0 -p udp --dport 53 -j ACCEPT
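To see why the answer points at INPUT rather than FORWARD, the following added script (not part of the question or the answer) walks the `iptables -L -v` listing from the question the way the kernel does: a packet addressed to one of the gateway's own addresses (the named.conf listen-on addresses, 127.0.0.1 and 10.44.3.1) traverses INPUT, anything else traverses FORWARD, and the first matching rule decides. The packet descriptions and the `SERVICES` name table are constructed for the example; only the listing itself is taken from the question. Run it and the DNS query from the tcpdump capture lands on INPUT rule 11, the REJECT whose `icmp-host-prohibited` is exactly the "admin prohibited" ICMP seen on tun0, while the same packet is accepted at rule 8 once the answer's rule is inserted there.

```python
import copy
import ipaddress
import re

# `iptables -L -v` listing pasted from the question (INPUT and FORWARD chains only).
LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1897K  320M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 229K   14M ACCEPT     icmp --  any    any     anywhere             anywhere
10957  820K ACCEPT     all  --  lo     any     anywhere             anywhere
 7128  421K ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:http state NEW
 7166  425K ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:https state NEW
14457  819K ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:ssh state NEW
   59  2636 ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:ftp state NEW
    0     0 ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:45632 state NEW
    0     0 ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:45633 state NEW
   16  1120 ACCEPT     udp  --  venet0 any     anywhere             anywhere            udp dpt:openvpn state NEW
47288 3095K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4062K 3220M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
43961 2562K ACCEPT     all  --  any    any     10.44.3.0/29         anywhere
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Service names as iptables prints them without -n (constructed subset of /etc/services).
SERVICES = {"http": 80, "https": 443, "ssh": 22, "ftp": 21, "openvpn": 1194, "domain": 53}

# Addresses the gateway owns (the listen-on addresses in named.conf): a packet sent to
# one of them is delivered locally and so goes through INPUT, never FORWARD.
LOCAL_ADDRS = {"127.0.0.1", "10.44.3.1"}


def parse_listing(text):
    """Turn the listing into {chain: {"policy": ..., "rules": [...]}} in rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split()
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line or column header
        # Columns: pkts bytes target prot opt in out source destination [match details]
        chains[current]["rules"].append({
            "target": parts[2], "prot": parts[3], "in": parts[5], "out": parts[6],
            "src": parts[7], "dst": parts[8], "extra": " ".join(parts[9:]),
        })
    return chains


def _port(value):
    """Resolve a service name or numeric string to an integer port (-1 if unknown)."""
    return int(value) if value.isdigit() else SERVICES.get(value, -1)


def _addr_match(pattern, addr):
    return pattern == "anywhere" or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule, pkt):
    """Evaluate one parsed rule against a packet described as a dict."""
    if rule["prot"] != "all" and rule["prot"] != pkt["proto"]:
        return False
    if rule["in"] != "any" and rule["in"] != pkt["in"]:
        return False
    if rule["out"] != "any" and rule["out"] != pkt.get("out"):
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    m = re.search(r"dpt:(\S+)", rule["extra"])
    if m and _port(m.group(1)) != pkt.get("dport"):
        return False
    m = re.search(r"state (\S+)", rule["extra"])
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    return True


def verdict(chains, pkt):
    """Return (chain, rule number or None, target, match details) for the first hit."""
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    for number, rule in enumerate(chains[chain]["rules"], start=1):
        if rule_matches(rule, pkt):
            return chain, number, rule["target"], rule["extra"]
    return chain, None, chains[chain]["policy"], "chain policy"


def with_dns_rule(chains, position=8):
    """Copy of the chains with the answer's rule inserted as INPUT rule `position`
    (what `iptables -I INPUT 8 -i tun0 -p udp --dport 53 -j ACCEPT` would add)."""
    new = copy.deepcopy(chains)
    new["INPUT"]["rules"].insert(position - 1, {
        "target": "ACCEPT", "prot": "udp", "in": "tun0", "out": "any",
        "src": "anywhere", "dst": "anywhere", "extra": "udp dpt:domain",
    })
    return new


# Constructed packet matching the first tcpdump line: a fresh UDP query from the
# VPN client to the gateway's own resolver.
DNS_QUERY = {"proto": "udp", "in": "tun0", "src": "10.44.3.6", "dst": "10.44.3.1",
             "dport": 53, "state": "NEW"}
# Constructed packet the client sends *through* the gateway (straight to a forwarder).
FORWARDED = {"proto": "udp", "in": "tun0", "out": "venet0", "src": "10.44.3.6",
             "dst": "8.8.8.8", "dport": 53, "state": "NEW"}

if __name__ == "__main__":
    chains = parse_listing(LISTING)
    print("DNS to gateway, before:", verdict(chains, DNS_QUERY))
    print("DNS through gateway:   ", verdict(chains, FORWARDED))
    print("DNS to gateway, after: ", verdict(with_dns_rule(chains), DNS_QUERY))
```

The `FORWARDED` case shows why the permissive FORWARD rule for 10.44.3.0/29 never helped: it only covers traffic passing through the gateway, and a resolver listening on 10.44.3.1 is a local destination. A quick confirmation on the real box is that the `pkts` counter of the INPUT REJECT rule rises in step with the ICMP messages in the tcpdump capture.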
