Chinaunix
[DNS] DNS and firewall problem

1
Posted 2007-10-24 07:32
I set up a dynamic DNS server on CentOS 5 (updated through 3322).
Now, with the firewall enabled,
DNS cannot serve outside clients,
but with the firewall disabled everything works.

How should the firewall be configured so that DNS works normally for outside clients?

I have already added the following rule to the firewall:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT

2
Posted 2007-10-24 10:23
Originally posted by llw318 on 2007-10-24 07:32:
I set up a dynamic DNS server on CentOS 5 (updated through 3322).
Now, with the firewall enabled,
DNS cannot serve outside clients,
but with the firewall disabled everything works.

How should the firewall be configured so that DNS works normally for outside clients?

I have already added the following rule to the firewall:
-A RH-Firewall-1-INPU ...


From:
DNS and BIND, 5th Edition

11.3. DNS and Internet Firewalls

First:
The bad news, and what's important for our purposes, is that most proxy-based firewalls handle only TCP-based application protocols. DNS, of course, is largely UDP-based. This implies that if you run a proxy-based firewall, your internal hosts will likely not be able to communicate directly with nameservers on the Internet.


And:
A Gotcha with BIND 8 or 9 and Packet-Filtering Firewalls
BIND 4 nameservers always sent queries from port 53, the well-known port for DNS servers, to port 53. Resolvers, on the other hand, usually send queries from high-numbered ports (above 1023) to port 53. Though nameservers clearly have to send their queries to the DNS port on a remote host, there's no reason they have to send the queries from the DNS port. And, wouldn't you know it, BIND 8 and 9 nameservers don't send queries from port 53 by default. Instead, they send queries from high-numbered ports, the same as resolvers do.
This can cause problems with packet-filtering firewalls that are configured to allow nameserver-to-nameserver traffic but not resolver-to-nameserver traffic, because they typically expect nameserver-to-nameserver traffic to originate from port 53 and terminate at port 53.
There are two solutions to this problem:
Reconfigure the firewall to allow your nameserver to send and receive queries from ports other than 53 (assuming this doesn't compromise the security of the firewall by allowing packets from Internet hosts to high-numbered ports on internal nameservers).
Configure BIND to revert to its old behavior with the query-source substatement.
query-source takes as arguments an address specification and an optional port number. For example, the statement:

options { query-source address * port 53; };

tells BIND to use port 53 as the source port for queries sent from all local network interfaces. You can use a nonwildcard address specification to limit the addresses that BIND will send queries from. For example, on wormhole.movie.edu, the statement:

options { query-source address 192.249.249.1 port *; };

tells BIND to send all queries from the 192.249.249.1 address (i.e., not from 192.253.253.1) and to use a dynamic, high-numbered port.
The use of query-source with a wildcard address is broken in BIND 9 before 9.1.0, though you can tell an early BIND 9 nameserver to send all queries from a particular address's port 53.

[ Last edited by baif on 2007-10-24 10:24 ]

3
Posted 2007-10-24 12:54
My English is shaky.
Does this mean I should add the
options { query-source address * port 53; }
rule?
But I already have that line,
and it still doesn't work.
It only works when the firewall is turned off.

Can someone explain it in plainer terms?

4
Posted 2007-10-24 13:10
UDP 53

5
Posted 2007-10-24 17:05
Originally posted by llw318 on 2007-10-24 12:54:
My English is shaky.
Does this mean I should add the
options { query-source address * port 53; }
rule?
But I already have that line,
and it still doesn't work.
It only works when the firewall is turned off.

Can someone explain it in plainer terms?


First...

DNS, of course, is largely UDP-based.
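To make the two replies above concrete, here is an added check (not code from the thread or from BIND) that parses iptables-save style lines like the one the original poster quoted and reports whether port 53 is accepted for UDP as well as TCP. The sample rule set is constructed, modelled on a CentOS 5 /etc/sysconfig/iptables that uses the RH-Firewall-1-INPUT chain; the function and variable names are mine.

```python
import re

# Constructed sample: a CentOS 5 style rule set with only the TCP/53 ACCEPT
# the poster added. Note the catch-all REJECT at the end of the chain.
SAMPLE_RULES = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()

RULE_RE = re.compile(r"-A (?P<chain>\S+)(?P<rest>.*?) -j (?P<target>\S+)")


def parse_rule(line):
    """Return (chain, proto, dport, target) for an iptables-save '-A' line, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    proto = re.search(r"-p (\S+)", rest)
    dport = re.search(r"--dport (\d+)", rest)
    return (m.group("chain"), proto.group(1) if proto else None,
            int(dport.group(1)) if dport else None, m.group("target"))


def accepted_dns_protocols(lines, chain="RH-Firewall-1-INPUT"):
    """Protocols (tcp/udp) for which an ACCEPT rule in `chain` opens dport 53.
    Rules are evaluated in order: once a REJECT/DROP with no port or protocol
    match is reached, every later rule is unreachable and is ignored."""
    opened = set()
    for line in lines:
        parsed = parse_rule(line)
        if not parsed or parsed[0] != chain:
            continue
        _, proto, dport, target = parsed
        if target == "ACCEPT" and dport == 53 and proto in ("tcp", "udp"):
            opened.add(proto)
        elif target in ("REJECT", "DROP") and proto is None and dport is None:
            break  # catch-all reached: nothing after it ever fires
    return opened


def missing_dns_rules(lines, chain="RH-Firewall-1-INPUT"):
    """Rules still needed so the server answers queries over UDP (normal
    lookups) and TCP (truncated answers, zone transfers) on port 53."""
    opened = accepted_dns_protocols(lines, chain)
    return [f"-A {chain} -m state --state NEW -m {p} -p {p} --dport 53 -j ACCEPT"
            for p in ("udp", "tcp") if p not in opened]
```

Run against the sample, the check reports the missing UDP rule; appending that rule after the catch-all REJECT still leaves it reported, which is why the new line has to go above the REJECT in /etc/sysconfig/iptables.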

6
Posted 2007-10-24 18:43
Many thanks to the two brothers above.
Heh...
My English is poor,
and that is painful.