Problem description
I installed powerdns on a server to handle DNS requests.
The setup has powerdns on port 5300, the recursor on port 5301, and dnsdist on port 53.
If I run dig, the result I get is not authoritative, and is therefore ignored by other name servers.
1. Querying the recursor:
dig a essyfortunes.com @85.10.203.183
; <<>> DiG 9.16.1-Ubuntu <<>> a essyfortunes.com @85.10.203.183
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64902
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;essyfortunes.com. IN A
;; ANSWER SECTION:
essyfortunes.com. 0 IN A 95.216.38.152
;; Query time: 155 msec
;; SERVER: 85.10.203.183#53(85.10.203.183)
;; WHEN: Tue Jan 19 09:04:44 EAT 2021
;; MSG SIZE rcvd: 61
2. Querying powerdns directly:
dig a essyfortunes.com @85.10.203.183 -p 5300
; <<>> DiG 9.16.1-Ubuntu <<>> a essyfortunes.com @85.10.203.183 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, id: 19637
;; flags: qr aa rd; QUERY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;essyfortunes.com. IN A
;; ANSWER SECTION:
essyfortunes.com. 0 IN A 95.216.38.152
;; Query time: 155 msec
;; SERVER: 85.10.203.183#5300(85.10.203.183)
;; WHEN: Tue Jan 19 09:05:06 EAT 2021
;; MSG SIZE rcvd: 61
powerdns and the recursor both use default settings. My dnsdist configuration is as follows:
setLocal('85.10.203.183')
setACL({'0.0.0.0/0','::/0'}) -- Allow all IPs access
newServer({address='85.10.203.183:5300',pool='auth'})
newServer({address='85.10.203.183:5301',pool='recursor'})
recursive_ips = newNMG()
recursive_ips:addMask('0.0.0.0/0') -- These network masks are the ones from allow-recursion in the Authoritative Server
addAction(NetmaskGroupRule(recursive_ips),PoolAction('recursor'))
addAction(AllRule(),PoolAction('auth'))
Solution
The problem is a misconfiguration in the dnsdist setup.
The allowed recursive traffic should be restricted to local subnets, for example 192.168.0.0/16 or 127.0.0.0/8.
The new configuration looks like this:
setLocal('85.10.203.183')
setACL({'0.0.0.0/0','::/0'}) -- Allow all IPs access
newServer({address='85.10.203.183:5300',pool='auth'})
newServer({address='85.10.203.183:5301',pool='recursor'})
recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8') -- These network masks are the ones from allow-recursion in the Authoritative Server
addAction(NetmaskGroupRule(recursive_ips),PoolAction('recursor'))
addAction(AllRule(),PoolAction('auth'))
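As an added example (not part of the original question or answer), here is a small shell check for verifying the fix from the outside. With recursive_ips set to 0.0.0.0/0, every client, external ones included, is routed to the recursor pool, so the public address behaves as an open resolver and the answers it returns for the hosted zone carry "ra" but never "aa". After restricting the netmask group, an external query should land in the auth pool and come back with "aa" set. The script classifies a dig response by its header flags; the sample responses are constructed from the two dig runs above, and the server/zone names in the live check are placeholders I chose, not values from the post.

```shell
#!/bin/sh
# Added example: classify dig responses by header flags to tell an
# authoritative answer from an open-recursor answer, then use that to
# verify a dnsdist front end from an external vantage point.

# Extract the flag list ("qr aa rd", "qr rd ra", ...) from dig output on stdin.
dig_flags() {
  sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr -s ' '
}

# Return 0 if the space-separated flag list $1 contains flag $2.
has_flag() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify a complete dig response passed as $1:
#   authoritative  - aa set: the query reached the authoritative pool
#   open-recursor  - ra set without aa: the symptom from the question
#   other          - neither (e.g. a refused or non-recursive answer)
classify_response() {
  flags=$(printf '%s\n' "$1" | dig_flags)
  if has_flag "$flags" aa; then
    echo authoritative
  elif has_flag "$flags" ra; then
    echo open-recursor
  else
    echo other
  fi
}

# Constructed sample: the header of the port 53 answer from the question
# (recursor pool, no aa flag).
SAMPLE_RECURSIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64902
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: the header of the port 5300 answer (auth pool, aa set).
SAMPLE_AUTHORITATIVE=';; ->>HEADER<<- opcode: QUERY, id: 19637
;; flags: qr aa rd; QUERY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# Live check, run from a host outside the allowed recursive subnets:
# query the public front end with a normal (rd=1) query and require an
# authoritative answer. Returns 0 on success, 1 if the answer is not
# authoritative, 2 if dig itself failed. Placeholder arguments; requires dig.
check_frontend() {
  server=$1
  name=$2
  out=$(dig "$name" @"$server" 2>&1) || return 2
  [ "$(classify_response "$out")" = authoritative ]
}

# Usage (not executed here):
#   check_frontend 85.10.203.183 essyfortunes.com && echo "OK: authoritative" \
#     || echo "FAIL: front end still routes external clients to the recursor"
```

Run the live check once from an address outside recursive_ips (after the fix it should print OK) and once from 127.0.0.1 on the server itself, where the answer is expected to come from the recursor pool.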