Powerdns 服务器未传递权限参数

编程问答 2022-05-29

问题描述

我在服务器上安装了 powerdns 来处理 DNS 请求。

设置在 5300 端口有 powerdns,在 5301 端口有 recursor,在 53 端口有 dnsdist。

如果我执行 dig 我得到的结果不具有权威性,因此被其他名称服务器忽略。

1.同时调用递归:

dig a essyfortunes.com @85.10.203.183

; <<>> DiG 9.16.1-Ubuntu <<>> a essyfortunes.com @85.10.203.183
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,status: NOERROR,id: 64902
;; flags: qr rd ra; QUERY: 1,ANSWER: 1,AUTHORITY: 0,ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; ednS: version: 0,flags:; udp: 512
;; QUESTION SECTION:
;essyfortunes.com.      IN  A

;; ANSWER SECTION:
essyfortunes.com.   0   IN  A   95.216.38.152

;; Query time: 155 msec
;; SERVER: 85.10.203.183#53(85.10.203.183)
;; WHEN: Tue Jan 19 09:04:44 EAT 2021
;; MSG SIZE  rcvd: 61

1.同时调用powerdns:

dig a essyfortunes.com @85.10.203.183 -p 5300

; <<>> DiG 9.16.1-Ubuntu <<>> a essyfortunes.com @85.10.203.183 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,id: 19637
;; flags: qr aa rd; QUERY: 1,ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; ednS: version: 0,flags:; udp: 1232
;; QUESTION SECTION:
;essyfortunes.com.      IN  A

;; ANSWER SECTION:
essyfortunes.com.   0   IN  A   95.216.38.152

;; Query time: 155 msec
;; SERVER: 85.10.203.183#5300(85.10.203.183)
;; WHEN: Tue Jan 19 09:05:06 EAT 2021
;; MSG SIZE  rcvd: 61

powerdns 和 recursor 都使用认设置。我的dnsdist设置如下;

setLocal('85.10.203.183')
setACL({'0.0.0.0/0','::/0'}) -- Allow all IPs access

newServer({address='85.10.203.183:5300',pool='auth'})
newServer({address='85.10.203.183:5301',pool='recursor'})

recursive_ips = newNMG()
recursive_ips:addMask('0.0.0.0/0') -- These network masks are the ones from allow-recursion in the Authoritative Server

addAction(NetmaskGroupRule(recursive_ips),PoolAction('recursor'))
addAction(AllRule(),PoolAction('auth'))

解决方法

问题是 dnsdist 设置的错误配置。

允许的递归流量应该在本地子网内有限制。例如 192.168.0.0/16 或 127.0.0.0/8

新配置如下所示;

setLocal('85.10.203.183')
setACL({'0.0.0.0/0','::/0'}) -- Allow all IPs access

newServer({address='85.10.203.183:5300',pool='auth'})
newServer({address='85.10.203.183:5301',pool='recursor'})

recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8') -- These network masks are the ones from allow-recursion in the Authoritative Server

addAction(NetmaskGroupRule(recursive_ips),PoolAction('recursor'))
addAction(AllRule(),PoolAction('auth'))
dnsdnsnameserverspowerdnspropagation