惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
Stack Overflow Blog
Stack Overflow Blog
月光博客
月光博客
T
Threat Research - Cisco Blogs
小众软件
小众软件
有赞技术团队
有赞技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
Apple Machine Learning Research
Apple Machine Learning Research
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Tailwind CSS Blog
Cisco Talos Blog
Cisco Talos Blog
V
V2EX
博客园 - 【当耐特】
C
Cybersecurity and Infrastructure Security Agency CISA
Hugging Face - Blog
Hugging Face - Blog
The Cloudflare Blog
The Last Watchdog
The Last Watchdog
Simon Willison's Weblog
Simon Willison's Weblog
T
Threatpost
S
Secure Thoughts
O
OpenAI News
P
Proofpoint News Feed
S
SegmentFault 最新的问题
Forbes - Security
Forbes - Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Application and Cybersecurity Blog
Application and Cybersecurity Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Last Week in AI
Last Week in AI
宝玉的分享
宝玉的分享
Scott Helme
Scott Helme
T
Tenable Blog
A
Arctic Wolf
L
LINUX DO - 热门话题
爱范儿
爱范儿
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
www.infosecurity-magazine.com
www.infosecurity-magazine.com
V
Visual Studio Blog
Hacker News: Ask HN
Hacker News: Ask HN
Hacker News - Newest:
Hacker News - Newest: "LLM"
腾讯CDC
博客园 - Franky
WordPress大学
WordPress大学
Know Your Adversary
Know Your Adversary
博客园_首页
雷峰网
雷峰网
IT之家
IT之家
PCI Perspectives
PCI Perspectives
L
LINUX DO - 最新话题
H
Heimdal Security Blog

Query on CoreDNS: DNS and Service Discovery

暂无文章

Query Routing
miek · 2016-10-13 · via Query on CoreDNS: DNS and Service Discovery

Quiz time, in the following Corefile:

. {
  proxy . 8.8.8.8:53
  file db.example.com
}

Will a query for www.google.com be handled by the proxy or the file plugin? Answer below.

What does this Corefile actually say? It specifies that queries for root (.) and everything below it (so for all domain names) we should enter this stanza.

Next all queries should be forwarded to 8.8.8.8:53.

Then because the file plugin does not specify what zones should be answered from the db.example.com file, the toplevel one applies, which is root (.)

So we are left with a situation where both plugins will be called for the same names (which can be perfectly valid for plugin that calls other chained-in plugin).

But proxy will not call file because the query will be answered and done with after the plugin exists - the same is true for the opposite direction.

To look what into what happens here we have to look the plugins ordering:

...
dnssec:dnssec
file:file
etcd:etcd
proxy:proxy
...

And we see that file is first and proxy comes somewhat later. This means that in the example above all queries are routed to the file plugin. It will happily answer those with SERVFAIL, because it probably can’t find www.google.com in a file that will mostly have *.example.com names in it.

In order to fix this, we should either have to separate stanza or specify the origin(s) for the file plugin:

. {
  proxy . 8.8.8.8:53
  file db.example.com example.com
}

To preempt a feature request: Yes, it would be nice of CoreDNS can detect and warn about this (it does not do this now).