Fallback forwarding with Unbound?

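I use Unbound on my internal network. What it should do is the following:

  1. If a local_zone matches, return from there
  2. If not, and the name matches the internal domain, try forwarding to Consul at 127.0.0.1:8600
  3. If not, forward to Cloudflare at 1.0.0.1:853 (DNS-over-TLS)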

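For example, if example.com is the internal domain and I try to resolve foo.example.com, it should try steps #1 and #2 and, if those do not match, finally try step #3:

  1. foo.example.com is not found in any local_zone, continue
  2. foo.example.com cannot be resolved by Consul, continue
  3. foo.example.com is resolved by Cloudflare, return the result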

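My problem is that step 3 is not carried out correctly. For example, the demonstration above currently goes as follows:

  1. foo.example.com is not found in any local_zone, continue
  2. foo.example.com cannot be resolved by Consul, return failure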

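Step #2 should not return failure; instead, it should fall back to trying Cloudflare.

How can I fall back, without restriction, to forwarding to another DNS server if resolution fails when forwarding to a given server?

My current configuration is as follows: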


# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

server:
    interface: 0.0.0.0
    interface: ::0

    ip-freebind: yes

    # Access control - default is to deny everything apparently

    # The local network
    access-control: 172.16.230.0/24 allow
    # The docker interface
    access-control: 172.17.0.1/16 allow

    username: "unbound"

    harden-algo-downgrade: yes
    unwanted-reply-threshold: 10000000

    private-domain: "example.com"

    prefetch: yes

    # Service expired cached responses, but only after a failed 
    # attempt to fetch from upstream, and 10 seconds after 
    # expiration. Retry every 10s to see if we can get a
    # response from upstream.
    serve-expired: yes
    serve-expired-ttl: 10
    serve-expired-ttl-reset: yes

    local-zone: "example.com." transparent
    local-data: "foo.example.com.   IN A 172.16.230.100"
    local-data: "bar.example.com.   IN A 172.16.230.101"

    local-data-ptr: "172.16.230.100 foo.example.com."
    local-data-ptr: "172.16.230.101 bar.example.com."

    fast-server-permil: 500

# Forward to consul
stub-zone:
    name: "example.com."
    stub-addr: 127.0.0.1@8600
    stub-first: yes

forward-zone:
    name: "."
    # Cloudflare DNS
    forward-addr: 1.0.0.1@853
    # DNSlify - ref https://www.dnslify.com/services/resolver/
    forward-addr: 185.235.81.1@853
    forward-ssl-upstream: yes
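
The forward-zone in the configuration above enables TLS, but its forward-addr lines carry no `#auth-name` and this file sets no `tls-cert-bundle`, so Unbound has nothing to authenticate the upstream certificate against. The following check is an added example, not part of the original post: the function names `parse` and `audit` are hypothetical, the sample input is constructed from the posted config, and files pulled in through `include:` are not followed.

```python
import re

# Constructed sample: the TLS-relevant lines of the configuration posted above.
SAMPLE = """\
server:
    interface: 0.0.0.0
forward-zone:
    name: "."
    # Cloudflare DNS
    forward-addr: 1.0.0.1@853
    forward-addr: 185.235.81.1@853
    forward-ssl-upstream: yes
"""

TLS_ON = {"forward-tls-upstream", "forward-ssl-upstream",
          "stub-tls-upstream", "stub-ssl-upstream"}
CA_OPTS = {"tls-cert-bundle", "ssl-cert-bundle", "tls-system-cert", "tls-win-cert"}

def parse(text):
    """Split unbound.conf text into [(clause, [(key, value), ...]), ...]."""
    clauses = []
    for raw in text.splitlines():
        # '#' starts a comment only at a token start; in 'ip@port#name' it is data.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        key, sep, value = (p.strip() for p in line.partition(":"))
        if sep and not value:              # "server:", "forward-zone:" open a clause
            clauses.append((key, []))
        elif sep and clauses:
            clauses[-1][1].append((key, value.strip('"')))
    return clauses

def audit(text):
    """List TLS upstreams whose certificate cannot be authenticated."""
    clauses = parse(text)
    has_ca = any(k in CA_OPTS and v not in ("", "no")
                 for name, opts in clauses if name == "server" for k, v in opts)
    findings = []
    for name, opts in clauses:
        tls = any(k in TLS_ON and v == "yes" for k, v in opts)
        if name not in ("forward-zone", "stub-zone") or not tls:
            continue
        zone = next((v for k, v in opts if k == "name"), "?")
        for k, v in opts:
            if k in ("forward-addr", "stub-addr") and "#" not in v:
                findings.append(f"{zone} {v}: no #auth-name, certificate name is not checked")
        if not has_ca:
            findings.append(f"{zone}: no CA bundle under server:, certificate chain is not verified")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per forward-addr plus one for the missing CA bundle; a config that sets `tls-cert-bundle` and appends `#name` to every TLS forward-addr returns an empty list.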
