DNS appends the local domain to random queries

    Aug  9 23:14:45 dnsmasq[11657]: reply registry-1.docker.io is 54.88.231.116
    Aug  9 23:14:45 dnsmasq[11657]: reply registry-1.docker.io is 100.24.246.89
    Aug  9 23:14:45 dnsmasq[11657]: reply registry-1.docker.io is 34.197.189.129
    Aug  9 23:14:45 dnsmasq[11657]: reply registry-1.docker.io is 3.221.133.86
    Aug  9 23:14:45 dnsmasq[11657]: reply registry-1.docker.io is 3.224.11.4
    Aug  9 23:14:45 dnsmasq[11657]: reply registry-1.docker.io is 54.210.105.17
    Aug  9 23:14:50 dnsmasq[11657]: query[A] gitlab.mydomain.com.home from 192.168.1.20
    Aug  9 23:14:50 dnsmasq[11657]: forwarded gitlab.mydomain.com.home to 192.168.1.2
    Aug  9 23:14:50 dnsmasq[11657]: reply gitlab.mydomain.com.home is NXDOMAIN
    Aug  9 23:14:50 dnsmasq[11657]: query[AAAA] gitlab.mydomain.com.home from 192.168.1.20
    Aug  9 23:14:50 dnsmasq[11657]: forwarded gitlab.mydomain.com.home to 192.168.1.2
    Aug  9 23:14:50 dnsmasq[11657]: reply gitlab.mydomain.com.home is NODATA-IPv6
    Aug  9 23:14:51 dnsmasq[11657]: query[A] registry.mydomain.com.home from 192.168.1.20
    Aug  9 23:14:51 dnsmasq[11657]: forwarded registry.mydomain.com.home to 192.168.1.2
    Aug  9 23:14:51 dnsmasq[11657]: query[AAAA] registry.mydomain.com.home from 192.168.1.20
    Aug  9 23:14:51 dnsmasq[11657]: forwarded registry.mydomain.com.home to 192.168.1.2
    Aug  9 23:14:51 dnsmasq[11657]: reply registry.mydomain.com.home is NXDOMAIN
    Aug  9 23:14:51 dnsmasq[11657]: reply registry.mydomain.com.home is NODATA-IPv6
    Aug  9 23:14:51 dnsmasq[11657]: query[AAAA] registry.mydomain.com.home from 192.168.1.21
    Aug  9 23:14:51 dnsmasq[11657]: cached registry.mydomain.com.home is NODATA-IPv6
    Aug  9 23:14:51 dnsmasq[11657]: query[A] gitlab.mydomain.com.home from 192.168.1.21
    Aug  9 23:14:51 dnsmasq[11657]: cached gitlab.mydomain.com.home is NXDOMAIN
    Aug  9 23:14:52 dnsmasq[11657]: query[A] registry.mydomain.com.home from 192.168.1.21
    Aug  9 23:14:52 dnsmasq[11657]: cached registry.mydomain.com.home is NXDOMAIN
    Aug  9 23:14:52 dnsmasq[11657]: query[A] registry-1.docker.io.home from 192.168.1.21
    Aug  9 23:14:52 dnsmasq[11657]: forwarded registry-1.docker.io.home to 192.168.1.2
    Aug  9 23:14:52 dnsmasq[11657]: query[AAAA] registry-1.docker.io.home from 192.168.1.20
    Aug  9 23:14:52 dnsmasq[11657]: forwarded registry-1.docker.io.home to 192.168.1.2
    Aug  9 23:14:52 dnsmasq[11657]: reply registry-1.docker.io.home is NXDOMAIN
    Aug  9 23:14:52 dnsmasq[11657]: reply registry-1.docker.io.home is NODATA-IPv6

These requests come from a Kubernetes pod. Inside the pod, its configuration is:

    bash-4.4$ cat /etc/resolv.conf
    nameserver 10.96.0.10
    search gitlab-managed-apps.svc.cluster.local svc.cluster.local cluster.local home
    options ndots:5

If I run nslookup, it seems to work:

    bash-4.4$ nslookup registry.mydomain.com
    nslookup: can't resolve '(null)': Name does not resolve

    Name:      registry.mydomain.com
    Address 1: 104.18.61.234
    Address 2: 104.18.60.234
    Address 3: 2606:4700:30::6812:3dea
    Address 4: 2606:4700:30::6812:3cea
    bash-4.4$

But I still get .home appended:

    Aug  9 23:44:13 dnsmasq[11657]: query[AAAA] gitlab.mydomain.com.home from 192.168.1.20
    Aug  9 23:44:13 dnsmasq[11657]: cached gitlab.mydomain.com.home is NXDOMAIN
    Aug  9 23:44:13 dnsmasq[11657]: query[A] gitlab.mydomain.com.home from 192.168.1.21
    Aug  9 23:44:13 dnsmasq[11657]: cached gitlab.mydomain.com.home is NODATA-IPv4

The DNS configuration of the Kubernetes host is:

    root@node-a:/etc$ cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.

    nameserver 127.0.0.53
    search home

I am using CoreDNS, with the following configuration:

    apiVersion: v1
    data:
      Corefile: |
        mydomain.com {
            log
            forward . 1.1.1.1 1.0.0.1 9.9.9.9
            reload
        }
        .:53 {
            log
            errors
            health
            kubernetes cluster.local in-addr.arpa ip6.arpa {
               pods insecure
               upstream
               fallthrough in-addr.arpa ip6.arpa
            }
            prometheus :9153
            #proxy . /etc/resolv.conf
            forward . 192.168.1.2:53 {
                except mydomain.com
            }
            cache 30
            loop
            reload
        }

I tried editing the config to point at 1.1.1.1, but that failed. For some reason, something appends .home to the end of the domain name:

    tail -f pihole.log |grep alpine
    Aug 10 00:03:59 dnsmasq[11657]: query[AAAA] dl-cdn.alpinelinux.org.home from 192.168.1.20
    Aug 10 00:03:59 dnsmasq[11657]: cached dl-cdn.alpinelinux.org.home is NXDOMAIN
    Aug 10 00:03:59 dnsmasq[11657]: query[A] dl-cdn.alpinelinux.org.home from 192.168.1.20
    Aug 10 00:03:59 dnsmasq[11657]: cached dl-cdn.alpinelinux.org.home is NODATA-IPv4
    Aug 10 00:03:59 dnsmasq[11657]: query[A] dl-cdn.alpinelinux.org.home from 192.168.1.21
    Aug 10 00:03:59 dnsmasq[11657]: cached dl-cdn.alpinelinux.org.home is NODATA-IPv4
    Aug 10 00:03:59 dnsmasq[11657]: query[AAAA] dl-cdn.alpinelinux.org.home from 192.168.1.21
    Aug 10 00:03:59 dnsmasq[11657]: cached dl-cdn.alpinelinux.org.home is NXDOMAIN

My DNS path is as follows:

Pod -> CoreDNS -> Pi-hole (for ad blocking) -> Bind9 -> cloudflared 1.1.1.1/1.0.0.1

Given that I see .home being appended in Pi-hole (and failing to resolve), I think the problem is not bind9 or cloudflared, but rather the pod configuration, CoreDNS, or Pi-hole. Where does this come from?

So far, I have partially worked around the problem by changing the GitLab runner deployment to use the following DNS properties:

    dnsConfig:
      nameservers:
        - 1.1.1.1
        - 9.9.9.9
      options:
        - name: ndots
          value: "2"
        - name: edns0
      dnsPolicy: None

Thanks!
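The `grep alpine` above picks out one name at a time. As an added example (not code from the question or its answerer), the following Python script scans dnsmasq-format log lines like those quoted above and reports every query that carries a LAN search suffix and received a negative answer, grouped by the bare name and the client that sent it. The sample lines are constructed, mostly from the excerpts on this page (the `printer.home` lines are invented to show a legitimate LAN name being left alone); `SEARCH_SUFFIXES` is an assumption taken from the host's `search home` line, and the function names are mine.

```python
"""Flag search-suffix leakage in a dnsmasq / Pi-hole query log.

Added example. The idea: an external FQDN such as gitlab.mydomain.com that
shows up as gitlab.mydomain.com.home is a client appending its search list
before trying the absolute name, and each such query is a wasted round trip
that the upstream resolver answers NXDOMAIN / NODATA.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Assumption: the suffix the LAN resolvers add (from the host's `search home`).
SEARCH_SUFFIXES = ("home",)

# Matches: query[A] name from client | forwarded name to server
#          reply name is answer      | cached name is answer
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query\[[A-Z]+\]|forwarded|reply|cached) "
    r"(?P<name>\S+) (?:from|to|is) (?P<arg>\S+)\s*$"
)

# Constructed sample; the .home lines mirror the question's log excerpts.
SAMPLE_LOG = """\
Aug  9 23:14:45 dnsmasq[11657]: reply registry-1.docker.io is 54.88.231.116
Aug  9 23:14:50 dnsmasq[11657]: query[A] gitlab.mydomain.com.home from 192.168.1.20
Aug  9 23:14:50 dnsmasq[11657]: forwarded gitlab.mydomain.com.home to 192.168.1.2
Aug  9 23:14:50 dnsmasq[11657]: reply gitlab.mydomain.com.home is NXDOMAIN
Aug  9 23:14:51 dnsmasq[11657]: query[AAAA] registry.mydomain.com.home from 192.168.1.21
Aug  9 23:14:51 dnsmasq[11657]: cached registry.mydomain.com.home is NODATA-IPv6
Aug  9 23:14:52 dnsmasq[11657]: query[A] registry-1.docker.io.home from 192.168.1.21
Aug  9 23:14:52 dnsmasq[11657]: reply registry-1.docker.io.home is NXDOMAIN
Aug  9 23:14:53 dnsmasq[11657]: query[A] printer.home from 192.168.1.30
Aug  9 23:14:53 dnsmasq[11657]: reply printer.home is 192.168.1.40
"""


def strip_suffix(name: str, suffixes: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (bare_name, suffix) if `name` ends in one of the suffixes."""
    for s in suffixes:
        if name.endswith("." + s):
            return name[: -(len(s) + 1)], s
    return None


def find_suffix_leaks(lines: Iterable[str],
                      suffixes: Iterable[str] = SEARCH_SUFFIXES) -> Dict[str, dict]:
    """Return {bare_name: {"clients": [...], "queries": n, "negative": n}}.

    Only names that still contain a dot after the suffix is removed are
    reported: `printer.home` is a real LAN host, whereas
    `gitlab.mydomain.com.home` is an external FQDN with a suffix glued on.
    """
    stats = defaultdict(lambda: {"clients": set(), "queries": 0, "negative": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        split = strip_suffix(m["name"], suffixes)
        if split is None or "." not in split[0]:
            continue
        bare = split[0]
        if m["kind"].startswith("query"):
            stats[bare]["queries"] += 1
            stats[bare]["clients"].add(m["arg"])
        elif m["kind"] in ("reply", "cached") and (
            m["arg"] == "NXDOMAIN" or m["arg"].startswith("NODATA")
        ):
            stats[bare]["negative"] += 1
    return {
        name: {"clients": sorted(v["clients"]),
               "queries": v["queries"], "negative": v["negative"]}
        for name, v in sorted(stats.items())
    }


if __name__ == "__main__":
    for name, info in find_suffix_leaks(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {info['queries']} suffixed queries, "
              f"{info['negative']} negative answers, from {info['clients']}")
```

Run it against `pihole.log` (`find_suffix_leaks(open("/var/log/pihole.log"))`) and the `clients` list tells you which IPs, here the two cluster nodes, are leaking search-suffixed lookups, which is the hint that points at the pod resolver settings rather than at Bind9 or cloudflared.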

Answer 1

Posting this answer as community wiki based on @yoonix's comment, for better visibility to other users with the same problem.

In the OP's case, ndots is set to 5 (the default is 1). This means that if ndots is set to 5 and the name contains fewer than 5 dots, the system call will first try to resolve it against every local search domain in order, and only if none succeeds will it finally resolve it as an absolute name.

ndots:n

Sets a threshold for the number of dots which must appear in a name before an initial absolute query will be made. The default for n is 1, meaning that if there are any dots in a name, the name will be tried first as an absolute name before any search list elements are appended to it.

In the OP's update, the ndots value is set to 2, and it now works correctly.

      options:
        - name: ndots
          value: "2"

More details on ndots can be found here.
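To make the search-list order concrete, here is an added Python model (mine, not the answer's code and not any libc's source) of the glibc `res_search` order the answer describes, applied to the search list and ndots values quoted from the pod's `/etc/resolv.conf`. `POD_SEARCH`, the ndots constants and the function names are assumptions; the "cluster.local is answered inside CoreDNS" rule follows the Corefile's `kubernetes cluster.local` stanza, which only falls through for the reverse zones.

```python
"""Model of the stub resolver's search-list expansion (glibc res_search order).

Added example: it reproduces why Pi-hole sees names such as
gitlab.mydomain.com.home when a pod has `search ... home` and `ndots:5`,
and why `ndots:2` makes those queries disappear.
"""
from typing import Iterable, List, Set

# Assumed from the pod's /etc/resolv.conf quoted in the question.
POD_SEARCH = [
    "gitlab-managed-apps.svc.cluster.local",
    "svc.cluster.local",
    "cluster.local",
    "home",
]
POD_NDOTS = 5    # the default Kubernetes pod setting seen in the question
FIXED_NDOTS = 2  # the value from the OP's dnsConfig workaround


def candidate_names(name: str, search: Iterable[str], ndots: int) -> List[str]:
    """Query names the resolver tries for `name`, in order (glibc semantics).

    - a trailing dot marks the name absolute: tried as-is and nothing else;
    - at least `ndots` dots: bare name first, then each search suffix;
    - fewer dots: each search suffix first, bare name last.
    (musl, which Alpine images use, drops the search list entirely once
    the dot count reaches ndots; the "fewer dots" branch is the same.)
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixed = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


def queries_sent(name: str, search: Iterable[str], ndots: int,
                 resolvable: Set[str]) -> List[str]:
    """Walk the candidate list and stop at the first name that resolves.

    `resolvable` stands in for the real DNS: the names that have an answer.
    """
    sent = []
    for candidate in candidate_names(name, search, ndots):
        sent.append(candidate)
        if candidate in resolvable:
            break
    return sent


def reaches_upstream(names: Iterable[str],
                     cluster_zones: Iterable[str] = ("cluster.local",)) -> List[str]:
    """Which of these queries CoreDNS forwards instead of answering itself.

    The kubernetes plugin is authoritative for cluster.local, so candidates
    under it get NXDOMAIN inside the cluster; everything else goes to the
    `forward` block, i.e. to Pi-hole in the question's setup.
    """
    zones = tuple(cluster_zones)
    return [n for n in names
            if not any(n == z or n.endswith("." + z) for z in zones)]


if __name__ == "__main__":
    exists = {"gitlab.mydomain.com", "registry-1.docker.io"}
    for ndots in (POD_NDOTS, FIXED_NDOTS):
        print(f"ndots:{ndots}")
        for q in sorted(exists):
            sent = queries_sent(q, POD_SEARCH, ndots, exists)
            print(f"  {q}: {len(sent)} lookups, forwarded to Pi-hole: "
                  f"{reaches_upstream(sent)}")
```

With `ndots:5` a two-dot name like `gitlab.mydomain.com` costs five lookups, and the last two (`gitlab.mydomain.com.home` and the bare name) leave the cluster, which is exactly the pair of lines the Pi-hole log shows; with `ndots:2` the bare name is tried first and resolves, so nothing suffixed ever reaches Pi-hole. A name with a trailing dot (`registry.mydomain.com.`) short-circuits the search list regardless of ndots.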
