Query Routing
miek · 2016-10-13 · via Query on CoreDNS: DNS and Service Discovery

Quiz time, in the following Corefile:

. {
  proxy . 8.8.8.8:53
  file db.example.com
}

Will a query for www.google.com be handled by the proxy or the file plugin? Answer below.

What does this Corefile actually say? It specifies that queries for the root (.) and everything below it (so for all domain names) should enter this stanza.

Next, all queries should be forwarded to 8.8.8.8:53.

Then, because the file plugin does not specify which zones should be answered from the db.example.com file, the top-level one applies, which is root (.).

So we are left with a situation where both plugins will be called for the same names (which can be perfectly valid for a plugin that calls other chained-in plugins).

But proxy will not call file, because the query will be answered and done with after the plugin exits. The same is true in the opposite direction.

To see what happens here we have to look at the plugin ordering:

...
dnssec:dnssec
file:file
etcd:etcd
proxy:proxy
...

And we see that file is first and proxy comes somewhat later. This means that in the example above all queries are routed to the file plugin. It will happily answer those with SERVFAIL, because it probably can’t find www.google.com in a file that will mostly have *.example.com names in it.

In order to fix this, we should either use separate stanzas or specify the origin(s) for the file plugin:

. {
  proxy . 8.8.8.8:53
  file db.example.com example.com
}

To preempt a feature request: yes, it would be nice if CoreDNS could detect and warn about this (it does not do this now).
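
A simplified model of the routing decision described above, added here as an illustration and not CoreDNS's own code. `Parse`, `covers` and `Route` are hypothetical names, the ordering list is the excerpt quoted in the post, and only the `proxy` and `file` argument forms shown in the post are modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Excerpt of the fixed plugin ordering quoted in the post.
var order = []string{"dnssec", "file", "etcd", "proxy"}

// Parse (hypothetical helper) maps each plugin in one stanza to its zones. Assumed forms:
// "proxy FROM TO..." and "file DBFILE [ZONES...]"; no zones means the stanza's zone applies.
func Parse(blockZone string, lines ...string) map[string][]string {
	conf := map[string][]string{}
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) > 1 && f[0] == "proxy" {
			conf[f[0]] = f[1:2]
		} else if len(f) > 2 && f[0] == "file" {
			conf[f[0]] = f[2:]
		} else if len(f) > 0 {
			conf[f[0]] = []string{blockZone}
		}
	}
	return conf
}

// covers reports whether name is at or below zone (leading/trailing dots ignored).
func covers(zone, name string) bool {
	z, n := strings.Trim(zone, "."), strings.Trim(name, ".")
	return z == "" || n == z || strings.HasSuffix(n, "."+z)
}

// Route walks the fixed ordering, not Corefile order; the first covering plugin answers.
func Route(conf map[string][]string, qname string) string {
	for _, p := range order {
		for _, z := range conf[p] {
			if covers(z, qname) {
				return p
			}
		}
	}
	return ""
}

func main() {
	broken := Parse(".", "proxy . 8.8.8.8:53", "file db.example.com")
	fmt.Println(Route(broken, "www.google.com.")) // file
}
```

Parsing the corrected stanza (`file db.example.com example.com`) with the same functions sends www.google.com to proxy and names under example.com to file.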