Dns

OpenWRT - 無法從 WAN-LAN 方向阻止 DNS 埠(53)

  • August 12, 2016

我有一個帶有 OpenWRT BarrierBreaker 的 TP-Link WDR4300 路由器(vargalex build ver. 1.1.7)。

由於我的 Raspberry ( SMB, PMA, Plex, etc) DDNS( duckdns.org),我使用它來訪問我的 LAN 之外的路由器(我嘗試在路由器上配置 VPN,但不知何故我找不到正確的配置)。我的服務正在使用這些埠:139, 445, 8080, 8081, 8877, 56565但不知何故53dnsmasq)埠是從那裡打開的WAN,我無法阻止它。

netstat輸出:

netstat -an

netstat -an

netstat -pln

netstat-pln

nslookup輸出:

> server <myremoteaddress>.duckdns.org
Default Server:  remoteconnection.duckdns.org
Address:  <myipaddress>

> google.com.
Server:  <myremoteaddress>.duckdns.org
Address:  <myipaddress>

Non-authoritative answer:
Name:    google.com
Addresses:  xxxx:yyyy:400d:zzzz::200e
         ***.***.72.20
         ***.***.72.34
         ***.***.72.45
         ***.***.72.24
         ***.***.72.49
         ***.***.72.44
         ***.***.72.39
         ***.***.72.25
         ***.***.72.30
         ***.***.72.54
         ***.***.72.40
         ***.***.72.29
         ***.***.72.50
         ***.***.72.59
         ***.***.72.55
         ***.***.72.35

我正在使用Google DNS8.8.8.8, 8.8.4.4)。

我試圖添加一些rule來阻止埠53,但沒有成功……

我已將規則添加到firewall配置(/etc/config/firewall)並連接到所需的埠:

config rule
   option src 'wan'
   option name 'block_port_53'
   option dest_port '53'
   option target 'REJECT'
   option proto 'all'

config rule
   option target 'ACCEPT'
   option proto 'tcp udp'
   option dest_port '53'
   option name 'Guest DNS'
   option src 'guest'
   option enabled '0'

config rule
   option src 'wan'
   option dest 'lan'
   option name 'restrict_dns_53_lan'
   option dest_port '53'
   option target 'REJECT'

config rule
   option src 'wan'
   option dest_port '53'
   option name 'restrict_dns_forward'
   option target 'REJECT'
   option proto 'tcp udp'
   option dest 'lan'

Guest DNS目前被禁用,它是為Guest WiFi(它是Guest DNS zone)。

我究竟做錯了什麼?

阻止埠的主要原因53是試圖重新綁定我的DNS. 我的路由器System Log充滿了這個:

Jul  4 20:12:53 dnsmasq[2524]: possible DNS-rebind attack detected: 9406151-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:53 dnsmasq[2524]: possible DNS-rebind attack detected: 9406163-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:53 dnsmasq[2524]: possible DNS-rebind attack detected: 9406153-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406166-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406154-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406157-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406156-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406148-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406149-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406155-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:54 dnsmasq[2524]: possible DNS-rebind attack detected: 9406160-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406164-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406158-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406150-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406161-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406147-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:55 dnsmasq[2524]: possible DNS-rebind attack detected: 9406152-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.myxns.cn
Jul  4 20:12:56 dnsmasq[2524]: possible DNS-rebind attack detected: 9406162-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:57 dnsmasq[2524]: possible DNS-rebind attack detected: 9406159-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:12:58 dnsmasq[2524]: possible DNS-rebind attack detected: 9406165-0-1896986649-4159633587.ns.113-17-184-25-ns.dns-spider.ffdns.net
Jul  4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376755-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul  4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376759-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul  4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376746-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.myxns.cn
Jul  4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376741-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.myxns.cn
Jul  4 20:15:24 dnsmasq[2524]: possible DNS-rebind attack detected: 4376750-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.myxns.cn
Jul  4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376756-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul  4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376752-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul  4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376760-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul  4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376754-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul  4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376758-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net
Jul  4 20:15:26 dnsmasq[2524]: possible DNS-rebind attack detected: 4376753-0-3084195388-824858262.ns.183-213-22-60-ns.dns-spider.ffdns.net

請幫我擺脫它們。

你試過option proto 'tcpudp'嗎?當您指定埠號時,文件及其在 iptables 中的工作方式都暗示這是必需的。 tcpudp實際上是預設值。所以你不想使用allor tcp udp(也不想udp,因為 DNS 可以在正常操作中使用這兩種協議)。

$$ openwrt $$如果指定了相關的 proto,則匹配指向給定目標埠或埠範圍的傳入流量。 $$ iptables $$如果指定了 `–protocol tcp’,則可以使用這些擴展。它提供以下選項: … –destination-port

引用自:https://unix.stackexchange.com/questions/303024

相關問答

Dns

為什麼 nslookup 對設置為私有地址的 DNS 記錄失敗?

  • October 13, 2020
檢視問答
Dns

如何從 LAN 內(跨多個子網)獲取指向本地託管 Web 伺服器的 Internet 域名的 DNS IP 解析?

  • June 11, 2018
檢視問答
Linux

配置 BIND 和 DNSMasq 在同一台機器上協同工作

  • March 28, 2017
檢視問答
Dns

強制在網路上使用特定的 DNS 提供商

  • April 11, 2012
檢視問答
Dns

如何為一個域分配多個固定IP地址?

  • March 28, 2022
檢視問答
Linux

當 resolv.conf 被覆蓋時,如何設置我的 DNS?

  • March 12, 2022
檢視問答