As Kevin has said, this is likely in the firewall config. Try adding (actually removing):
no fixup protocol dns

and then probably also:

access-list 120 permit tcp any host 211.148.192.133 eq domain
access-list 120 permit tcp any host 211.148.192.134 eq domain
access-list 120 permit tcp any host 211.148.192.135 eq domain
access-list 120 permit tcp any host 211.148.192.136 eq domain
access-list 120 permit tcp any host 211.148.192.137 eq domain

On Fri, 2008-08-15 at 14:49 +0800, Ken Lai wrote:
> Kevin Darcy wrote:
> > BIND doesn't have an option for "blackhole recursive queries only",
> > which is the behavior I'm seeing. So I think it's an external device
> > that's blocking the queries. Check your firewall.
> >
> > - Kevin
> >
> I'm so sorry to bother you. I've checked the only one firewall's config,
> and I couldn't find out the problem
> here is the config of pix:
>
> Topway-pix# sh run
> : Saved
> :
> PIX Version 6.3(4)
> interface ethernet0 auto shutdown
> interface ethernet1 auto shutdown
> interface ethernet2 auto shutdown
> interface ethernet3 auto shutdown
> interface ethernet4 auto shutdown
> interface ethernet5 auto shutdown
> interface ethernet6 auto shutdown
> interface ethernet7 auto shutdown
> interface ethernet8 auto
> interface ethernet9 auto
> nameif ethernet0 intf0 security40
> nameif ethernet1 intf1 security60
> nameif ethernet2 intf2 security4
> nameif ethernet3 intf3 security6
> nameif ethernet4 intf4 security8
> nameif ethernet5 intf5 security10
> nameif ethernet6 intf6 security12
> nameif ethernet7 intf7 security14
> nameif ethernet8 outside security0
> nameif ethernet9 inside security100
> enable password S34192oE/KMKvE5a encrypted
> passwd S34192oE/KMKvE5a encrypted
> hostname Topway-pix
> domain-name topway.cn
> fixup protocol dns maximum-length 1024
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> no fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list 120 permit tcp any host 211.148.192.2 eq www
> access-list 120 permit tcp any host 211.148.192.8 eq www
> access-list 120 permit ip any host 211.148.192.9
> access-list 120 permit tcp any host 211.148.192.243 eq ssh
> access-list 120 permit udp any host 211.148.192.133 eq domain
> access-list 120 permit udp any host 211.148.192.134 eq domain
> access-list 120 permit udp any host 211.148.192.135 eq domain
> access-list 120 permit udp any host 211.148.192.136 eq domain
> access-list 120 permit udp any host 211.148.192.137 eq domain
> access-list 120 permit tcp any host 211.148.192.118 eq www
> access-list 120 permit tcp any host 211.148.192.119 eq www
> access-list 120 permit tcp any host 211.148.192.118 eq pop3
> access-list 120 permit tcp any host 211.148.192.119 eq pop3
> access-list 120 permit tcp any host 211.148.192.118 eq smtp
> access-list 120 permit tcp any host 211.148.192.119 eq smtp
> access-list 120 permit ip any host 211.148.192.39
> access-list 120 permit ip any host 211.148.192.225
> access-list 120 permit ip 203.88.32.0 255.255.224.0 host 211.148.192.33
> access-list 120 permit ip 211.148.192.0 255.255.224.0 host 211.148.192.33
> access-list 120 permit ip 219.232.160.0 255.255.224.0 host 211.148.192.33
> access-list 120 permit ip 219.234.96.0 255.255.224.0 host 211.148.192.33
> access-list 120 permit ip 222.248.0.0 255.255.0.0 host 211.148.192.33
> access-list 120 permit ip host 61.144.202.193 host 211.148.192.33
> access-list 120 permit ip host 61.129.112.122 host 211.148.192.33
> access-list 120 permit ip host 202.96.140.10 host 211.148.192.33
> access-list 120 permit ip host 202.101.42.16 host 211.148.192.33
> access-list 120 permit ip host 61.172.198.56 host 211.148.192.33
> access-list 120 permit ip host 61.151.251.175 host 211.148.192.33
> access-list 120 permit ip host 211.152.58.135 host 211.148.192.33
> access-list 120 permit ip host 202.109.72.59 host 211.148.192.33
> access-list 120 permit ip host 202.101.42.186 host 211.148.192.33
> access-list 120 permit ip host 218.83.158.119 host 211.148.192.33
> access-list 120 permit tcp any host 211.148.192.26 eq www
> access-list 120 permit ip any host 211.148.192.253
> access-list 120 permit ip any host 211.148.192.242
> access-list 120 permit ip any host 211.148.192.243
> access-list 120 permit ip any host 211.148.192.244
> access-list 120 permit tcp any host 211.148.192.230 eq www
> access-list 120 permit ip any host 211.148.192.35
> access-list 120 permit ip any host 211.148.192.241
> access-list 120 permit tcp any host 211.148.192.250 eq ssh
> access-list 120 permit tcp any host 211.148.192.250 eq www
> access-list 120 permit ip any host 211.148.192.248
> access-list 120 permit tcp any host 211.148.192.118 eq 2233
> access-list 120 permit tcp any host 211.148.192.2 eq ftp
> access-list 120 permit tcp any host 211.148.192.6
> access-list 120 permit tcp any host 211.148.192.118 eq 3306
> access-list 120 permit ip any host 211.148.192.251
> access-list 120 permit ip any host 211.148.192.252
> access-list 120 permit ip any host 211.148.192.5
> access-list 120 permit ip any host 211.148.192.40
> access-list 120 permit ip any host 211.148.192.250
> access-list 120 permit ip any host 211.148.192.34
> access-list 120 permit ip any host 211.148.192.18
> access-list 120 permit ip host 218.80.198.65 host 211.148.192.33
> access-list 120 permit ip host 218.80.198.66 host 211.148.192.33
> access-list 120 permit ip 222.125.0.0 255.255.0.0 host 211.148.192.33
> access-list 120 permit ip any host 211.148.192.19
> access-list 120 permit udp any host 211.148.192.132 eq domain
> access-list 120 permit ip host 211.148.195.244 211.148.192.0 255.255.255.0
> access-list 120 permit icmp any any
> access-list 120 permit ip 192.168.222.0 255.255.255.0 211.148.192.0 255.255.255.0
> pager lines 24
> logging on
> logging console errors
> logging buffered warnings
> mtu intf0 1500
> mtu intf1 1500
> mtu intf2 1500
> mtu intf3 1500
> mtu intf4 1500
> mtu intf5 1500
> mtu intf6 1500
> mtu intf7 1500
> mtu outside 1500
> mtu inside 1500
> no ip address intf0
> no ip address intf1
> no ip address intf2
> no ip address intf3
> no ip address intf4
> no ip address intf5
> no ip address intf6
> no ip address intf7
> ip address outside 10.0.254.50 255.255.255.252
> ip address inside 211.148.192.254 255.255.255.0
> ip audit info action alarm
> ip audit attack action drop
> no failover
> failover timeout 0:00:00
> failover poll 15
> no failover ip address intf0
> no failover ip address intf1
> no failover ip address intf2
> no failover ip address intf3
> no failover ip address intf4
> no failover ip address intf5
> no failover ip address intf6
> no failover ip address intf7
> no failover ip address outside
> no failover ip address inside
> pdm history enable
> arp timeout 14400
> static (inside,outside) 211.148.192.33 211.148.192.33 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.118 211.148.192.118 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.119 211.148.192.119 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.242 211.148.192.242 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.243 211.148.192.243 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.244 211.148.192.244 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.133 211.148.192.133 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.134 211.148.192.134 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.135 211.148.192.135 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.136 211.148.192.136 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.137 211.148.192.137 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.26 211.148.192.26 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.5 211.148.192.5 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.9 211.148.192.9 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.2 211.148.192.2 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.8 211.148.192.8 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.39 211.148.192.39 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.225 211.148.192.225 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.253 211.148.192.253 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.230 211.148.192.230 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.35 211.148.192.35 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.241 211.148.192.241 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.250 211.148.192.250 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.248 211.148.192.248 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.6 211.148.192.6 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.251 211.148.192.251 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.252 211.148.192.252 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.40 211.148.192.40 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.34 211.148.192.34 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.18 211.148.192.18 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.19 211.148.192.19 netmask 255.255.255.255 0 0
> static (inside,outside) 211.148.192.132 211.148.192.132 netmask 255.255.255.255 0 0
> access-group 120 in interface outside
> route outside 0.0.0.0 0.0.0.0 10.0.254.49 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> snmp-server host inside 211.148.192.250
> no snmp-server location
> no snmp-server contact
> snmp-server community snmptopway
> no snmp-server enable traps
> floodguard enable
> telnet 211.148.195.88 255.255.255.255 outside
> telnet 211.148.195.244 255.255.255.255 outside
> telnet 211.148.192.0 255.255.255.0 inside
> telnet timeout 5
> ssh 211.148.195.244 255.255.255.255 outside
> ssh timeout 5
> console timeout 0
> terminal width 80
> Cryptochecksum:9f06d82c08a600dd6bb8f8ed6b3f0be9
> : end
> Topway-pix#
>

-- 
Jeff Reasoner
HCCA
513 728-7902
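
Added example, not part of the original message or of the quoted PIX configuration: a Python check for the two things the reply points at, the state of the DNS fixup line and hosts that are permitted for "domain" over UDP but not over TCP (DNS clients retry over TCP when a UDP answer is truncated). The sample config is constructed in the style of the quoted one, audit_dns is a hypothetical helper name, and only "permit ... any host X" entries are considered.

```python
import re

# Constructed sample lines in the style of the quoted PIX 6.3 config.
SAMPLE_CONFIG = """\
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
access-list 120 permit tcp any host 211.148.192.2 eq www
access-list 120 permit udp any host 211.148.192.133 eq domain
access-list 120 permit udp any host 211.148.192.134 eq domain
access-list 120 permit tcp any host 211.148.192.134 eq domain
access-list 120 permit ip any host 211.148.192.9
"""

FIXUP_RE = re.compile(
    r"^(no\s+)?fixup\s+protocol\s+dns(?:\s+maximum-length\s+(\d+))?\s*$")
# Assumption: only entries of the form "permit <proto> any host <ip> [eq <port>]".
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(tcp|udp|ip)\s+any\s+host\s+(\S+)"
    r"(?:\s+eq\s+(\S+))?\s*$")

def audit_dns(config_text):
    """Return (fixup_state, hosts reachable on UDP/53 but not TCP/53)."""
    fixup = {"enabled": None, "max_length": None}  # None = no fixup dns line seen
    allowed = {"tcp": set(), "udp": set()}
    for raw in config_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted input
        m = FIXUP_RE.match(line)
        if m:
            fixup["enabled"] = m.group(1) is None
            fixup["max_length"] = (
                int(m.group(2)) if m.group(2) and fixup["enabled"] else None)
            continue
        m = ACL_RE.match(line)
        if not m:
            continue
        proto, host, port = m.groups()
        # No port means all ports; otherwise only port 53 ("domain") matters.
        if port not in (None, "domain", "53"):
            continue
        for p in (("tcp", "udp") if proto == "ip" else (proto,)):
            allowed[p].add(host)
    return fixup, sorted(allowed["udp"] - allowed["tcp"])

if __name__ == "__main__":
    state, udp_only = audit_dns(SAMPLE_CONFIG)
    print("DNS fixup:", state)
    print("UDP/53 permitted, TCP/53 not:", udp_only)
```
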
