Original post by llw318 on 2007-10-24 07:32
I set up a dynamic DNS server on CentOS 5 (updated through 3322).
Now, with the firewall enabled,
the DNS server can no longer serve external clients,
but with the firewall disabled everything works.
How should the firewall be configured so that DNS works for the outside world?
I have already added the following rule to the firewall:
-A RH-Firewall-1-INPU ...
From:
DNS and BIND, 5th Edition
11.3. DNS and Internet Firewalls
First:
The bad news, and what's important for our purposes, is that most proxy-based firewalls handle only TCP-based application protocols. DNS, of course, is largely UDP-based. This implies that if you run a proxy-based firewall, your internal hosts will likely not be able to communicate directly with nameservers on the Internet.
And:
A Gotcha with BIND 8 or 9 and Packet-Filtering Firewalls
BIND 4 nameservers always sent queries from port 53, the well-known port for DNS servers, to port 53. Resolvers, on the other hand, usually send queries from high-numbered ports (above 1023) to port 53. Though nameservers clearly have to send their queries to the DNS port on a remote host, there's no reason they have to send the queries from the DNS port. And, wouldn't you know it, BIND 8 and 9 nameservers don't send queries from port 53 by default. Instead, they send queries from high-numbered ports, the same as resolvers do.
This can cause problems with packet-filtering firewalls that are configured to allow nameserver-to-nameserver traffic but not resolver-to-nameserver traffic, because they typically expect nameserver-to-nameserver traffic to originate from port 53 and terminate at port 53.
There are two solutions to this problem:
Reconfigure the firewall to allow your nameserver to send and receive queries from ports other than 53 (assuming this doesn't compromise the security of the firewall by allowing packets from Internet hosts to high-numbered ports on internal nameservers).
Configure BIND to revert to its old behavior with the query-source substatement.
query-source takes as arguments an address specification and an optional port number. For example, the statement:
options { query-source address * port 53; };
tells BIND to use port 53 as the source port for queries sent from all local network interfaces. You can use a nonwildcard address specification to limit the addresses that BIND will send queries from. For example, on wormhole.movie.edu, the statement:
options { query-source address 192.249.249.1 port *; };
tells BIND to send all queries from the 192.249.249.1 address (i.e., not from 192.253.253.1) and to use a dynamic, high-numbered port.
The use of query-source with a wildcard address is broken in BIND 9 before 9.1.0, though you can tell an early BIND 9 nameserver to send all queries from a particular address's port 53.
[ This post was last edited by baif on 2007-10-24 10:24 ]
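The following Python script is an added example, not part of the thread or of DNS and BIND. It models the gotcha the quoted passage describes: it parses the query-source substatement out of a BIND options block, builds the two UDP datagrams of a query and its reply, and runs them through a simplified stateless packet filter under two rule sets (a strict "port 53 to port 53 only" policy and the relaxed policy of solution 1). The address 192.249.249.1 comes from the quote; the remote nameserver address, the ephemeral port, the rule tables and all function names are constructed for the example.

```python
"""Added example: why BIND 8/9 high-port queries fail behind a strict packet filter,
and how either query-source port 53 or a relaxed rule set fixes it."""
import re

EPHEMERAL_PORT = 32768        # constructed stand-in for a dynamic high-numbered port
REMOTE_NS = "198.51.100.53"   # constructed remote nameserver address (TEST-NET-2)


def parse_query_source(options_text):
    """Return (address, port) from an 'options { query-source ... }' block.

    port is an int, or None when the statement is absent or uses '*'
    (the BIND 8/9 default: a dynamic high-numbered source port)."""
    m = re.search(r"query-source\s+address\s+(\S+)(?:\s+port\s+(\S+))?\s*;",
                  options_text)
    if not m:
        return ("*", None)
    addr, port = m.group(1), m.group(2)
    if port is None or port == "*":
        return (addr, None)
    return (addr, int(port))


def query_exchange(local_ip, remote_ip, source_port):
    """The outbound query and the inbound reply of one UDP lookup."""
    query = dict(proto="udp", direction="out", src=local_ip, sport=source_port,
                 dst=remote_ip, dport=53)
    reply = dict(proto="udp", direction="in", src=remote_ip, sport=53,
                 dst=local_ip, dport=source_port)
    return [query, reply]


def rule_matches(rule, pkt):
    """A rule matches when every field it names agrees with the packet.
    '*' is a wildcard; a (lo, hi) tuple is an inclusive port range."""
    for key, want in rule.items():
        if key == "action" or want == "*":
            continue
        have = pkt[key]
        if isinstance(want, tuple):
            if not (want[0] <= have <= want[1]):
                return False
        elif have != want:
            return False
    return True


def filter_allows(rules, pkt):
    """First matching rule decides; no match means DROP (stateless filter)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"] == "ACCEPT"
    return False


# Rule set 1: "nameserver-to-nameserver only" -- both ends must be port 53.
STRICT_RULES = [
    dict(proto="udp", direction="in", sport=53, dport=53, action="ACCEPT"),
    dict(proto="udp", direction="out", sport=53, dport=53, action="ACCEPT"),
]

# Rule set 2: solution 1 from the quote -- let replies from port 53 reach
# high-numbered ports on the nameserver, and let queries leave from any port.
RELAXED_RULES = [
    dict(proto="udp", direction="in", sport=53, dport=(1024, 65535), action="ACCEPT"),
    dict(proto="udp", direction="in", sport=53, dport=53, action="ACCEPT"),
    dict(proto="udp", direction="out", sport="*", dport=53, action="ACCEPT"),
]


def exchange_succeeds(rules, options_text, local_ip="192.249.249.1",
                      remote_ip=REMOTE_NS):
    """True if both the query and its reply pass the filter."""
    _, port = parse_query_source(options_text)
    sport = port if port is not None else EPHEMERAL_PORT
    return all(filter_allows(rules, p)
               for p in query_exchange(local_ip, remote_ip, sport))


if __name__ == "__main__":
    default_opts = "options { };"
    port53_opts = "options { query-source address * port 53; };"
    for name, rules in (("strict", STRICT_RULES), ("relaxed", RELAXED_RULES)):
        print(name, "default BIND 8/9:", exchange_succeeds(rules, default_opts))
        print(name, "query-source port 53:", exchange_succeeds(rules, port53_opts))
```

Run as a script it shows that under the strict rule set only the query-source port 53 configuration gets a reply back, while the relaxed rule set passes both; the trade-off the quote mentions (solution 1 opens high-numbered ports on the nameserver to packets from port 53 anywhere) is visible in the first RELAXED_RULES entry.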