I've run into a strange problem: my server now refuses to do DNS lookups (using BIND). I use a CentOS machine as an OpenVPN gateway that also provides DNS to the clients. For a month everything worked as expected, and today the DNS service stopped working. No changes were made to the configuration...
Here is the named.conf file:
options {
# Hide bind version
version "Not shown";
# Listen only on localhost and VPN gateway IPv4
listen-on port 53 { 127.0.0.1; 10.44.3.1; };
listen-on-v6 port 53 { ::1; };
# Forward requests to Google public DNS
forwarders { 8.8.8.8; 8.8.4.4; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; crypto; };
allow-recursion { localhost; crypto; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
acl crypto{
10.44.3.0/29; // SSL VPN
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note the ACL: the server must only serve clients from the 10.44.3.0/29 subnet (IP range 10.44.3.1-10.44.3.6, with .1 being the gateway). Now, when I have a client bring up the VPN tunnel and then monitor DNS resolution, I can see it being rejected with ICMP error messages:
[root@vps50300 ~]# tcpdump -i tun0 host 10.44.3.6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
10:10:16.735977 IP 10.44.3.6.61219 > 10.44.3.1.domain: 1+ PTR? 1.3.44.10.in-addr.arpa. (40)
10:10:16.736038 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 76
10:10:18.736269 IP 10.44.3.6.61220 > 10.44.3.1.domain: 2+ A? www.google.com. (32)
10:10:18.736330 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:20.737701 IP 10.44.3.6.61221 > 10.44.3.1.domain: 3+ AAAA? www.google.com. (32)
10:10:20.737758 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:22.738068 IP 10.44.3.6.61222 > 10.44.3.1.domain: 4+ A? www.google.com. (32)
10:10:22.738154 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:24.737910 IP 10.44.3.6.61223 > 10.44.3.1.domain: 5+ AAAA? www.google.com. (32)
10:10:24.737965 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
Last but not least, I think my iptables look correct (all traffic from 10.44.3.0/29 is accepted and forwarded):
[root@vps50300 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1897K 320M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
229K 14M ACCEPT icmp -- any any anywhere anywhere
10957 820K ACCEPT all -- lo any anywhere anywhere
7128 421K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:http state NEW
7166 425K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:https state NEW
14457 819K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:ssh state NEW
59 2636 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:ftp state NEW
0 0 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:45632 state NEW
0 0 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:45633 state NEW
16 1120 ACCEPT udp -- venet0 any anywhere anywhere udp dpt:openvpn state NEW
47288 3095K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4062K 3220M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
43961 2562K ACCEPT all -- any any 10.44.3.0/29 anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3107K packets, 3306M bytes)
pkts bytes target prot opt in out source destination
But since I'm getting the ICMP admin prohibited message, it seems I'm still violating one of the rules?
I'm not sure how to resolve this; any suggestions would be much appreciated.
There is no rule allowing DNS traffic to your host (a packet is only handled by the FORWARD chain when neither its source nor its destination is this machine; if the DNS service runs on the server these rules come from, you have to look at the INPUT chain).
Try adding:
iptables -I INPUT 8 -i tun0 -p udp --dport 53 -j ACCEPT