trace ok but cannot get answer

Ken Lai soulhacker511 at gmail.com
Fri Aug 15 06:49:01 UTC 2008


Kevin Darcy wrote:
> BIND doesn't have an option for "blackhole recursive queries only",
> which is the behavior I'm seeing. So I think it's an external device
> that's blocking the queries. Check your firewall.
>
>
> - Kevin
>
>   
I'm so sorry to bother you. I've checked the config of the only firewall,
and I couldn't find the problem.
Here is the config of the PIX:

Topway-pix# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 auto shutdown
interface ethernet8 auto
interface ethernet9 auto
nameif ethernet0 intf0 security40
nameif ethernet1 intf1 security60
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
nameif ethernet6 intf6 security12
nameif ethernet7 intf7 security14
nameif ethernet8 outside security0
nameif ethernet9 inside security100
enable password S34192oE/KMKvE5a encrypted
passwd S34192oE/KMKvE5a encrypted
hostname Topway-pix
domain-name topway.cn
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit tcp any host 211.148.192.2 eq www
access-list 120 permit tcp any host 211.148.192.8 eq www
access-list 120 permit ip any host 211.148.192.9
access-list 120 permit tcp any host 211.148.192.243 eq ssh
access-list 120 permit udp any host 211.148.192.133 eq domain
access-list 120 permit udp any host 211.148.192.134 eq domain
access-list 120 permit udp any host 211.148.192.135 eq domain
access-list 120 permit udp any host 211.148.192.136 eq domain
access-list 120 permit udp any host 211.148.192.137 eq domain
access-list 120 permit tcp any host 211.148.192.118 eq www
access-list 120 permit tcp any host 211.148.192.119 eq www
access-list 120 permit tcp any host 211.148.192.118 eq pop3
access-list 120 permit tcp any host 211.148.192.119 eq pop3
access-list 120 permit tcp any host 211.148.192.118 eq smtp
access-list 120 permit tcp any host 211.148.192.119 eq smtp
access-list 120 permit ip any host 211.148.192.39
access-list 120 permit ip any host 211.148.192.225
access-list 120 permit ip 203.88.32.0 255.255.224.0 host 211.148.192.33
access-list 120 permit ip 211.148.192.0 255.255.224.0 host 211.148.192.33
access-list 120 permit ip 219.232.160.0 255.255.224.0 host 211.148.192.33
access-list 120 permit ip 219.234.96.0 255.255.224.0 host 211.148.192.33
access-list 120 permit ip 222.248.0.0 255.255.0.0 host 211.148.192.33
access-list 120 permit ip host 61.144.202.193 host 211.148.192.33
access-list 120 permit ip host 61.129.112.122 host 211.148.192.33
access-list 120 permit ip host 202.96.140.10 host 211.148.192.33
access-list 120 permit ip host 202.101.42.16 host 211.148.192.33
access-list 120 permit ip host 61.172.198.56 host 211.148.192.33
access-list 120 permit ip host 61.151.251.175 host 211.148.192.33
access-list 120 permit ip host 211.152.58.135 host 211.148.192.33
access-list 120 permit ip host 202.109.72.59 host 211.148.192.33
access-list 120 permit ip host 202.101.42.186 host 211.148.192.33
access-list 120 permit ip host 218.83.158.119 host 211.148.192.33
access-list 120 permit tcp any host 211.148.192.26 eq www
access-list 120 permit ip any host 211.148.192.253
access-list 120 permit ip any host 211.148.192.242
access-list 120 permit ip any host 211.148.192.243
access-list 120 permit ip any host 211.148.192.244
access-list 120 permit tcp any host 211.148.192.230 eq www
access-list 120 permit ip any host 211.148.192.35
access-list 120 permit ip any host 211.148.192.241
access-list 120 permit tcp any host 211.148.192.250 eq ssh
access-list 120 permit tcp any host 211.148.192.250 eq www
access-list 120 permit ip any host 211.148.192.248
access-list 120 permit tcp any host 211.148.192.118 eq 2233
access-list 120 permit tcp any host 211.148.192.2 eq ftp
access-list 120 permit tcp any host 211.148.192.6
access-list 120 permit tcp any host 211.148.192.118 eq 3306
access-list 120 permit ip any host 211.148.192.251
access-list 120 permit ip any host 211.148.192.252
access-list 120 permit ip any host 211.148.192.5
access-list 120 permit ip any host 211.148.192.40
access-list 120 permit ip any host 211.148.192.250
access-list 120 permit ip any host 211.148.192.34
access-list 120 permit ip any host 211.148.192.18
access-list 120 permit ip host 218.80.198.65 host 211.148.192.33
access-list 120 permit ip host 218.80.198.66 host 211.148.192.33
access-list 120 permit ip 222.125.0.0 255.255.0.0 host 211.148.192.33
access-list 120 permit ip any host 211.148.192.19
access-list 120 permit udp any host 211.148.192.132 eq domain
access-list 120 permit ip host 211.148.195.244 211.148.192.0 255.255.255.0
access-list 120 permit icmp any any
access-list 120 permit ip 192.168.222.0 255.255.255.0 211.148.192.0 255.255.255.0
pager lines 24
logging on
logging console errors
logging buffered warnings
mtu intf0 1500
mtu intf1 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu intf7 1500
mtu outside 1500
mtu inside 1500
no ip address intf0
no ip address intf1
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
no ip address intf6
no ip address intf7
ip address outside 10.0.254.50 255.255.255.252
ip address inside 211.148.192.254 255.255.255.0
ip audit info action alarm
ip audit attack action drop
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address intf0
no failover ip address intf1
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
no failover ip address intf6
no failover ip address intf7
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
static (inside,outside) 211.148.192.33 211.148.192.33 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.118 211.148.192.118 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.119 211.148.192.119 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.242 211.148.192.242 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.243 211.148.192.243 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.244 211.148.192.244 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.133 211.148.192.133 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.134 211.148.192.134 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.135 211.148.192.135 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.136 211.148.192.136 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.137 211.148.192.137 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.26 211.148.192.26 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.5 211.148.192.5 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.9 211.148.192.9 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.2 211.148.192.2 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.8 211.148.192.8 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.39 211.148.192.39 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.225 211.148.192.225 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.253 211.148.192.253 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.230 211.148.192.230 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.35 211.148.192.35 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.241 211.148.192.241 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.250 211.148.192.250 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.248 211.148.192.248 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.6 211.148.192.6 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.251 211.148.192.251 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.252 211.148.192.252 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.40 211.148.192.40 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.34 211.148.192.34 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.18 211.148.192.18 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.19 211.148.192.19 netmask 255.255.255.255 0 0
static (inside,outside) 211.148.192.132 211.148.192.132 netmask 255.255.255.255 0 0
access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.254.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 211.148.192.250
no snmp-server location
no snmp-server contact
snmp-server community snmptopway
no snmp-server enable traps
floodguard enable
telnet 211.148.195.88 255.255.255.255 outside
telnet 211.148.195.244 255.255.255.255 outside
telnet 211.148.192.0 255.255.255.0 inside
telnet timeout 5
ssh 211.148.195.244 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9f06d82c08a600dd6bb8f8ed6b3f0be9
: end
Topway-pix#
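
Whether a packet arriving on the outside interface is admitted by `access-list 120` can be checked mechanically instead of by eye. The following is an added example, not part of the original post: a first-match evaluator for the entry forms used in the config above, run over a few entries copied from it; the function names and the client address 198.51.100.7 are assumptions made for illustration.

```python
import ipaddress

# Service names used in the posted config, mapped to port numbers.
PORTS = {"domain": 53, "www": 80, "ssh": 22, "smtp": 25, "pop3": 110, "ftp": 21}

# Excerpt copied from the config in the post (not the full access-list 120).
ACL = """\
access-list 120 permit ip any host 211.148.192.9
access-list 120 permit udp any host 211.148.192.133 eq domain
access-list 120 permit ip 203.88.32.0 255.255.224.0 host 211.148.192.33
access-list 120 permit tcp any host 211.148.192.118 eq 2233
access-list 120 permit icmp any any
"""

def _addr(tok):
    """Consume 'any', 'host A' or 'A MASK' (PIX uses subnet masks, not wildcards)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text, acl_id="120"):
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]' lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != acl_id:
            continue
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
        aces.append({"action": tok[2], "proto": tok[3], "src": src,
                     "dst": dst, "port": port, "line": line})
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and (ace["port"] is None or ace["port"] == dport)):
            return ace["action"], ace["line"]
    return "deny", "implicit deny"

if __name__ == "__main__":
    aces = parse_acl(ACL)
    for proto in ("udp", "tcp"):  # 198.51.100.7 is a constructed outside client
        print(proto, evaluate(aces, proto, "198.51.100.7", "211.148.192.133", 53))
```

The results apply to the excerpt only; paste the complete `access-list 120` into `ACL` to evaluate the whole policy.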

