I'm running into a strange issue where my server now refuses to do DNS lookups (using BIND). I use a CentOS box as an OpenVPN gateway and provide DNS service to the clients. For months everything was working fine and as intended, and today the DNS service doesn't work anymore. No changes were made to the configuration...
This is the named.conf file:
// ACL must be defined before the options block that references it
// (BIND does not allow forward references to ACL names)
acl crypto {
    10.44.3.0/29; // SSL VPN
};
options {
    # Hide bind version
    version "Not shown";
    # Listen only on localhost and VPN gateway IPv4
    listen-on port 53 { 127.0.0.1; 10.44.3.1; };
    listen-on-v6 port 53 { ::1; };
    # Forward requests to Google public DNS
    forwarders { 8.8.8.8; 8.8.4.4; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; crypto; };
    allow-recursion { localhost; crypto; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note the ACL: the server must serve only clients from the 10.44.3.0/29 subnet (10.44.3.1-10.44.3.6 IP range, .1 being the gateway). Now when I get a client to establish a VPN tunnel and then monitor the DNS resolution, I can tell it's being refused because of the ICMP error messages:
[root@vps50300 ~]# tcpdump -i tun0 host 10.44.3.6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
10:10:16.735977 IP 10.44.3.6.61219 > 10.44.3.1.domain: 1+ PTR? 1.3.44.10.in-addr.arpa. (40)
10:10:16.736038 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 76
10:10:18.736269 IP 10.44.3.6.61220 > 10.44.3.1.domain: 2+ A? www.google.com. (32)
10:10:18.736330 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:20.737701 IP 10.44.3.6.61221 > 10.44.3.1.domain: 3+ AAAA? www.google.com. (32)
10:10:20.737758 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:22.738068 IP 10.44.3.6.61222 > 10.44.3.1.domain: 4+ A? www.google.com. (32)
10:10:22.738154 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
10:10:24.737910 IP 10.44.3.6.61223 > 10.44.3.1.domain: 5+ AAAA? www.google.com. (32)
10:10:24.737965 IP 10.44.3.1 > 10.44.3.6: ICMP host 10.44.3.1 unreachable - admin prohibited, length 68
Last but not least, I think my iptables rules look correct (all traffic from 10.44.3.0/29 is accepted and forwarded):
[root@vps50300 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1897K 320M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
229K 14M ACCEPT icmp -- any any anywhere anywhere
10957 820K ACCEPT all -- lo any anywhere anywhere
7128 421K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:http state NEW
7166 425K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:https state NEW
14457 819K ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:ssh state NEW
59 2636 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:ftp state NEW
0 0 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:45632 state NEW
0 0 ACCEPT tcp -- venet0 any anywhere anywhere tcp dpt:45633 state NEW
16 1120 ACCEPT udp -- venet0 any anywhere anywhere udp dpt:openvpn state NEW
47288 3095K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4062K 3220M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
43961 2562K ACCEPT all -- any any 10.44.3.0/29 anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3107K packets, 3306M bytes)
pkts bytes target prot opt in out source destination
But I still seem to hit one of the rules, since I get the ICMP admin prohibited message?
I'm not sure how to fix this, any suggestion would be appreciated.
There is no rule that would allow DNS traffic to your host (a packet will be processed by the FORWARD chain only if both source and destination are 'not this machine'. If the DNS service is running on the server these rules are coming from, you have to look at the INPUT chain).
Try adding:
iptables -I INPUT 8 -i tun0 -p udp --dport 53 -j ACCEPT
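To make the answer's point concrete, here is an added example (not code from the question or the answer) that replays the client's DNS query against a model of the INPUT and FORWARD chains from the iptables listing above. The rules, interfaces, addresses and the insert position 8 are copied from the page; LOCAL_ADDRS is assumed from the listen-on line of named.conf; DNS_QUERY is taken from the tcpdump lines, the other packets are constructed for contrast; all helper names are this example's own. Only the match fields that appear in the posted rules are modelled.

```python
"""Model of the question's INPUT/FORWARD chains, evaluated first-match.

Added example; not from the question or the answer. Only protocol, input
interface, destination port, source network and conntrack state are
modelled, because those are the only match fields in the posted rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or REJECT
    proto: str = "all"               # all, tcp, udp, icmp
    in_if: str = "any"               # input interface; "any" matches all
    dport: Optional[int] = None      # destination port; None matches all
    src: Optional[str] = None        # source CIDR; None means "anywhere"
    states: frozenset = frozenset()  # conntrack states; empty = no state match


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    in_if: str
    dport: Optional[int] = None
    state: str = "NEW"               # first packet of a flow is NEW


# Addresses owned by the gateway itself (assumed from named.conf listen-on).
LOCAL_ADDRS = {"127.0.0.1", "10.44.3.1"}
NEW = frozenset({"NEW"})
ESTABLISHED = frozenset({"RELATED", "ESTABLISHED"})

# INPUT chain exactly as listed in the question, in order.
INPUT_RULES: List[Rule] = [
    Rule("ACCEPT", states=ESTABLISHED),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", in_if="lo"),
    Rule("ACCEPT", proto="tcp", in_if="venet0", dport=80, states=NEW),
    Rule("ACCEPT", proto="tcp", in_if="venet0", dport=443, states=NEW),
    Rule("ACCEPT", proto="tcp", in_if="venet0", dport=22, states=NEW),
    Rule("ACCEPT", proto="tcp", in_if="venet0", dport=21, states=NEW),
    Rule("ACCEPT", proto="tcp", in_if="venet0", dport=45632, states=NEW),
    Rule("ACCEPT", proto="tcp", in_if="venet0", dport=45633, states=NEW),
    Rule("ACCEPT", proto="udp", in_if="venet0", dport=1194, states=NEW),
    Rule("REJECT"),  # reject-with icmp-host-prohibited: the ICMP seen in tcpdump
]

# FORWARD chain from the question.
FORWARD_RULES: List[Rule] = [
    Rule("ACCEPT", states=ESTABLISHED),
    Rule("ACCEPT", src="10.44.3.0/29"),
    Rule("REJECT"),
]


def chain_for(pkt: Packet) -> str:
    """A packet addressed to one of our own IPs is delivered locally and
    traverses INPUT; anything routed through the box traverses FORWARD."""
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.in_if != "any" and rule.in_if != pkt.in_if:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def verdict(pkt: Packet, input_rules: List[Rule] = INPUT_RULES) -> Tuple[str, str, int]:
    """First-match evaluation: (chain, target, 1-based rule number)."""
    chain = chain_for(pkt)
    rules = input_rules if chain == "INPUT" else FORWARD_RULES
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return chain, rule.target, n
    return chain, "ACCEPT", 0  # chain policy from the listing; never reached here


def with_dns_rule(rules: List[Rule], position: int = 8) -> List[Rule]:
    """The answer's fix: iptables -I INPUT 8 -i tun0 -p udp --dport 53 -j ACCEPT.
    Positions are 1-based; 8 lands before the REJECT catch-all, which is what matters."""
    fixed = list(rules)
    fixed.insert(position - 1, Rule("ACCEPT", proto="udp", in_if="tun0", dport=53))
    return fixed


# DNS_QUERY is the packet from the tcpdump; the rest are constructed for contrast.
DNS_QUERY = Packet("10.44.3.6", "10.44.3.1", "udp", "tun0", dport=53)
DNS_TCP_QUERY = Packet("10.44.3.6", "10.44.3.1", "tcp", "tun0", dport=53)
PING = Packet("10.44.3.6", "10.44.3.1", "icmp", "tun0")
UPSTREAM_QUERY = Packet("10.44.3.6", "8.8.8.8", "udp", "tun0", dport=53)  # routed, not local

if __name__ == "__main__":
    for name, pkt in [("dns to gateway", DNS_QUERY), ("dns via gateway", UPSTREAM_QUERY), ("ping", PING)]:
        print(name, verdict(pkt))
    print("dns to gateway, after fix", verdict(DNS_QUERY, with_dns_rule(INPUT_RULES)))
    print("dns/tcp to gateway, after fix", verdict(DNS_TCP_QUERY, with_dns_rule(INPUT_RULES)))
```

The model shows why the FORWARD rule for 10.44.3.0/29 never helped: a query addressed to 10.44.3.1 is local delivery and goes through INPUT, where nothing before the REJECT catch-all matches udp/53 on tun0, hence the icmp-host-prohibited replies in the capture. Note that the suggested rule opens UDP only; resolvers retry over TCP when a response is truncated, so a matching `-p tcp --dport 53` rule is worth adding at the same position (the model shows tcp/53 still hitting REJECT after the UDP fix).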