- dnsmasq: lightweight with a small footprint, suited to resource-constrained routers and firewalls; it can be configured as a caching DNS forwarder
- bind: the most mature DNS server and the reference for the DNS standards, but its extensibility is limited
- PowerDNS: ships with a mature management and control system
- CoreDNS: the successor of SkyDNS; every feature is implemented as pluggable middleware
AWS DNS, BIND, PowerDNS and CoreDNS are examined in turn below.
AWS VPC DNS
When an EC2 instance boots it requests DNS server addresses over DHCP and writes the response into the local /etc/resolv.conf. The DHCP option set controls the DNS servers, domain name and NTP servers handed to the instances in a VPC.
When a VPC is created, Route 53 uses the Resolver in the VPC to answer the EC2 instances' local VPC DNS queries. For all other domain names the Resolver performs recursive lookups against public name servers. The Resolver created by default is mapped to the .2 address. (I don't fully understand this part yet and will add to it later.)
To reduce CPU and network usage and avoid DNS resolution failures, dnsmasq can be set up as a local cache.
Using a DNS cache
```shell
$ sudo yum install -y dnsmasq
$ sudo groupadd -r dnsmasq
$ sudo useradd -r -g dnsmasq dnsmasq
$ sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
$ sudo vim /etc/dnsmasq.conf
```
```
# Server Configuration
listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
# Name resolution options
resolv-file=/etc/resolv.dnsmasq
cache-size=500
neg-ttl=60
domain-needed
bogus-priv
```
```shell
# write the AWS DNS server address into the dnsmasq upstream file
$ sudo bash -c "echo 'nameserver 169.254.169.253' > /etc/resolv.dnsmasq"
# start dnsmasq
$ sudo systemctl restart dnsmasq.service
$ sudo systemctl enable dnsmasq.service
$ systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 13:54:38 UTC; 2s ago
 Main PID: 4668 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─4668 /usr/sbin/dnsmasq -k
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal systemd[1]: Started DNS caching server..
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: listening on lo(#1): 127.0.0.1
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: listening on lo(#1): ::1
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: started, version 2.76 cachesize 500
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no...notify
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: reading /etc/resolv.dnsmasq
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: using nameserver 169.254.169.253#53
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: read /etc/hosts - 2 addresses
```
dnsmasq is now a caching DNS server in front of 169.254.169.253. Next, the default DNS resolver supplied by DHCP must be disabled by editing or creating /etc/dhcp/dhclient.conf.
Capture packets to see the exchange in detail:
```shell
$ sudo tcpdump -nt -s 500 -i eth0 port domain
$ dig www.baidu.com @127.0.0.1
IP 172.31.27.105.30600 > 169.254.169.253.domain: 19883+ [1au] A? www.baidu.com. (42)
IP 169.254.169.253.domain > 172.31.27.105.30600: 19883 3/0/1 CNAME www.a.shifen.com., A 39.156.66.14, A 39.156.66.18 (104)
```
BIND
BIND-related packages:
- bind: the DNS server
- bind-libs: library files shared by the programs in the bind and bind-utils packages
- bind-utils: BIND client tools
- bind-chroot: confines the DNS service to a restricted directory, chroot-style
Installing BIND
rndc (remote name domain controller)
Installed on the same host as BIND by default and able to connect to the named process only via 127.0.0.1; provides auxiliary management functions; listens on 953/tcp.
```shell
$ yum install -y bind
$ rpm -ql bind
$ ls /var/named
data dynamic named.ca named.empty named.localhost named.loopback slaves
# named.ca        addresses of the global DNS root servers
# named.localhost local loopback zone file
# named.loopback
# start the service
$ systemctl start named
$ ss -luntp | grep ':53'
```
BIND configuration
- Main configuration file: /etc/named.conf
- Zone configuration file: /etc/named.rfc1912.zones, which declares the zones this host resolves, e.g. zone "ZONE_NAME" IN {}
```
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
options {
    listen-on port 53 { any; };                 // defaults to localhost only
    listen-on-v6 port 53 { ::1; };              // IPv6 support
    directory "/var/named";                     // default directory for forward/reverse zone files
    dump-file "/var/named/data/cache_dump.db";  // cache dump file
    statistics-file "/var/named/data/named_stats.txt";  // named statistics file
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };       // addresses allowed to query; default is localhost
    recursion yes;              // allow recursive queries
    forward only;               // forward only
    forwarders { 169.254.169.253; };
    dnssec-enable no;           // disable DNSSEC
    dnssec-validation no;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {                       // server log sources
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
```
Create the new zone in /etc/named.rfc1912.zones; the zone file itself lives under /var/named:
```
zone "test.com" IN {
    type master;
    file "test.com.zone";
};
```
```
# cat /var/named/test.com.zone
$TTL 1D
$ORIGIN test.com.
@       IN SOA  ns1.test.com. admin.test.com. (
                2019112201
                1H
                5M
                7D
                1D )
        IN NS   ns1
        IN NS   ns2
        IN MX   10 mx1
        IN MX   20 mx2
ns1     IN A    10.10.1.1
ns2     IN A    10.10.1.2
mx1     IN A    10.10.1.3
mx2     IN A    10.10.1.4
www     IN A    10.10.1.5
www     IN A    10.10.1.6
ftp     IN CNAME www
```
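As an added example (not part of the original notes), the Python below parses a zone in the format of test.com.zone above the way named does: $ORIGIN expansion of relative names, owner inheritance on indented lines and the parenthesised multi-line SOA. It also runs one sanity check, in-zone NS names without an A record; the embedded zone is a copy of the one above with the ns2 A record deliberately dropped so the check fires.

```python
import re

# Zone text copied from test.com.zone above, minus the ns2 A record
# (constructed variant so that missing_ns_glue() has something to report).
ZONE_TEXT = """$TTL 1D
$ORIGIN test.com.
@ IN SOA ns1.test.com. admin.test.com. (
    2019112201
    1H
    5M
    7D
    1D )
    IN NS ns1
    IN NS ns2
ns1 IN A 10.10.1.1
www IN A 10.10.1.5
ftp IN CNAME www
"""

def fqdn(name, origin):
    """Expand a name as named does: '@' is the origin, and a name without a
    trailing dot gets the origin appended (admin.test.com -> admin.test.com.test.com.)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples with every name fully qualified.
    Assumes class IN on every record, no per-record TTLs and no ';' comments."""
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    origin, ttl, owner, records = None, None, None, []
    for raw in filter(str.strip, text.splitlines()):
        fields = raw.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
        elif fields[0] == "$TTL":
            ttl = fields[1]
        else:
            if not raw[0].isspace():            # explicit owner; indented lines inherit it
                owner = fqdn(fields.pop(0), origin)
            _, rtype, *rdata = fields           # leading field is the class IN
            if rtype in ("NS", "CNAME"):
                rdata = [fqdn(rdata[0], origin)]
            elif rtype == "SOA":                # MNAME and RNAME are names too
                rdata = [fqdn(rdata[0], origin), fqdn(rdata[1], origin), *rdata[2:]]
            records.append((owner, ttl, rtype, tuple(rdata)))
    return records

def missing_ns_glue(records):
    """In-zone NS targets that have no A record; named-checkzone reports these too."""
    a_owners = {o for o, _, t, _ in records if t == "A"}
    origin = next(o for o, _, t, _ in records if t == "SOA")
    return sorted(r[0] for _, _, t, r in records
                  if t == "NS" and r[0].endswith(origin) and r[0] not in a_owners)
```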
Check the syntax before starting named:
```shell
$ named-checkconf
$ named-checkzone test.com /var/named/test.com.zone
$ systemctl start named
```
Test a query; the DNS server now resolves names in test.com:
```
# dig -t A "www.test.com" @127.0.0.1
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> -t A www.test.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64445
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 10.10.1.6
www.test.com. 86400 IN A 10.10.1.5
;; AUTHORITY SECTION:
test.com. 86400 IN NS ns1.test.com.
test.com. 86400 IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 86400 IN A 10.10.1.1
ns2.test.com. 86400 IN A 10.10.1.2
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 22 04:27:05 UTC 2022
;; MSG SIZE rcvd: 141
```
Querying from another instance also resolves correctly:
```shell
$ dig -t A "www.test.com" @172.31.27.105   # specify the DNS server's IP address
```
Capturing packets on the DNS server (172.31.27.105) shows the actual exchange:
```shell
$ sudo tcpdump -nt -s 500 -i eth0 port domain
IP 172.31.18.4.50050 > 172.31.27.105.domain: 57073+ [1au] A? ip-172-31-18-4.cn-north-1.compute.internal. (71)
IP 172.31.27.105.50716 > 172.31.0.2.domain: 52899+% [1au] A? ip-172-31-18-4.cn-north-1.compute.internal. (71)
IP 172.31.0.2.domain > 172.31.27.105.50716: 52899 1/0/1 A 172.31.18.4 (87)
IP 172.31.27.105.domain > 172.31.18.4.50050: 57073 1/0/1 A 172.31.18.4 (87)
IP 172.31.18.4.41047 > 172.31.27.105.domain: 43128+ [1au] A? www.baidu.com. (42)
IP 172.31.27.105.36343 > 172.31.0.2.domain: 53796+% [1au] A? www.baidu.com. (42)
IP 172.31.0.2.domain > 172.31.27.105.36343: 53796 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 172.31.27.105.36182 > 172.31.0.2.domain: 40595+% [1au] A? www.a.shifen.com. (45)
IP 172.31.0.2.domain > 172.31.27.105.36182: 40595 2/0/1 A 39.156.66.18, A 39.156.66.14 (77)
IP 172.31.27.105.domain > 172.31.18.4.41047: 43128 3/0/1 CNAME www.a.shifen.com., A 39.156.66.14, A 39.156.66.18 (101)
```
Without a forwarding rule, names outside test.com are resolved starting from the root servers in named.ca, so the VPC's internal DNS names cannot be resolved. Resolving an instance's private IP fails because no forwarding to the VPC's .2 address is configured. Oddly, configuring the .2 address (which 169.254.169.253 maps to) as an NS in named.ca had no effect.
This can be fixed by configuring forwarding to the .2 address in named.conf:
- forward first: use the forwarders first, and fall back to resolving locally if they cannot answer.
- forward only: use only the forwarders, and return a failure to the client if they cannot answer.
```
forward only;    // forward only
forwarders { 169.254.169.253; };
```
With first, resolution is attempted through the forwarders first. The capture below shows 172.31.0.2 answering first with the correct IP address; without forwarding, the answer would eventually come from the root server 198.41.0.4:
```shell
$ sudo tcpdump -nt -s 500 -i eth0 port domain
IP 172.31.18.4.46867 > 172.31.27.105.domain: 26565+ [1au] A? www.baidu.com. (42)
IP 172.31.27.105.55702 > 172.31.0.2.domain: 33131+% [1au] A? www.baidu.com. (42)
IP 172.31.27.105.49161 > 198.41.0.4.domain: 45400 [1au] NS? . (28)
IP 172.31.0.2.domain > 172.31.27.105.55702: 33131 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 172.31.27.105.51462 > 172.31.0.2.domain: 13784+% [1au] A? www.a.shifen.com. (45)
IP 172.31.0.2.domain > 172.31.27.105.51462: 13784 2/0/1 A 39.156.66.18, A 39.156.66.14 (77)
IP 172.31.27.105.domain > 172.31.18.4.46867: 26565 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 198.41.0.4.domain > 172.31.27.105.49161: 45400*-| 13/0/13 NS e.root-servers.net., NS h.root-servers.net., NS l.root-servers.net., NS i.root-servers.net., NS a.root-servers.net., NS d.root-servers.net., NS c.root-servers.net., NS b.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS g.root-servers.net., NS m.root-servers.net., NS f.root-servers.net. (503)
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [S], seq 3619155804, win 62727, options [mss 8961,sackOK,TS val 1091688856 ecr 0,nop,wscale 7], length 0
IP 198.41.0.4.domain > 172.31.27.105.39317: Flags [S.], seq 441198152, ack 3619155805, win 1400, options [mss 1400,nop,nop,TS val 584105086 ecr 1091688856], length 0
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [.], ack 1, win 62727, options [nop,nop,TS val 1091689007 ecr 584105086], length 0
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [P.], seq 1:31, ack 1, win 62727, options [nop,nop,TS val 1091689007 ecr 584105086], length 307060 [1au] NS? . (28)
IP 198.41.0.4.domain > 172.31.27.105.39317: Flags [P.], seq 1:1100, ack 31, win 1400, options [nop,nop,TS val 584105236 ecr 1091689007], length 10997060*- 14/0/27 NS e.root-servers.net., NS h.root-servers.net., NS l.root-servers.net., NS i.root-servers.net., NS a.root-servers.net., NS d.root-servers.net., NS c.root-servers.net., NS b.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS g.root-servers.net., NS m.root-servers.net., NS f.root-servers.net., RRSIG[|domain]
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [.], ack 1100, win 61628, options [nop,nop,TS val 1091689157 ecr 584105236], length 0
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [F.], seq 31, ack 1100, win 61628, options [nop,nop,TS val 1091689158 ecr 584105236], length 0
IP 198.41.0.4.domain > 172.31.27.105.39317: Flags [F.], seq 1100, ack 32, win 1400, options [nop,nop,TS val 584105387 ecr 1091689158], length 0
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [.], ack 1101, win 61627, options [nop,nop,TS val 1091689308 ecr 584105387], length 0
```
With only, only the forwarders are used, so all resolution is performed by the .2 address. Yet resolving internal instance names still got no usable response. The capture below shows that 169.254.169.253 did return the IP address, but the final reply to the client was still SERVFAIL:
```shell
$ sudo tcpdump -nt -s 500 -i eth0 port domain
IP 172.31.18.4.46526 > 172.31.27.105.domain: 7768+ [1au] A? www.baidu.com. (42)
IP 172.31.27.105.32891 > 169.254.169.253.domain: 9791+% [1au] A? www.baidu.com. (42)
IP 169.254.169.253.domain > 172.31.27.105.32891: 9791 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 172.31.27.105.43867 > 169.254.169.253.domain: 38968+% [1au] DS? com. (32)
IP 169.254.169.253.domain > 172.31.27.105.43867: 38968 1/0/1 DS (80)
IP 172.31.27.105.domain > 172.31.18.4.46526: 7768 ServFail 0/0/1 (42)
```
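As an added example (not part of the original notes), the Python below parses tcpdump's one-line DNS summaries from the two captures above and flags every SERVFAIL that BIND (172.31.27.105) sent a client, noting whether a forwarder had already returned a positive answer for the same name; when it had, the failure happened inside the server (for instance during response validation) rather than upstream. The regexes assume the default tcpdump summary format shown on this page.

```python
import re

# Two captures copied from the tcpdump output above: a healthy forwarded lookup
# and the exchange that ended in SERVFAIL although the forwarder had answered.
CAPTURE_OK = """\
IP 172.31.18.4.50050 > 172.31.27.105.domain: 57073+ [1au] A? ip-172-31-18-4.cn-north-1.compute.internal. (71)
IP 172.31.27.105.50716 > 172.31.0.2.domain: 52899+% [1au] A? ip-172-31-18-4.cn-north-1.compute.internal. (71)
IP 172.31.0.2.domain > 172.31.27.105.50716: 52899 1/0/1 A 172.31.18.4 (87)
IP 172.31.27.105.domain > 172.31.18.4.50050: 57073 1/0/1 A 172.31.18.4 (87)
"""
CAPTURE_SERVFAIL = """\
IP 172.31.18.4.46526 > 172.31.27.105.domain: 7768+ [1au] A? www.baidu.com. (42)
IP 172.31.27.105.32891 > 169.254.169.253.domain: 9791+% [1au] A? www.baidu.com. (42)
IP 169.254.169.253.domain > 172.31.27.105.32891: 9791 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 172.31.27.105.43867 > 169.254.169.253.domain: 38968+% [1au] DS? com. (32)
IP 169.254.169.253.domain > 172.31.27.105.43867: 38968 1/0/1 DS (80)
IP 172.31.27.105.domain > 172.31.18.4.46526: 7768 ServFail 0/0/1 (42)
"""

# tcpdump DNS summaries: queries look like "id+% [1au] TYPE? name (len)",
# replies like "id[flags] [rcode] an/au/ad ...". TCP segments match neither.
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.domain: "
    r"(?P<id>\d+)\+?[%$]* (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")
REPLY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.domain > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)[*\-|$]*(?: (?P<rcode>[A-Za-z]+))? (?P<an>\d+)/(?P<au>\d+)/(?P<ad>\d+)")

def servfail_despite_upstream_answer(lines, server):
    """Return (qname, upstream_answered) for each SERVFAIL `server` sent a client.
    upstream_answered is True when a forwarder had already returned at least one
    record for that name, i.e. the failure originated inside `server`."""
    pending = {}         # (src, sport, dst, id) -> qname, one entry per query seen
    upstream_ok = set()  # names some forwarder answered positively
    findings = []
    for line in lines:
        q = QUERY_RE.match(line.strip())
        if q:
            pending[(q["src"], q["sport"], q["dst"], q["id"])] = q["qname"]
            continue
        r = REPLY_RE.match(line.strip())
        if not r:
            continue
        # A reply's dst/dport/src correspond to the matching query's src/sport/dst.
        qname = pending.get((r["dst"], r["dport"], r["src"], r["id"]))
        if qname is None:
            continue
        if r["dst"] == server and r["rcode"] is None and int(r["an"]) > 0:
            upstream_ok.add(qname)
        elif r["src"] == server and (r["rcode"] or "").lower() == "servfail":
            findings.append((qname, qname in upstream_ok))
    return findings

if __name__ == "__main__":
    print(servfail_despite_upstream_answer(CAPTURE_SERVFAIL.splitlines(), "172.31.27.105"))
```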
The logic behind the resolution failure is shown in the figure below.
The cause turned out to be DNSSEC being enabled; disabling it fixed the problem:
```
dnssec-enable no;    // disable DNSSEC
dnssec-validation no;
```
PowerDNS
PowerDNS is a high-performance DNS server with built-in scripting support. It splits the work between the PowerDNS Authoritative Server and the PowerDNS Recursor, which respectively serve local data and perform recursive lookups upstream.
The pdns backend stores DNS records and metadata, using MySQL or a similar database as storage.
```shell
amazon-linux-extras install epel -y
yum install pdns
yum install pdns-backend-mysql
yum install mariadb-server -y
systemctl enable mariadb
systemctl start mariadb
mysqladmin -u root password dnsadmin
```
```sql
CREATE USER 'powerdns'@'localhost' IDENTIFIED BY '你的新密码';
CREATE DATABASE powerdns;
GRANT ALL ON powerdns.* TO 'powerdns'@'localhost';
FLUSH PRIVILEGES;
set password for powerdns@'localhost'=password('pdns');
```
Create the tables using the default schema: https://doc.powerdns.com/authoritative/backends/generic-mysql.html#default-schema
Edit the pdns configuration file:
```
$ cat /etc/pdns/pdns.conf
api=yes
api-key=pdns
config-dir=/etc/pdns
write-pid=yes
daemon=no
guardian=no
launch=gmysql
gmysql-host=localhost
gmysql-port=3306
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=pdns
log-dns-details=yes
log-dns-queries=yes
log-timestamp=yes
loglevel=9
logging-facility=0
setgid=root
setuid=root
webserver=yes
webserver-address=0.0.0.0
webserver-port=8081
webserver-allow-from=127.0.0.1
local-address=0.0.0.0
query-local-address=0.0.0.0
```
Check the status; it connects to MariaDB successfully:
```shell
$ systemctl start pdns
$ systemctl status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 14:45:48 UTC; 9s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 6134 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─6134 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you ar...ion 2.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: Listening for HTTP requests on 0.0.0.0:8081
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: Creating backend connection for TCP
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal systemd[1]: Started PowerDNS Authoritative Server.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: About to create 3 backend threads for UDP
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: Done launching threads, ready to distribute questions
```
pdnsutil could not be run (https://github.com/PowerDNS/pdns/issues/9164); is AL2 some odd hybrid?
After switching the instance to Red Hat and repeating the steps above, creating a zone and testing resolution succeeds:
```shell
$ pdnsutil create-zone example.org ns1.example.com
Nov 22 15:10:11 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 15:10:11 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Creating empty zone 'example.org'
Nov 22 15:10:11 No serial for 'example.org' found - zone is missing?
Also adding one NS record
$ pdnsutil list-all-zones
Nov 22 15:10:54 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 15:10:54 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
example.org
$ pdnsutil add-record example.org. www A 10.1.2.3
$ dig www.example.org @127.0.0.1
; <<>> DiG 9.16.23-RH <<>> www.example.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2828
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.example.org. IN A
;; ANSWER SECTION:
www.example.org. 3600 IN A 10.1.2.3
;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 22 15:14:03 UTC 2022
;; MSG SIZE rcvd: 60
```
The web server also shows logs and resolution records.
CoreDNS
CoreDNS is an open-source DNS server written in Go and is currently the default DNS service in Kubernetes. Unlike other DNS servers, CoreDNS hands its core functionality to plugins:
CoreDNS is powered by plugins.
The benefit of Go is that there are no library dependencies: the download is a single binary, so unlike other DNS servers it needs no installation and runs directly. The prebuilt release bundles all officially approved plugins. By default it listens on port 53 and reads the Corefile in its own directory. coredns can be run directly, but without a configuration file it cannot answer queries:
```shell
$ coredns
.:53
CoreDNS-1.10.0
linux/amd64, go1.19.1, 596a9f9
[INFO] 127.0.0.1:54098 - 13169 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,aa,rd 97 0.000110176s
```
In EKS, CoreDNS is provided as a cluster add-on. The default configuration of the CoreDNS component in an EKS cluster is shown below and can be customised.
Common CoreDNS configuration references:
- https://help.aliyun.com/document_detail/380963.html
- https://support.huaweicloud.com/usermanual-cce/cce_01_0361.html
```
.:53 {
    log
    errors
    health
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    prometheus :9153
    forward . /etc/resolv.conf
    cache 30
    loop
    reload
    loadbalance
}
```
Configuring a conditional forwarder with CoreDNS
Add a zone to the CoreDNS ConfigMap:
```shell
$ kubectl -n kube-system edit configmap coredns
test.com:53 {
    errors
    cache 30
    forward . 172.31.27.105
    reload
}
$ kubectl run dnsutils -it --rm --image tutum/dnsutils -- bash
```
Containers point their DNS at the CoreDNS service; a pod's DNS settings are controlled through dnsPolicy, which defaults to ClusterFirst.
Testing against the self-hosted BIND server shows that conditional forwarding is in effect:
```shell
$ cat /etc/resolv.conf
nameserver 10.100.0.10
search default.svc.cluster.local svc.cluster.local cluster.local cn-north-1.compute.internal
options ndots:5
$ dig www.test.com
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 30 IN A 10.10.1.5
www.test.com. 30 IN A 10.10.1.6
;; AUTHORITY SECTION:
test.com. 30 IN NS ns3.test.com.
;; ADDITIONAL SECTION:
ns3.test.com. 30 IN A 172.31.0.2
;; Query time: 1 msec
;; SERVER: 10.100.0.10#53(10.100.0.10)
;; WHEN: Tue Nov 22 16:00:51 UTC 2022
;; MSG SIZE rcvd: 159
```
Capturing on the BIND server shows CoreDNS sending its queries to BIND from the node's primary network interface:
```
IP 192.168.26.167.38651 > 172.31.27.105.domain: 45564+ [1au] A? www.test.com. (41)
IP 172.31.27.105.domain > 192.168.26.167.38651: 45564* 2/1/2 A 10.10.1.6, A 10.10.1.5 (107)
```
Troubleshooting CoreDNS: add the log plugin.
With logging enabled, CoreDNS's resolution records become visible, but conditional forwards are not logged:
```
[INFO] 192.168.25.1:55186 - 30082 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,rd,ra 138 0.001808735s
[INFO] 192.168.25.1:50447 - 58973 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,aa,rd,ra 138 0.000118182s
[INFO] 192.168.25.1:36695 - 50776 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,aa,rd,ra 138 0.000119947s
[INFO] 192.168.25.1:58777 - 55788 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,aa,rd,ra 138 0.000128219s
```
Chaining CoreDNS to the self-hosted DNS
Modify forward:
```
.:53 {
    log
    errors
    health
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    prometheus :9153
    forward . 172.31.27.105
    cache 30
    loop
    reload
    loadbalance
}
```
From then on, all DNS resolution for names outside the cluster is forwarded to the self-hosted DNS server.