Common open-source DNS servers include:
dnsmasq: lightweight with a small footprint, suited to resource-constrained routers and firewalls; can be configured as a caching DNS forwarder
BIND: the most mature DNS server and the reference implementation of the standard, but not especially extensible
PowerDNS: comes with a mature management/control layer (SQL backends, REST API, built-in web server)
CoreDNS: grew out of SkyDNS; every feature is implemented as a pluggable middleware
AWS VPC DNS, BIND, PowerDNS and CoreDNS are examined in turn below.
aws vpc dns
References (AWS documentation):
Configure an EC2 instance to use static DNS servers
Build your own BIND-based DNS server in a Virtual Private Cloud
How do I avoid DNS resolution failures on an Amazon EC2 Linux instance?
Resolving DNS queries between a VPC and your network
DNS attributes in a VPC
At boot an EC2 instance requests its DNS server address via DHCP and writes the response into the local /etc/resolv.conf. The DHCP option set attached to the VPC controls the DNS servers, domain name and NTP servers handed to instances.
When a VPC is created, Route 53 Resolver answers the VPC's local DNS queries (instance names and private hosted zones) from inside the VPC; for all other names it performs recursive lookups against the public name servers. The resolver is reachable at the VPC CIDR base address plus two (the ".2 address", 172.31.0.2 for the 172.31.0.0/16 VPC used in the captures below) and also at the link-local address 169.254.169.253; both refer to the same service. It is a recursive resolver, not an authoritative server, which matters for the BIND forwarding configuration later on.
To reduce CPU and network usage and to avoid DNS resolution failures (the VPC resolver rate-limits queries per network interface), run dnsmasq on the instance as a local caching resolver in front of it:
$ sudo yum install -y dnsmasq
$ sudo groupadd -r dnsmasq
$ sudo useradd -r -g dnsmasq dnsmasq
$ sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
$ sudo vim /etc/dnsmasq.conf
# Server Configuration
listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
# Name resolution options
# upstream servers are read from this file instead of /etc/resolv.conf
resolv-file=/etc/resolv.dnsmasq
cache-size=500
# cache negative answers that carry no SOA for 60 seconds
neg-ttl=60
# never forward plain host names (no dot) upstream
domain-needed
# answer reverse lookups of private address ranges locally instead of leaking them upstream
bogus-priv
# write the VPC resolver's address into the dnsmasq upstream file
sudo bash -c "echo 'nameserver 169.254.169.253' > /etc/resolv.dnsmasq"
# start dnsmasq
$ sudo systemctl restart dnsmasq.service
$ sudo systemctl enable dnsmasq.service
$ systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-11-22 13:54:38 UTC; 2s ago
Main PID: 4668 (dnsmasq)
CGroup: /system.slice/dnsmasq.service
└─4668 /usr/sbin/dnsmasq -k
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal systemd[1]: Started DNS caching server..
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: listening on lo(#1): 127.0.0.1
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: listening on lo(#1): ::1
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: started, version 2.76 cachesize 500
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no...notify
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: reading /etc/resolv.dnsmasq
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: using nameserver 169.254.169.253#53
Nov 22 13:54:38 ip-172-31-27-105.cn-north-1.compute.internal dnsmasq[4668]: read /etc/hosts - 2 addresses
dnsmasq is now a caching resolver in front of 169.254.169.253. For clients on the instance to use it, /etc/resolv.conf must point at 127.0.0.1, and DHCP must be stopped from overwriting that on the next lease renewal: edit or create /etc/dhcp/dhclient.conf and use its supersede domain-name-servers directive to pin 127.0.0.1 (with the VPC resolver as fallback) instead of the DHCP-provided server.
Capturing packets shows the actual exchange. The query to 127.0.0.1 stays on the loopback interface, so on eth0 only dnsmasq's upstream query to the VPC resolver and the reply are visible:
$ sudo tcpdump -nt -s 500 -i eth0 port domain
$ dig www.baidu.com @127.0.0.1
IP 172.31.27.105.30600 > 169.254.169.253.domain: 19883+ [1au] A? www.baidu.com. (42)
IP 169.254.169.253.domain > 172.31.27.105.30600: 19883 3/0/1 CNAME www.a.shifen.com., A 39.156.66.14, A 39.156.66.18 (104)
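The sizes in parentheses are UDP payload lengths, and they can be checked by building the messages by hand. The following Python is an added example for these notes, not code from dnsmasq, BIND or AWS: it encodes the A? www.baidu.com. query with the EDNS0 OPT record that tcpdump reports as [1au] (12-byte header, 19-byte question, 11-byte OPT, 42 bytes in total) and decodes a constructed reply carrying a CNAME and two A records with name compression, which comes to the 104 bytes seen in the capture. The transaction id, names and addresses are taken from the capture; the TTLs are made up.

```python
"""Build and decode DNS messages in wire format (RFC 1035, EDNS0 per RFC 6891).

Added example for these notes, not code from dnsmasq or BIND. It rebuilds the
42-byte "A? www.baidu.com." query that tcpdump shows and decodes a constructed
104-byte reply of the shape "3/0/1 CNAME ..., A ..., A ...". Transaction id,
names and addresses come from the capture; TTLs are invented.
"""
import struct

TYPE_A, TYPE_CNAME, TYPE_OPT = 1, 5, 41
CLASS_IN = 1


def encode_name(name):
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=19883, udp_size=4096):
    """12-byte header + question + 11-byte EDNS0 OPT pseudo-record (tcpdump's [1au])."""
    flags = 0x0100                                   # RD set (the '+' in tcpdump)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root owner name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries extended rcode / version / DO bit (all zero here), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_message(msg):
    """Return header fields plus the decoded question and resource records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == TYPE_CNAME:
                value, _ = decode_name(msg, off)     # rdata may use compression too
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            records.append((section, name, rtype, value))
    return {"id": txid, "rcode": flags & 0xF, "qr": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "cd": bool(flags & 0x0010), "counts": (an, ns, ar),
            "questions": questions, "records": records}


def build_reply(query):
    """Constructed reply: CNAME www.a.shifen.com. plus two A records, names compressed."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:12 + len(encode_name("www.baidu.com")) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 3, 0, 1)   # QR RD RA, NOERROR
    target = encode_name("www.a.shifen.com")
    qname_ptr = b"\xc0\x0c"                          # pointer to the question name at offset 12
    rrs = qname_ptr + struct.pack("!HHIH", TYPE_CNAME, CLASS_IN, 1200, len(target)) + target
    target_off = 12 + len(question) + 2 + 10         # where the CNAME target was written
    target_ptr = struct.pack("!H", 0xC000 | target_off)
    for ip in ("39.156.66.14", "39.156.66.18"):
        rrs += target_ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
        rrs += bytes(int(x) for x in ip.split("."))
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + rrs + opt


if __name__ == "__main__":
    q = build_query("www.baidu.com")
    print(len(q), "bytes on the wire")               # 42, as in the capture
    for r in parse_message(build_reply(q))["records"]:
        print(r)
```

The same arithmetic explains the other sizes in the captures: www.test.com encodes to 14 bytes, giving a 41-byte query, and www.a.shifen.com to 18 bytes, giving 45.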
bind
References:
DNS service principles and building your own DNS server
BIND's forward mechanism
Why domain-name resolution fails
The DNSSEC workflow
BIND-related packages
bind: the DNS server itself
bind-libs: libraries shared by the programs in the bind and bind-utils packages
bind-utils: client tools (dig, nslookup, host)
bind-chroot: runs named in a chroot so that a compromised process sees only a limited part of the filesystem
Installing BIND
rndc (remote name domain controller)
By default rndc is installed on the same host as BIND and the control channel only accepts connections from 127.0.0.1; it provides auxiliary management functions (reload, flush, status) and listens on 953/tcp.
$ yum install -y bind
$ rpm -ql bind
$ ls /var/named
data dynamic named.ca named.empty named.localhost named.loopback slaves
# named.ca: root hints, the addresses of the global root name servers
# named.localhost: forward zone for localhost
# named.loopback: reverse zone for the loopback addresses (127.0.0.1 and ::1)
# start the service
$ systemctl start named
$ ss -luntp | grep ':53'
BIND configuration
Main configuration file: /etc/named.conf. Zone configuration file: /etc/named.rfc1912.zones, which declares the zones this server answers for, one zone "ZONE_NAME" IN { ... }; block each.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
options {
listen-on port 53 { any; }; // default is { 127.0.0.1; }; any makes named reachable from the VPC
listen-on-v6 port 53 { ::1; }; // IPv6 listener
directory "/var/named"; // default directory for forward and reverse zone files
dump-file "/var/named/data/cache_dump.db"; // where rndc dumpdb writes the cache
statistics-file "/var/named/data/named_stats.txt"; // named statistics
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; // default is localhost; together with recursion yes this is an open recursive resolver for anyone who can reach port 53, so restrict it (an acl with the VPC CIDR, or a security group)
recursion yes; // allow recursive queries
forward only; // forward everything, never iterate from the root hints
forwarders { 169.254.169.253; }; // the VPC resolver
dnssec-enable no; // turn DNSSEC off (see the SERVFAIL analysis below; this trades away validation); later BIND versions drop this option
dnssec-validation no;
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging { // log destinations
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
Create a new zone in /etc/named.rfc1912.zones; the zone file itself lives under /var/named.
zone "test.com" IN {
type master;
file "test.com.zone";
};
# cat /var/named/test.com.zone
$TTL 1D
$ORIGIN test.com.
@ IN SOA ns1.test.com. admin.test.com. ( ; the mailbox needs its trailing dot, otherwise it is read as admin.test.com.test.com.
2019112201 ; serial
1H ; refresh
5M ; retry
7D ; expire
1D ) ; negative-cache TTL
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1
    IN MX 20 mx2
ns1 IN A 10.10.1.1
ns2 IN A 10.10.1.2
mx1 IN A 10.10.1.3
mx2 IN A 10.10.1.4
www IN A 10.10.1.5
www IN A 10.10.1.6
ftp IN CNAME www
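The trailing-dot rule is the most common zone-file mistake: a name written without the dot is relative to $ORIGIN, so an SOA mailbox of admin.test.com silently becomes admin.test.com.test.com. The following Python is an added example for these notes, not part of BIND (named-checkzone remains the tool to trust): it applies the $ORIGIN, $TTL, @, blank-owner and parenthesis rules of the zone-file format to a constructed copy of the test.com zone with the mailbox written without its dot, and lints the result.

```python
"""Expand the relative names in a BIND zone file and lint the result.

Added example, not BIND's own code. It applies the RFC 1035 zone-file rules
that bite most often: a name without a trailing dot is relative to $ORIGIN,
"@" stands for the origin, a record that starts with whitespace reuses the
previous owner, and parentheses let one record span several lines. ZONE is a
constructed copy of the test.com zone from these notes with the SOA mailbox
written as admin.test.com (no trailing dot), a common slip.
"""
import re

RR_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "PTR", "TXT", "SRV"}
CLASSES = {"IN", "CH", "HS"}

ZONE = """\
$TTL 1D
$ORIGIN test.com.
@   IN SOA ns1.test.com. admin.test.com (
        2019112201 1H 5M 7D 1D )
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1
ns1 IN A 10.10.1.1
ns2 IN A 10.10.1.2
mx1 IN A 10.10.1.3
www IN A 10.10.1.5
www IN A 10.10.1.6
ftp IN CNAME www
"""


def absolutize(name, origin):
    """Trailing-dot rule: absolute names stay, others get $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, ttl, type, rdata)] with every domain name made absolute."""
    kept = [l.split(";", 1)[0] for l in text.splitlines()]         # drop comments
    stripped = "\n".join(l for l in kept if l.strip())
    # fold "( ... )" groups, which may span lines, onto one line
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), stripped)
    records, owner, default_ttl = [], None, None
    for line in joined.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            default_ttl = fields[1]
            continue
        if not line[0].isspace():                    # explicit owner name
            owner = absolutize(fields.pop(0), origin)
        ttl = default_ttl
        if fields[0] not in CLASSES and fields[0] not in RR_TYPES:
            ttl = fields.pop(0)                      # optional per-record TTL
        if fields[0] in CLASSES:
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        # domain names inside rdata are relative to $ORIGIN as well
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolutize(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], absolutize(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [absolutize(rdata[0], origin), absolutize(rdata[1], origin)] + rdata[2:]
        records.append((owner, ttl, rtype, rdata))
    return records


def lint(records):
    """Heuristic checks worth running before named loads the file."""
    warnings = []
    origin = next((r[0] for r in records if r[2] == "SOA"), None)
    for owner, _ttl, rtype, rdata in records:
        for n in [owner] + [v for v in rdata if v.endswith(".")]:
            if origin and n.count(origin.rstrip(".")) > 1:
                warnings.append(f"{rtype} {owner}: '{n}' repeats the origin; a trailing dot is probably missing")
    cname_owners = {r[0] for r in records if r[2] == "CNAME"}
    for owner, _ttl, rtype, _rdata in records:
        if rtype != "CNAME" and owner in cname_owners:
            warnings.append(f"{owner} has a CNAME and other records (RFC 1034 forbids this)")
    return warnings


if __name__ == "__main__":
    recs = parse_zone(ZONE, "test.com.")
    for r in recs:
        print(r)
    print(lint(recs))
```

The origin-repeated check is a heuristic: it fires on the doubled mailbox above and is silent once the dot is added, but a zone whose origin legitimately appears twice in a name would trip it.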
Check the syntax before starting named:
$ named-checkconf
$ named-checkzone "test.com" /var/named/test.com.zone
$ systemctl start named
Test the response; the server now answers queries for names in test.com:
# dig -t A "www.test.com" @127.0.0.1
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> -t A www.test.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64445
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 10.10.1.6
www.test.com. 86400 IN A 10.10.1.5
;; AUTHORITY SECTION:
test.com. 86400 IN NS ns1.test.com.
test.com. 86400 IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 86400 IN A 10.10.1.1
ns2.test.com. 86400 IN A 10.10.1.2
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 22 04:27:05 UTC 2022
;; MSG SIZE rcvd: 141
Querying from another instance also resolves fine:
$ dig -t A "www.test.com" @172.31.27.105 # specify the DNS server's address
Capturing on the DNS server (172.31.27.105) shows the traffic: the client's query, named's forwarded query to the VPC resolver 172.31.0.2 (the % flag marks the CD bit named sets on its upstream queries while it validates answers itself), and the replies.
$ sudo tcpdump -nt -s 500 -i eth0 port domain
IP 172.31.18.4.50050 > 172.31.27.105.domain: 57073+ [1au] A? ip-172-31-18-4.cn-north-1.compute.internal. (71)
IP 172.31.27.105.50716 > 172.31.0.2.domain: 52899+% [1au] A? ip-172-31-18-4.cn-north-1.compute.internal. (71)
IP 172.31.0.2.domain > 172.31.27.105.50716: 52899 1/0/1 A 172.31.18.4 (87)
IP 172.31.27.105.domain > 172.31.18.4.50050: 57073 1/0/1 A 172.31.18.4 (87)
IP 172.31.18.4.41047 > 172.31.27.105.domain: 43128+ [1au] A? www.baidu.com. (42)
IP 172.31.27.105.36343 > 172.31.0.2.domain: 53796+% [1au] A? www.baidu.com. (42)
IP 172.31.0.2.domain > 172.31.27.105.36343: 53796 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 172.31.27.105.36182 > 172.31.0.2.domain: 40595+% [1au] A? www.a.shifen.com. (45)
IP 172.31.0.2.domain > 172.31.27.105.36182: 40595 2/0/1 A 39.156.66.18, A 39.156.66.14 (77)
IP 172.31.27.105.domain > 172.31.18.4.41047: 43128 3/0/1 CNAME www.a.shifen.com., A 39.156.66.14, A 39.156.66.18 (101)
Without a forwarding configuration named iterates from the root hints in named.ca for every name outside test.com, so it cannot resolve VPC-internal names: looking up an instance's private hostname fails, because only the VPC resolver knows it. Putting the .2 address (169.254.169.253 is another address of the same resolver) into named.ca as a root name server does not help either: hint servers are queried iteratively, as if they were authoritative root servers, whereas the VPC resolver is a recursive resolver; the mechanism for handing queries to a recursive resolver is forwarders.
Configure forwarding to the .2 address in named.conf instead.
forward first tries the forwarders first and, if they do not answer, falls back to normal iterative resolution from the root; forward only uses the forwarders exclusively and returns a failure to the client if they cannot answer.
forward only; // forward everything
forwarders { 169.254.169.253; };
With forward first, answers come from the forwarder first. In the capture below 172.31.0.2 answers www.baidu.com; the parallel NS? . query to 198.41.0.4 (a.root-servers.net) is named priming its root hints, not resolving the client's name, and because the UDP answer is truncated (the | flag) it is repeated over TCP. Without forwarding, resolution would have started from that root server.
$ sudo tcpdump -nt -s 500 -i eth0 port domain
IP 172.31.18.4.46867 > 172.31.27.105.domain: 26565+ [1au] A? www.baidu.com. (42)
IP 172.31.27.105.55702 > 172.31.0.2.domain: 33131+% [1au] A? www.baidu.com. (42)
IP 172.31.27.105.49161 > 198.41.0.4.domain: 45400 [1au] NS? . (28)
IP 172.31.0.2.domain > 172.31.27.105.55702: 33131 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 172.31.27.105.51462 > 172.31.0.2.domain: 13784+% [1au] A? www.a.shifen.com. (45)
IP 172.31.0.2.domain > 172.31.27.105.51462: 13784 2/0/1 A 39.156.66.18, A 39.156.66.14 (77)
IP 172.31.27.105.domain > 172.31.18.4.46867: 26565 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 198.41.0.4.domain > 172.31.27.105.49161: 45400*-| 13/0/13 NS e.root-servers.net., NS h.root-servers.net., NS l.root-servers.net., NS i.root-servers.net., NS a.root-servers.net., NS d.root-servers.net., NS c.root-servers.net., NS b.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS g.root-servers.net., NS m.root-servers.net., NS f.root-servers.net. (503)
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [S], seq 3619155804, win 62727, options [mss 8961,sackOK,TS val 1091688856 ecr 0,nop,wscale 7], length 0
IP 198.41.0.4.domain > 172.31.27.105.39317: Flags [S.], seq 441198152, ack 3619155805, win 1400, options [mss 1400,nop,nop,TS val 584105086 ecr 1091688856], length 0
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [.], ack 1, win 62727, options [nop,nop,TS val 1091689007 ecr 584105086], length 0
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [P.], seq 1:31, ack 1, win 62727, options [nop,nop,TS val 1091689007 ecr 584105086], length 307060 [1au] NS? . (28)
IP 198.41.0.4.domain > 172.31.27.105.39317: Flags [P.], seq 1:1100, ack 31, win 1400, options [nop,nop,TS val 584105236 ecr 1091689007], length 10997060*- 14/0/27 NS e.root-servers.net., NS h.root-servers.net., NS l.root-servers.net., NS i.root-servers.net., NS a.root-servers.net., NS d.root-servers.net., NS c.root-servers.net., NS b.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS g.root-servers.net., NS m.root-servers.net., NS f.root-servers.net., RRSIG[|domain]
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [.], ack 1100, win 61628, options [nop,nop,TS val 1091689157 ecr 584105236], length 0
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [F.], seq 31, ack 1100, win 61628, options [nop,nop,TS val 1091689158 ecr 584105236], length 0
IP 198.41.0.4.domain > 172.31.27.105.39317: Flags [F.], seq 1100, ack 32, win 1400, options [nop,nop,TS val 584105387 ecr 1091689158], length 0
IP 172.31.27.105.39317 > 198.41.0.4.domain: Flags [.], ack 1101, win 61627, options [nop,nop,TS val 1091689308 ecr 584105387], length 0
With forward only, only the forwarders are used, so every lookup goes through the .2 address. Even so, queries still failed, including those for VPC-internal instance names. The capture below (for www.baidu.com) shows that 169.254.169.253 did return the addresses; named then asked it for the DS record of com., received one, and still answered the client with ServFail:
$ sudo tcpdump -nt -s 500 -i eth0 port domain
IP 172.31.18.4.46526 > 172.31.27.105.domain: 7768+ [1au] A? www.baidu.com. (42)
IP 172.31.27.105.32891 > 169.254.169.253.domain: 9791+% [1au] A? www.baidu.com. (42)
IP 169.254.169.253.domain > 172.31.27.105.32891: 9791 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 172.31.27.105.43867 > 169.254.169.253.domain: 38968+% [1au] DS? com. (32)
IP 169.254.169.253.domain > 172.31.27.105.43867: 38968 1/0/1 DS (80)
IP 172.31.27.105.domain > 172.31.18.4.46526: 7768 ServFail 0/0/1 (42)
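Reading a capture like this by hand gets tedious once more than one client is involved. The following Python is an added example for these notes, not a tool from BIND or tcpdump: it parses lines in the form produced by tcpdump -nt port domain, matches each reply to its query by (client, client port, server, transaction id), and for every query a client sent to the resolver lists the upstream lookups the resolver made on its behalf before replying. A SERVFAIL preceded by a DS or DNSKEY lookup is the signature seen above. The sample input copies the capture above and adds one constructed query that never receives a reply; the resolver address 172.31.27.105 is a parameter.

```python
"""Pair DNS queries with their replies in `tcpdump -nt port domain` output.

Added example, not a tool from these notes, BIND or tcpdump. tcpdump notation:
'+' is RD, '%' is CD (set by a validating resolver on its upstream queries),
'*' is AA, '|' is TC; a non-zero rcode such as ServFail is printed before the
answer/authority/additional counts. SAMPLE copies the capture in the notes
plus one constructed query (www.test.com) that is never answered.
"""
import re

LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<id>\d+)(?P<flags>[+%*$|-]*) (?P<body>.*)")
QUESTION = re.compile(r"([A-Z]+)\? (\S+)")
ANSWER = re.compile(r"(?:([A-Za-z]+) )?(\d+)/(\d+)/(\d+)")

SAMPLE = """\
IP 172.31.18.4.46526 > 172.31.27.105.domain: 7768+ [1au] A? www.baidu.com. (42)
IP 172.31.27.105.32891 > 169.254.169.253.domain: 9791+% [1au] A? www.baidu.com. (42)
IP 169.254.169.253.domain > 172.31.27.105.32891: 9791 3/0/1 CNAME www.a.shifen.com., A 39.156.66.18, A 39.156.66.14 (101)
IP 172.31.27.105.43867 > 169.254.169.253.domain: 38968+% [1au] DS? com. (32)
IP 169.254.169.253.domain > 172.31.27.105.43867: 38968 1/0/1 DS (80)
IP 172.31.27.105.domain > 172.31.18.4.46526: 7768 ServFail 0/0/1 (42)
IP 172.31.18.4.50050 > 172.31.27.105.domain: 57073+ [1au] A? ip-172-31-18-4.cn-north-1.compute.internal. (71)
IP 172.31.27.105.50716 > 169.254.169.253.domain: 52899+% [1au] A? ip-172-31-18-4.cn-north-1.compute.internal. (71)
IP 169.254.169.253.domain > 172.31.27.105.50716: 52899 1/0/1 A 172.31.18.4 (87)
IP 172.31.27.105.domain > 172.31.18.4.50050: 57073 1/0/1 A 172.31.18.4 (87)
IP 172.31.18.4.41047 > 172.31.27.105.domain: 43128+ [1au] A? www.test.com. (41)
"""


def analyse(lines, resolver_ip):
    """One dict per query a client sent to resolver_ip, with the resolver's upstream work."""
    queries, order = {}, []
    for idx, line in enumerate(lines):
        m = LINE.match(line.strip())
        if not m:                                    # TCP handshake lines and the like
            continue
        g = m.groupdict()
        qm = QUESTION.search(g["body"])
        if qm:                                       # a question
            key = (g["src"], g["sport"], g["dst"], g["id"])
            queries[key] = {"client": g["src"], "server": g["dst"],
                            "qtype": qm.group(1), "qname": qm.group(2),
                            "cd": "%" in g["flags"], "rcode": None,
                            "q_idx": idx, "r_idx": None}
            order.append(key)
            continue
        key = (g["dst"], g["dport"], g["src"], g["id"])  # a reply: swap the ends
        q = queries.get(key)
        am = ANSWER.match(g["body"])
        if q is not None and am:
            q["rcode"] = am.group(1) or "NOERROR"    # rcode is printed only when non-zero
            q["r_idx"] = idx
    report = []
    for key in order:
        q = queries[key]
        if q["server"] != resolver_ip:
            continue
        end = len(lines) if q["r_idx"] is None else q["r_idx"]
        upstream = [queries[k] for k in order
                    if queries[k]["client"] == resolver_ip
                    and q["q_idx"] < queries[k]["q_idx"] < end]
        if q["rcode"] is None:
            verdict = "no reply seen"
        elif q["rcode"] == "NOERROR":
            verdict = "ok"
        elif any(u["qtype"] in ("DS", "DNSKEY") for u in upstream):
            verdict = "SERVFAIL after DS/DNSKEY lookup: DNSSEC validation failure suspected"
        else:
            verdict = q["rcode"]
        report.append({"qname": q["qname"], "qtype": q["qtype"], "rcode": q["rcode"],
                       "validating": any(u["cd"] for u in upstream),
                       "upstream": [(u["qtype"], u["qname"], u["rcode"]) for u in upstream],
                       "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in analyse(SAMPLE.splitlines(), "172.31.27.105"):
        print(entry)
```

Run it on a real capture with tcpdump -nt -s 500 -i eth0 port domain > dns.txt and analyse(open("dns.txt").read().splitlines(), "<resolver ip>"). Attribution of upstream lookups is by position between a query and its reply, which is good enough for a lightly loaded server but will mix things up when many clients query at once.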
The failure logic is shown in the figure (not reproduced in this text).
The cause turned out to be DNSSEC. With dnssec-validation enabled, named does not trust the forwarder's answers but validates them itself: it sets the CD bit on its upstream queries (the % flag in the capture) and fetches the DS record for com. in order to build the chain of trust for the answer. Through this forwarder it cannot complete that chain: after the DS lookup it stops and replies SERVFAIL, which is how a validating resolver reports that it could prove the answer neither validly signed nor provably unsigned, even though an answer was received. Disabling validation makes the problem go away, at the cost of any DNSSEC protection on this resolver; the alternative is to keep validation on and forward to a resolver that passes DNSSEC records through, or to let named iterate itself.
dnssec-enable no; // turn DNSSEC off (dnssec-validation is the setting that matters; dnssec-enable is obsolete in later BIND versions)
dnssec-validation no;
powerdns
Reference: PowerDNS introduction and installation
PowerDNS is a high-performance DNS server with built-in scripting support. It is split into two products: the PowerDNS Authoritative Server, which answers for zones stored in a backend, and the PowerDNS Recursor, which resolves other names by recursion. What follows installs the Authoritative Server.
The backend stores DNS records and zone metadata; here MySQL (MariaDB) is used through the generic MySQL backend (gmysql).
amazon-linux-extras install epel -y
yum install pdns
yum install pdns-backend-mysql
yum install mariadb-server -y
systemctl enable mariadb
systemctl start mariadb
mysqladmin -u root password dnsadmin
# in the MariaDB shell (mysql -u root -p):
CREATE USER 'powerdns'@'localhost' IDENTIFIED BY 'your-new-password';
CREATE DATABASE powerdns;
GRANT ALL ON powerdns.* TO 'powerdns'@'localhost';
FLUSH PRIVILEGES;
SET PASSWORD FOR 'powerdns'@'localhost' = PASSWORD('pdns'); -- must match gmysql-password in pdns.conf
Create the tables with the default schema from https://doc.powerdns.com/authoritative/backends/generic-mysql.html#default-schema
Edit the pdns configuration file:
$ cat /etc/pdns/pdns.conf
api=yes
# shared secret for the REST API; use a random value outside a lab
api-key=pdns
config-dir=/etc/pdns
write-pid=yes
daemon=no
guardian=no
# generic MySQL backend
launch=gmysql
gmysql-host=localhost
gmysql-port=3306
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=pdns
# log every query with details; very verbose, for debugging only
log-dns-details=yes
log-dns-queries=yes
log-timestamp=yes
loglevel=9
logging-facility=0
# running as root is unnecessary: the package creates a dedicated pdns user, so prefer setuid=pdns / setgid=pdns
setgid=root
setuid=root
webserver=yes
# the web server binds to all interfaces, but webserver-allow-from limits clients to localhost
webserver-address=0.0.0.0
webserver-port=8081
webserver-allow-from=127.0.0.1
# DNS listener on all interfaces
local-address=0.0.0.0
query-local-address=0.0.0.0
Check the status; the server connects to MariaDB successfully:
$ systemctl start pdns
$ systemctl status pdns
● pdns.service - PowerDNS Authoritative Server
Loaded: loaded (/usr/lib/systemd/system/pdns.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-11-22 14:45:48 UTC; 9s ago
Docs: man:pdns_server(1)
man:pdns_control(1)
https://doc.powerdns.com
Main PID: 6134 (pdns_server)
CGroup: /system.slice/pdns.service
└─6134 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you ar...ion 2.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: Listening for HTTP requests on 0.0.0.0:8081
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: Creating backend connection for TCP
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal systemd[1]: Started PowerDNS Authoritative Server.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: About to create 3 backend threads for UDP
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 14:45:48 ip-172-31-27-105.cn-north-1.compute.internal pdns_server[6134]: Done launching threads, ready to distribute questions
pdnsutil would not run on Amazon Linux 2 (https://github.com/PowerDNS/pdns/issues/9164; AL2 is an odd hybrid of package versions).
After switching the instance to Red Hat and repeating the steps above, a test zone can be created and resolves correctly:
$ pdnsutil create-zone example.org ns1.example.com
Nov 22 15:10:11 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 15:10:11 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Creating empty zone 'example.org'
Nov 22 15:10:11 No serial for 'example.org' found - zone is missing?
Also adding one NS record
$ pdnsutil list-all-zones
Nov 22 15:10:54 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Nov 22 15:10:54 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
example.org
$ pdnsutil add-record example.org. www A 10.1.2.3
$ dig www.example.org @127.0.0.1
; <<>> DiG 9.16.23-RH <<>> www.example.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2828
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.example.org. IN A
;; ANSWER SECTION:
www.example.org. 3600 IN A 10.1.2.3
;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 22 15:14:03 UTC 2022
;; MSG SIZE rcvd: 60
The built-in web server (port 8081, reachable from 127.0.0.1 only) also shows the logs and the stored records.
coredns
CoreDNS is an open-source DNS server written in Go and the default cluster DNS in Kubernetes. Unlike the other servers, its core does little by itself: every feature is a plugin in a chain.
CoreDNS is powered by plugins.
Being written in Go, it has no library dependencies: the download is a single static binary that runs without installation, and the prebuilt release contains all the official plugins. By default it listens on port 53 and reads a Corefile from the current directory. Without a Corefile it still starts, using a built-in default configuration that serves only the whoami plugin, which is why the query below is answered (NOERROR, aa flag) without any real resolution taking place; a useful setup needs a Corefile:
$ coredns
.:53
CoreDNS-1.10.0
linux/amd64, go1.19.1, 596a9f9
[INFO] 127.0.0.1:54098 - 13169 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,aa,rd 97 0.000110176s
In EKS, CoreDNS is deployed as a cluster add-on. The default configuration of the coredns component in an EKS cluster is shown below and can be customised.
Common CoreDNS configuration (references):
https://help.aliyun.com/document_detail/380963.html
https://support.huaweicloud.com/usermanual-cce/cce_01_0361.html
.:53 {
log
errors
health
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
Configuring a conditional forwarder with CoreDNS
Add a zone block to the coredns ConfigMap:
$ kubectl -n kube-system edit configmap coredns
test.com:53 {
errors
cache 30
forward . 172.31.27.105
reload
}
$ kubectl run dnsutils -it --rm --image tutum/dnsutils -- bash
Containers point their DNS at the CoreDNS service; a pod's DNS settings are governed by its dnsPolicy, which defaults to ClusterFirst.
Testing against the BIND server built above shows that the conditional forwarder works:
$ cat /etc/resolv.conf
nameserver 10.100.0.10
search default.svc.cluster.local svc.cluster.local cluster.local cn-north-1.compute.internal
options ndots:5
$ dig www.test.com
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 30 IN A 10.10.1.5
www.test.com. 30 IN A 10.10.1.6
;; AUTHORITY SECTION:
test.com. 30 IN NS ns3.test.com.
;; ADDITIONAL SECTION:
ns3.test.com. 30 IN A 172.31.0.2
;; Query time: 1 msec
;; SERVER: 10.100.0.10#53(10.100.0.10)
;; WHEN: Tue Nov 22 16:00:51 UTC 2022
;; MSG SIZE rcvd: 159
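The resolv.conf above (search list plus ndots:5) and the Corefile together decide where a query typed in a pod ends up, and the answer is less obvious than the single dig suggests. The following Python is an added example, not CoreDNS code: it models glibc's search-list expansion (a name with fewer than ndots dots is tried under every search suffix before being tried as typed; a name ending in a dot is never expanded) and CoreDNS's choice of server block by longest matching zone. The handler strings and the kubernetes zone list are a hand-written summary of the Corefile above, not parsed from it.

```python
"""Where does a pod's DNS query go? resolv.conf search expansion plus CoreDNS
server-block selection.

Added example, not CoreDNS code. SEARCH and NDOTS copy the pod's resolv.conf
from these notes; SERVER_BLOCKS and the kubernetes zones summarise the Corefile
by hand. Handler strings are descriptive labels, not plugin output.
"""
SEARCH = ["default.svc.cluster.local", "svc.cluster.local", "cluster.local",
          "cn-north-1.compute.internal"]
NDOTS = 5

# zone -> how that server block handles names the kubernetes plugin does not own
SERVER_BLOCKS = {
    "test.com.": "forward . 172.31.27.105",     # conditional forwarder to the self-built BIND
    ".": "forward . /etc/resolv.conf",          # everything else goes to the node's resolver
}
KUBERNETES_ZONES = ("cluster.local.", "in-addr.arpa.", "ip6.arpa.")
FALLTHROUGH_ZONES = ("in-addr.arpa.", "ip6.arpa.")   # only these fall through when unknown


def candidates(name, search=SEARCH, ndots=NDOTS):
    """Names the stub resolver will try, in order."""
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{s}." for s in search]
    as_typed = [name + "."]
    return as_typed + expanded if name.count(".") >= ndots else expanded + as_typed


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def select_block(name):
    """CoreDNS hands the query to the most specific (longest) matching zone."""
    return max((z for z in SERVER_BLOCKS if in_zone(name, z)), key=len)


def route(name):
    """Return (server block, handler description) for one absolute name."""
    block = select_block(name)
    if block == ".":
        for zone in KUBERNETES_ZONES:
            if in_zone(name, zone):
                if zone in FALLTHROUGH_ZONES:
                    return block, "kubernetes, falls through to " + SERVER_BLOCKS["."] + " if unknown"
                return block, "kubernetes (authoritative: NXDOMAIN if unknown)"
    return block, SERVER_BLOCKS[block]


def plan(name):
    """Full picture for one name as typed in a pod: [(candidate, block, handler), ...]."""
    return [(c, *route(c)) for c in candidates(name)]


if __name__ == "__main__":
    for step in plan("www.test.com"):
        print(step)
```

For www.test.com the plan is five queries: three cluster.local candidates answered NXDOMAIN by the kubernetes plugin, one www.test.com.cn-north-1.compute.internal. sent to the VPC resolver (an internal name leaking out of the cluster for no benefit), and only then www.test.com. to the test.com block and the BIND server. Typing the name with a trailing dot, or lowering ndots for the pod, avoids the detour.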
Capturing on the BIND host shows CoreDNS sending the query from the node's primary interface address:
IP 192.168.26.167.38651 > 172.31.27.105.domain: 45564+ [1au] A? www.test.com. (41)
IP 172.31.27.105.domain > 192.168.26.167.38651: 45564* 2/1/2 A 10.10.1.6, A 10.10.1.5 (107)
Troubleshooting CoreDNS: add the log plugin
With log enabled, CoreDNS records each query it answers. Queries handled by the test.com block do not appear, because log (like every plugin) applies per server block and was only added to the .:53 block; add log to the test.com block as well to see the forwarded queries.
[INFO] 192.168.25.1:55186 - 30082 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,rd,ra 138 0.001808735s
[INFO] 192.168.25.1:50447 - 58973 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,aa,rd,ra 138 0.000118182s
[INFO] 192.168.25.1:36695 - 50776 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,aa,rd,ra 138 0.000119947s
[INFO] 192.168.25.1:58777 - 55788 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,aa,rd,ra 138 0.000128219s
Chaining CoreDNS to the self-built DNS server
Change forward:
.:53 {
log
errors
health
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
forward . 172.31.27.105
cache 30
loop
reload
loadbalance
}
From then on every query for a name outside the cluster is forwarded to the self-built DNS server. That server becomes a single point of failure for all external resolution in the cluster, and the one place where every such name can be observed, so list more than one upstream address in forward (it accepts several) and treat the BIND host's access controls and logs accordingly.