惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Stack Overflow Blog
Stack Overflow Blog
WordPress大学
WordPress大学
小众软件
小众软件
量子位
雷峰网
雷峰网
酷 壳 – CoolShell
酷 壳 – CoolShell
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Jina AI
Jina AI
T
Threat Research - Cisco Blogs
博客园_首页
The Hacker News
The Hacker News
C
Cyber Attacks, Cyber Crime and Cyber Security
有赞技术团队
有赞技术团队
宝玉的分享
宝玉的分享
Security Latest
Security Latest
博客园 - 叶小钗
The Last Watchdog
The Last Watchdog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
IT之家
IT之家
腾讯CDC
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
L
Lohrmann on Cybersecurity
V
V2EX
P
Proofpoint News Feed
I
Intezer
云风的 BLOG
云风的 BLOG
Spread Privacy
Spread Privacy
罗磊的独立博客
H
Help Net Security
T
Tor Project blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Schneier on Security
Blog — PlanetScale
Blog — PlanetScale
L
LINUX DO - 热门话题
D
DataBreaches.Net
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
W
WeLiveSecurity
N
News and Events Feed by Topic
TaoSecurity Blog
TaoSecurity Blog
Simon Willison's Weblog
Simon Willison's Weblog
Latest news
Latest news
P
Proofpoint News Feed
NISL@THU
NISL@THU
Y
Y Combinator Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - Franky
Hugging Face - Blog
Hugging Face - Blog
P
Palo Alto Networks Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
S
Security @ Cisco Blogs

Corefile on CoreDNS: DNS and Service Discovery

Corefile Explained
Query Routing
miek · 2016-10-13 · via Corefile on CoreDNS: DNS and Service Discovery

Quiz time, in the following Corefile:

. {
  proxy . 8.8.8.8:53
  file db.example.com
}

Will a query for www.google.com be handled by the proxy or the file plugin? Answer below.

What does this Corefile actually say? It specifies that queries for root (.) and everything below it (so for all domain names) we should enter this stanza.

Next all queries should be forwarded to 8.8.8.8:53.

Then because the file plugin does not specify what zones should be answered from the db.example.com file, the toplevel one applies, which is root (.)

So we are left with a situation where both plugins will be called for the same names (which can be perfectly valid for plugin that calls other chained-in plugin).

But proxy will not call file because the query will be answered and done with after the plugin exists - the same is true for the opposite direction.

To look what into what happens here we have to look the plugins ordering:

...
dnssec:dnssec
file:file
etcd:etcd
proxy:proxy
...

And we see that file is first and proxy comes somewhat later. This means that in the example above all queries are routed to the file plugin. It will happily answer those with SERVFAIL, because it probably can’t find www.google.com in a file that will mostly have *.example.com names in it.

In order to fix this, we should either have to separate stanza or specify the origin(s) for the file plugin:

. {
  proxy . 8.8.8.8:53
  file db.example.com example.com
}

To preempt a feature request: Yes, it would be nice of CoreDNS can detect and warn about this (it does not do this now).