dnsmasq的Rebind protection导致的域名解析问题

路由器配置如下：

root@liangbo:~# uci show network.wan
network.wan=interface
network.wan.ifname=eth0
network.wan.proto=dhcp   <=============WAN 自动获取配置信息

root@liangbo:~# uci show network.lan
network.lan=interface
network.lan.ifname=eth1
network.lan.force_link=1
network.lan.type=bridge
network.lan.proto=static
network.lan.ipaddr=192.168.1.1
network.lan.netmask=255.255.255.0
network.lan.ip6assign=60

root@liangbo:~# ifconfig eth0   <=====WAN口成功获得地址
eth0      Link encap:Ethernet  HWaddr 00:1B:C5:09:A6:F3
          inet addr:10.100.20.71  Bcast:10.100.20.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:c5ff:fe09:a6f3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55112 errors:0 dropped:297 overruns:0 frame:0
          TX packets:32181 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18004058 (17.1 MiB)  TX bytes:6529135 (6.2 MiB)

root@liangbo:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto   <==== 使用该文件解析域名.
dhcp.@dnsmasq[0].domainneeded=1
...

root@liangbo:~# cat /tmp/resolv.conf.auto                 <==== DHCP分配的DNS服务器
# Interface wan
nameserver 172.16.172.82
nameserver 172.16.172.83
search jiguan.hnecgc.com.cn

试图解析 oa.hnccgc.com 失败

root@liangbo:~# nslookup oa.hnccgc.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost
nslookup: can't resolve 'oa.hnccgc.com': Name or service not known    <=== failed

试图使用172.16.172.82 解析 oa.hnccgc.com 成功
root@liangbo:~# nslookup oa.hnccgc.com 172.16.172.82
Server:    172.16.172.82
Address 1: 172.16.172.82 bogon
Name:      oa.hnccgc.com
Address 1: 172.16.172.101 bogon   <===== successed

原因：

dnsmasq 开启了rebind protection，也就是反域名劫持保护。由于上级dns返回的地址是个私有局域网地址，所以被看作是一次域名劫持，从而丢弃了解析的结果。

解决方法：
关闭掉rebind protection就好了，具体方法是：Network==〉DHCP and DNS ==> Server settings ==> General Settings , 勾选掉 Rebind protection.