trace ok but cannot get answer

Jeff Reasoner jeff.reasoner at mail.hccanet.org
Fri Aug 15 12:36:00 UTC 2008


As Kevin has said, this is likely in the firewall config.
Try adding (actually removing):

no fixup protocol dns

and then probably also:

access-list 120 permit tcp any host 211.148.192.133 eq domain
access-list 120 permit tcp any host 211.148.192.134 eq domain
access-list 120 permit tcp any host 211.148.192.135 eq domain
access-list 120 permit tcp any host 211.148.192.136 eq domain
access-list 120 permit tcp any host 211.148.192.137 eq domain

On Fri, 2008-08-15 at 14:49 +0800, Ken Lai wrote:
> Kevin Darcy wrote:
> > BIND doesn't have an option for "blackhole recursive queries only",
> > which is the behavior I'm seeing. So I think it's an external device
> > that's blocking the queries. Check your firewall.
> >
> > - Kevin
> >
> I'm so sorry to bother you. I've checked the only firewall's config,
> and I couldn't find the problem.
> Here is the config of the pix:
> 
> Topway-pix# sh run
> : Saved
> :
> PIX Version 6.3(4)
> interface ethernet0 auto shutdown
> interface ethernet1 auto shutdown
> interface ethernet2 auto shutdown
> interface ethernet3 auto shutdown
> interface ethernet4 auto shutdown
> interface ethernet5 auto shutdown
> interface ethernet6 auto shutdown
> interface ethernet7 auto shutdown
> interface ethernet8 auto
> interface ethernet9 auto
> nameif ethernet0 intf0 security40
> nameif ethernet1 intf1 security60
> nameif ethernet2 intf2 security4
> nameif ethernet3 intf3 security6
> nameif ethernet4 intf4 security8
> nameif ethernet5 intf5 security10
> nameif ethernet6 intf6 security12
> nameif ethernet7 intf7 security14
> nameif ethernet8 outside security0
> nameif ethernet9 inside security100
> enable password S34192oE/KMKvE5a encrypted
> passwd S34192oE/KMKvE5a encrypted
> hostname Topway-pix
> domain-name topway.cn
> fixup protocol dns maximum-length 1024
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> no fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list 120 permit tcp any host 211.148.192.2 eq www
> access-list 120 permit tcp any host 211.148.192.8 eq www
> access-list 120 permit ip any host 211.148.192.9
> access-list 120 permit tcp any host 211.148.192.243 eq ssh
> access-list 120 permit udp any host 211.148.192.133 eq domain
> access-list 120 permit udp any host 211.148.192.134 eq domain
> access-list 120 permit udp any host 211.148.192.135 eq domain
> access-list 120 permit udp any host 211.148.192.136 eq domain
> access-list 120 permit udp any host 211.148.192.137 eq domain
> access-list 120 permit tcp any host 211.148.192.118 eq www
> access-list 120 permit tcp any host 211.148.192.119 eq www
> access-list 120 permit tcp any host 211.148.192.118 eq pop3
> access-list 120 permit tcp any host 211.148.192.119 eq pop3
> access-list 120 permit tcp any host 211.148.192.118 eq smtp
> access-list 120 permit tcp any host 211.148.192.119 eq smtp
> access-list 120 permit ip any host 211.148.192.39
> access-list 120 permit ip any host 211.148.192.225
> access-list 120 permit ip 203.88.32.0 255.255.224.0 host 211.148.192.33
> access-list 120 permit ip 211.148.192.0 255.255.224.0 host 211.148.192.33
> access-list 120 permit ip 219.232.160.0 255.255.224.0 host 211.148.192.33
> access-list 120 permit ip 219.234.96.0 255.255.224.0 host 211.148.192.33
> access-list 120 permit ip 222.248.0.0 255.255.0.0 host 211.148.192.33
> access-list 120 permit ip host 61.144.202.193 host 211.148.192.33
> access-list 120 permit ip host 61.129.112.122 host 211.148.192.33
> access-list 120 permit ip host 202.96.140.10 host 211.148.192.33
> access-list 120 permit ip host 202.101.42.16 host 211.148.192.33
> access-list 120 permit ip host 61.172.198.56 host 211.148.192.33
> access-list 120 permit ip host 61.151.251.175 host 211.148.192.33
> access-list 120 permit ip host 211.152.58.135 host 211.148.192.33
> access-list 120 permit ip host 202.109.72.59 host 211.148.192.33
> access-list 120 permit ip host 202.101.42.186 host 211.148.192.33
> access-list 120 permit ip host 218.83.158.119 host 211.148.192.33
> access-list 120 permit tcp any host 211.148.192.26 eq www
> access-list 120 permit ip any host 211.148.192.253
> access-list 120 permit ip any host 211.148.192.242
> access-list 120 permit ip any host 211.148.192.243
> access-list 120 permit ip any host 211.148.192.244
> access-list 120 permit tcp any host 211.148.192.230 eq www
> access-list 120 permit ip any host 211.148.192.35
> access-list 120 permit ip any host 211.148.192.241
> access-list 120 permit tcp any host 211.148.192.250 eq ssh
> access-list 120 permit tcp any host 211.148.192.250 eq www
> access-list 120 permit ip any host 211.148.192.248
> access-list 120 permit tcp any host 211.148.192.118 eq 2233
> access-list 120 permit tcp any host 211.148.192.2 eq ftp
> access-list 120 permit tcp any host 211.148.192.6
> access-list 120 permit tcp any host 211.148.192.118 eq 3306
> access-list 120 permit ip any host 211.148.192.251
> access-list 120 permit ip any host 211.148.192.252
> access-list 120 permit ip any host 211.148.192.5
> access-list 120 permit ip any host 211.148.192.40
> access-list 120 permit ip any host 211.148.192.250
> access-list 120 permit ip any host 211.148.192.34
> access-list 120 permit ip any host 211.148.192.18
> access-list 120 permit ip host 218.80.198.65 host 211.148.192.33
> access-list 120 permit ip host 218.80.198.66 host 211.148.192.33
> access-list 120 permit ip 222.125.0.0 255.255.0.0 host 211.148.192.33
> access-list 120 permit ip any host 211.148.192.19
> access-list 120 permit udp any host 211.148.192.132 eq domain
> access-list 120 permit ip host 211.148.195.244 211.148.192.0 255.255.255.0
> access-list 120 permit icmp any any
> access-list 120 permit ip 192.168.222.0 255.255.255.0 211.148.192.0 255.255.255.0
> pager lines 24
> logging on
> logging console errors
> logging buffered warnings
> mtu intf0 1500
> mtu intf1 1500
> mtu intf2 1500
> mtu intf3 1500
> mtu intf4 1500
> mtu intf5 1500
> mtu intf6 1500
> mtu intf7 1500
> mtu outside 1500
> mtu inside 1500
> no ip address intf0
> no ip address intf1
> no ip address intf2
> no ip address intf3
> no ip address intf4
> no ip address intf5
> no ip address intf6
> no ip address intf7
> ip address outside 10.0.254.50 255.255.255.252
> ip address inside 211.148.192.254 255.255.255.0
> ip audit info action alarm
> ip audit attack action drop
> no failover
> failover timeout 0:00:00
> failover poll 15
> no failover ip address intf0
> no failover ip address intf1
> no failover ip address intf2
> no failover ip address intf3
> no failover ip address intf4
> no failover ip address intf5
> no failover ip address intf6
> no failover ip address intf7
> no failover ip address outside
> no failover ip address inside
> pdm history enable
> arp timeout 14400
> static (inside,outside) 211.148.192.33 211.148.192.33 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.118 211.148.192.118 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.119 211.148.192.119 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.242 211.148.192.242 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.243 211.148.192.243 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.244 211.148.192.244 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.133 211.148.192.133 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.134 211.148.192.134 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.135 211.148.192.135 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.136 211.148.192.136 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.137 211.148.192.137 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.26 211.148.192.26 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.5 211.148.192.5 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.9 211.148.192.9 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.2 211.148.192.2 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.8 211.148.192.8 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.39 211.148.192.39 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.225 211.148.192.225 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.253 211.148.192.253 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.230 211.148.192.230 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.35 211.148.192.35 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.241 211.148.192.241 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.250 211.148.192.250 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.248 211.148.192.248 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.6 211.148.192.6 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.251 211.148.192.251 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.252 211.148.192.252 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.40 211.148.192.40 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.34 211.148.192.34 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.18 211.148.192.18 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.19 211.148.192.19 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.132 211.148.192.132 netmask 255.255.255.255 0 0
> access-group 120 in interface outside
> route outside 0.0.0.0 0.0.0.0 10.0.254.49 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> snmp-server host inside 211.148.192.250
> no snmp-server location
> no snmp-server contact
> snmp-server community snmptopway
> no snmp-server enable traps
> floodguard enable
> telnet 211.148.195.88 255.255.255.255 outside
> telnet 211.148.195.244 255.255.255.255 outside
> telnet 211.148.192.0 255.255.255.0 inside
> telnet timeout 5
> ssh 211.148.195.244 255.255.255.255 outside
> ssh timeout 5
> console timeout 0
> terminal width 80
> Cryptochecksum:9f06d82c08a600dd6bb8f8ed6b3f0be9
> : end
> Topway-pix#
> 
-- 
Jeff Reasoner
HCCA
513 728-7902
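An added example, not from the thread, that checks a PIX 6.x running-config for the two things Jeff's reply points at: DNS servers permitted only over UDP/53 (so a truncated answer cannot fall back to TCP/53) and a `fixup protocol dns maximum-length` cap smaller than the EDNS0 buffer size BIND advertises by default (4096). The function name, the `edns_size` parameter and the config excerpt are mine; the excerpt is constructed from the config quoted above.

```python
"""Audit a PIX 6.x running-config for DNS rules that break recursion."""
import re

# access-list <name> permit <tcp|udp> any host <ip> eq domain
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+any\s+host\s+"
    r"(?P<host>\d+\.\d+\.\d+\.\d+)\s+eq\s+domain$"
)
# fixup protocol dns maximum-length <bytes>  (absent when 'no fixup protocol dns')
FIXUP_RE = re.compile(r"^fixup protocol dns maximum-length (?P<len>\d+)$")


def audit_dns_rules(config: str, edns_size: int = 4096) -> dict:
    """Return DNS hosts reachable only over UDP/53 and the DNS fixup cap, if any.

    edns_size is the UDP payload size the resolver advertises; 4096 is BIND's
    default edns-udp-size, so a smaller fixup cap drops large replies.
    """
    udp_hosts, tcp_hosts = set(), set()
    fixup_max = None
    for raw in config.splitlines():
        # Tolerate lines pasted from a quoted mail ("> access-list ...").
        line = raw.lstrip("> ").strip()
        m = ACL_RE.match(line)
        if m:
            (udp_hosts if m["proto"] == "udp" else tcp_hosts).add(m["host"])
            continue
        m = FIXUP_RE.match(line)
        if m:
            fixup_max = int(m["len"])
    by_octet = lambda h: tuple(int(o) for o in h.split("."))
    return {
        "udp_only": sorted(udp_hosts - tcp_hosts, key=by_octet),
        "fixup_max": fixup_max,
        "fixup_too_small": fixup_max is not None and fixup_max < edns_size,
    }


# Constructed excerpt modelled on the config quoted in the thread.
SAMPLE_CONFIG = """\
fixup protocol dns maximum-length 1024
access-list 120 permit tcp any host 211.148.192.2 eq www
access-list 120 permit udp any host 211.148.192.133 eq domain
access-list 120 permit udp any host 211.148.192.134 eq domain
access-list 120 permit tcp any host 211.148.192.134 eq domain
"""

if __name__ == "__main__":
    for key, val in audit_dns_rules(SAMPLE_CONFIG).items():
        print(f"{key}: {val}")
```

Run against the full quoted config (with wrapped lines rejoined), every one of the five DNS servers shows up in `udp_only`, which is exactly the gap Jeff's proposed `tcp ... eq domain` entries close.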