.png)
我有一个带有 OpenWRT BarrierBreaker 的 TP-Link WDR4300 路由器(vargalex 版本 1.1.7)。
我使用我的 Raspberry ( SMB, PMA, Plex, etc) DDNS( duckdns.org) 来访问 LAN 之外的路由器(我尝试在路由器上配置 VPN,但不知何故找不到正确的配置)。我的服务正在使用这些端口:139, 445, 8080, 8081, 8877, 56565但为什么53( dnsmasq) 端口被打开WAN,我无法阻止它。
netstat输出:
netstat -an
netstat -pln
nslookup输出:
> server <myremoteaddress>.duckdns.org
Default Server: remoteconnection.duckdns.org
Address: <myipaddress>
> google.com.
Server: <myremoteaddress>.duckdns.org
Address: <myipaddress>
Non-authoritative answer:
Name: google.com
Addresses: xxxx:yyyy:400d:zzzz::200e
***.***.72.20
***.***.72.34
***.***.72.45
***.***.72.24
***.***.72.49
***.***.72.44
***.***.72.39
***.***.72.25
***.***.72.30
***.***.72.54
***.***.72.40
***.***.72.29
***.***.72.50
***.***.72.59
***.***.72.55
***.***.72.35
我在用着Google DNS(8.8.8.8, 8.8.4.4)。
我尝试添加一些rule来阻止端口53,但没有成功......
我已将规则添加到配置firewall( /etc/config/firewall) 并连接到所需的端口:
config rule
option src 'wan'
option name 'block_port_53'
option dest_port '53'
option target 'REJECT'
option proto 'all'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'Guest DNS'
option src 'guest'
option enabled '0'
config rule
option src 'wan'
option dest 'lan'
option name 'restrict_dns_53_lan'
option dest_port '53'
option target 'REJECT'
config rule
option src 'wan'
option dest_port '53'
option name 'restrict_dns_forward'
option target 'REJECT'
option proto 'tcp udp'
option dest 'lan'
Guest DNS当前已禁用,并且它用于Guest WiFi(它是Guest DNS zone)。
我究竟做错了什么?
阻止端口的主要原因53是中国机器人试图重新绑定我的DNS.我的路由器System Log充满了这个:
Jul 4 20:12:53 dnsmasq[2524]: possible DNS-rebind attack detected: 9406151-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:53 dnsmasq[2524]: possible DNS-rebind attack detected: 9406163-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:53 dnsmasq[2524]: possible DNS-rebind attack detected: 9406153-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406166-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406154-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406157-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406156-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406148-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406149-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406155-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406160-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406164-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406158-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406150-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406161-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406147-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406152-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul 4 20:12:56 dnsmasq[2524]: possible DNS-rebind attack detected: 9406162-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:57 dnsmasq[2524]: possible DNS-rebind attack detected: 9406159-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:12:58 dnsmasq[2524]: possible DNS-rebind attack detected: 9406165-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul 4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376755-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul 4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376759-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul 4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376746-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.myxns.cn
Jul 4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376741-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.myxns.cn
Jul 4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376750-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.myxns.cn
Jul 4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376756-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul 4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376752-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul 4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376760-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul 4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376754-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul 4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376758-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul 4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376753-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
请帮我摆脱它们。
答案1
你有没有尝试过option proto 'tcpudp'?当您指定端口号时,文档及其在 iptables 中的工作方式都意味着这是必需的。 tcpudp实际上是默认的。所以你不想使用allor tcp udp(也不想udp使用,因为 DNS 在正常操作中可以使用这两种协议)。
[openwrt] 匹配针对给定目标端口或端口范围的传入流量,如果指定了相关原型。
[iptables] 如果指定了“--protocol tcp”,则可以使用这些扩展。它提供以下选项: ... --destination-port
答案2
对于任何希望在本文中执行此操作的人,您需要将以下两行添加到config dnsmasq中的块的末尾/etc/config/dhcp:
list interface 'lan'
list notinterface 'wan'
它应该是什么样子的示例:
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolve.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list interface 'lan'
list notinterface 'wan'
如果使用露西, 去网络>常规设置并设置监听接口到局域网和排除接口到万。
版本:OpenWrt 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 分支 git-24.006.68745-9128656