CoreDNS
Installation
$ git clone https://github.com/coredns/coredns
$ cd coredns
$ make
$ echo 'export PATH=$HOME/coredns:$PATH' >> ~/.bash_profile
make produces a single coredns binary in the repository root; the PATH line above assumes the clone lives in $HOME.
Plugins
Forwarder
Specifying an IP address
Corefile
core.yokohei.com {
file db.core.yokohei.com
log
}
. {
forward . 8.8.8.8
}
Queries for any name other than core.yokohei.com are forwarded to 8.8.8.8.
Two caveats: forward applies no source restriction of its own, so if this listener is reachable from the internet it is an open resolver that can be abused for reflection and amplification (bind it to an internal address with the bind plugin, or firewall 53/udp and 53/tcp); and the upstream traffic is plaintext unless the upstream is written as tls://8.8.8.8 with tls_servername dns.google set.
Specifying /etc/resolv.conf
forward also accepts the path of a resolv.conf-style file and uses the nameserver entries in it, which is convenient in containers where the host's resolvers are injected at start-up.
Corefile
core.yokohei.com {
file db.core.yokohei.com
log
}
. {
forward . /etc/resolv.conf
}
Authoritative Serving From Files
First, create a sample zone file db.example.org like the following (it is the example from the file plugin's documentation). Note the indentation: a record line that starts with whitespace takes the owner of the previous record, which is how the two NS lines end up at the apex instead of under a name called 3600.
$ORIGIN example.org.
@       3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
                2017042745 ; serial
                7200       ; refresh (2 hours)
                3600       ; retry (1 hour)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )
        3600 IN NS a.iana-servers.net.
        3600 IN NS b.iana-servers.net.
www     IN A    127.0.0.1
        IN AAAA ::1
Next, edit the Corefile.
example.org {
file db.example.org
log
}
dig returns the answer with the aa flag set, as it should (+norec sends the query without RD, so only a server that is authoritative for the name can answer it):
$ dig www.example.org +norec @127.0.0.1
; <<>> DiG 9.10.6 <<>> www.example.org +norec @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 539
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.org. IN A
;; ANSWER SECTION:
www.example.org. 3600 IN A 127.0.0.1
;; AUTHORITY SECTION:
example.org. 3600 IN NS a.iana-servers.net.
example.org. 3600 IN NS b.iana-servers.net.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 20 20:56:29 IST 2019
;; MSG SIZE rcvd: 161
Delegation
yokohei.com. zone - nameserver: Route 53
core.yokohei.com. zone - nameserver: CoreDNS
The parent zone yokohei.com on Route 53 delegates core.yokohei.com with an NS record pointing at ns.core.yokohei.com plus a glue A record for it (18.203.241.24); the child zone below repeats that NS record and the A record.
Corefile
core.yokohei.com {
file db.core.yokohei.com
log
}
. {
forward . 8.8.8.8
}
db.core.yokohei.com
$ORIGIN core.yokohei.com.
@       3600 IN SOA ns.core.yokohei.com. root.yokohei.com. (
                2019062214 ; serial
                7200       ; refresh (2 hours)
                3600       ; retry (1 hour)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )
        3600 IN NS ns.core.yokohei.com.
www     IN A    127.0.0.1
ns      IN A    18.203.241.24
Confirm with dig through a public resolver. The apex has no A record, so the answer section is empty, but the SOA in the authority section is the one from db.core.yokohei.com (serial 2019062214), which shows that 8.8.8.8 followed the delegation down to the CoreDNS server:
$ dig core.yokohei.com @8.8.8.8
; <<>> DiG 9.11.0rc1 <<>> core.yokohei.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47721
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;core.yokohei.com. IN A
;; AUTHORITY SECTION:
core.yokohei.com. 1799 IN SOA ns.core.yokohei.com. root.yokohei.com. 2019062214 7200 3600 1209600 3600
;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 22 15:18:33 UTC 2019
;; MSG SIZE rcvd: 89
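As an added example (not from this page or from CoreDNS), here is a small zone-file checker in Python for the two zone files above. It parses the master-file subset they use, including the blank-owner inheritance that makes the indented NS lines belong to the apex, and then checks what the delegation in this section relies on: an in-zone nameserver such as ns.core.yokohei.com must have a glue A record (here, and again next to the NS record in the parent on Route 53). It also implements RFC 1982 serial comparison, which is what a secondary uses to decide whether a zone has changed. The embedded zone text is a constructed copy of db.core.yokohei.com; the function names parse_zone, check_zone and serial_increased are this example's own, and things like quoted TXT strings, $INCLUDE or $GENERATE are out of scope.

```python
"""Sanity checks for the zone files on this page.

Added example, not CoreDNS code: a parser for the master-file subset used in db.example.org and
db.core.yokohei.com ($ORIGIN, $TTL, '@', blank-owner inheritance, ';' comments, parenthesised SOA)
plus the checks a delegation or a secondary quietly depends on.
"""
import sys

DEFAULT_TTL = 3600  # what miekg/dns (the parser CoreDNS uses) assumes when no $TTL is given

# Constructed copy of the db.core.yokohei.com zone shown above.
SAMPLE_ZONE = """\
$ORIGIN core.yokohei.com.
@       3600 IN SOA ns.core.yokohei.com. root.yokohei.com. (
                2019062214 ; serial
                7200       ; refresh (2 hours)
                3600       ; retry (1 hour)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )
        3600 IN NS ns.core.yokohei.com.
www     IN A    127.0.0.1
ns      IN A    18.203.241.24
"""

def _absolute(name: str, origin: str) -> str:
    """'@' is the origin; names without a trailing dot are relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str):
    """Return (origin, records); each record is (owner, ttl, rtype, rdata_tokens)."""
    origin, default_ttl, last_owner, records = "", DEFAULT_TTL, None, []
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # comments first: "(2 hours)" must not count as a paren
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:  # a parenthesised SOA becomes one logical line
            logical.append(" ".join(buf))
            buf = []
    for line in logical:
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # Leading whitespace means "same owner as the previous record" (RFC 1035 section 5.1);
        # this is why the NS lines in the zone files above must stay indented.
        owner = last_owner if line[0].isspace() else _absolute(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        for _ in range(2):  # optional TTL and class, in either order
            if tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            elif tokens[0].upper() in ("IN", "CH", "HS"):
                tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype in ("NS", "CNAME", "SOA"):  # domain names in rdata are relative to $ORIGIN too
            tokens = [t if t.isdigit() else _absolute(t, origin) for t in tokens]
        records.append((owner, ttl, rtype, tokens))
    return origin, records

def check_zone(origin: str, records) -> list:
    """Problems that would bite when serving, delegating or transferring the zone; [] means clean."""
    problems = []
    apex_soa = [r for r in records if r[0] == origin and r[2] == "SOA"]
    if len(apex_soa) != 1:
        problems.append(f"{origin} needs exactly one apex SOA, found {len(apex_soa)}")
    apex_ns = [r for r in records if r[0] == origin and r[2] == "NS"]
    if not apex_ns:
        problems.append(f"{origin} has no apex NS record")
    has_address = {r[0] for r in records if r[2] in ("A", "AAAA")}
    for _, _, _, rdata in apex_ns:
        target = rdata[0]
        # An NS inside its own zone (ns.core.yokohei.com. above) needs glue: an A/AAAA here, and
        # the same glue next to the NS record in the parent (Route 53 above), or nobody finds it.
        if target.endswith("." + origin) and target not in has_address:
            problems.append(f"in-zone nameserver {target} has no A/AAAA glue record")
    return problems

def serial_increased(old: int, new: int) -> bool:
    """RFC 1982 serial arithmetic: a secondary only pulls the zone when the serial went 'up'."""
    return new != old and (new - old) % 2**32 < 2**31

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    origin, records = parse_zone(text)
    for rec in records:
        print(rec)
    print("problems:", check_zone(origin, records) or "none")
```

Run it with the path of a zone file (or with no argument to use the embedded copy) before bumping the serial and letting the secondary pull it; the glue check is the one that a working dig against the child alone will not catch, because the missing record is the one the parent needs.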
Integration with Route 53
Apparently it serves the zone data of a Route 53 hosted zone directly. That's impressive.
Credentials can be given in the Corefile, but if they are left out the plugin obtains them the same way the AWS CLI does (the SDK default chain: environment variables, the shared credentials file, then the instance profile). Great. Whichever source you use, give it read-only Route 53 permissions: the plugin only reads the zone, and a write-capable key sitting on a DNS server is a zone hijack waiting to happen.
Corefile
. {
forward . 8.8.8.8:53
}
yokohei.local {
route53 yokohei.local.:Z1234EXAMPLE
}
While I was at it (?), I used a private hosted zone.
Let's dig it. Note the warning dig prints: .local is reserved for multicast DNS (RFC 6762), and stub resolvers such as macOS's and systemd-resolved send .local names to mDNS instead of unicast DNS, so a real deployment should give a private zone a different suffix.
$ dig test.yokohei.local @localhost
; <<>> DiG 9.10.6 <<>> test.yokohei.local @localhost
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14888
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.yokohei.local. IN A
;; ANSWER SECTION:
test.yokohei.local. 60 IN A 10.10.10.10
;; AUTHORITY SECTION:
yokohei.local. 172800 IN NS ns-1536.awsdns-00.co.uk.
yokohei.local. 172800 IN NS ns-0.awsdns-00.com.
yokohei.local. 172800 IN NS ns-1024.awsdns-00.org.
yokohei.local. 172800 IN NS ns-512.awsdns-00.net.
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Jun 22 20:42:29 IST 2019
;; MSG SIZE rcvd: 271
Amazing... it even answers from a private hosted zone just like that...
Cache
Caching is provided by the cache plugin; its argument is the maximum TTL it will hand out.
Corefile
. {
forward . 8.8.8.8:53
cache 5
}
example.org {
file db.example.org
cache 60
}
Answers for example.org come back with the TTL capped at 60 (the zone file says 3600):
$ dig www.example.org +noall +ans @localhost
; <<>> DiG 9.10.6 <<>> www.example.org +noall +ans @localhost
;; global options: +cmd
www.example.org. 60 IN A 127.0.0.1
Everything else is capped at 5 seconds. (The cache only ever lowers a TTL; a record whose TTL is already below the cap keeps its own.)
$ dig amazon.com +noall +ans @localhost
; <<>> DiG 9.10.6 <<>> amazon.com +noall +ans @localhost
;; global options: +cmd
amazon.com. 5 IN A 205.251.242.103
amazon.com. 5 IN A 176.32.103.205
amazon.com. 5 IN A 176.32.98.166
Chaos Class
The Chaos class is also covered, by the chaos plugin. Its arguments are the version string and the authors to return for version.bind, authors.bind and the other names in the server block; whatever you put there is exactly what a scanner fingerprinting the server will see, so return something bland like this rather than the real build (with no version argument the plugin answers with the actual CoreDNS version), or leave the plugin out entirely.
Corefile
version.bind version.server authors.bind hostname.bind id.server {
chaos CoreDNS-001 info@coredns.io
}
Check with dig.
$ dig CH @localhost version.bind TXT
; <<>> DiG 9.10.6 <<>> CH @localhost version.bind TXT
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8140
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "CoreDNS-001"
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jun 21 19:55:50 IST 2019
;; MSG SIZE rcvd: 77
Zone Transfer
Corefile - primary side (172.31.10.100; the addresses below follow the logs, in which the primary is .100 and the secondary .200)
Corefile
core.yokohei.xyz {
file db.core.yokohei.xyz {
transfer to 172.31.10.200
}
log
}
Corefile - secondary side (172.31.10.200)
Corefile
core.yokohei.xyz {
secondary {
transfer from 172.31.10.100
}
log
}
log - primary side
2019-06-23T19:42:04.632Z [INFO] plugin/file: Sent notify for zone "core.yokohei.xyz." to "172.31.10.200:53"
2019-06-23T19:42:04.634Z [INFO] 172.31.10.200:60996 - 64653 "SOA IN core.yokohei.xyz. tcp 34 false 65535" NOERROR qr,aa,rd 221 0.001081551s
2019-06-23T19:42:04.635Z [INFO] plugin/file: Outgoing transfer of 7 records of zone core.yokohei.xyz. to 172.31.10.200 started
2019-06-23T19:42:04.635Z [INFO] 172.31.10.200:60998 - 44780 "AXFR IN core.yokohei.xyz. tcp 34 false 65535" NOERROR qr,aa 416 0.000151532s
log - secondary side
2019-06-23T19:42:04.632Z [INFO] plugin/file: Notify from 172.31.10.100 for core.yokohei.xyz.: checking transfer
2019-06-23T19:42:04.635Z [INFO] plugin/file: Transferred: core.yokohei.xyz. from 172.31.10.100:53
2019-06-23T19:42:04.635Z [INFO] 172.31.10.100:42965 - 3297 "SOA IN core.yokohei.xyz. udp 34 false 512" NOERROR qr,aa 34 0.004890776s
That's all it takes. So easy...
The logs show the whole cycle: the primary sends a NOTIFY, the secondary queries the SOA to compare serials and then pulls the zone with an AXFR over TCP (7 records). Two things are easy to miss: transfer to is both the NOTIFY target and the allow-list for AXFR, and that list is purely IP-based, so keep it to the real secondary (never *) and make sure only that host can reach 53/tcp on the primary. The syntax above is for the CoreDNS of the time; from 1.7 the outbound transfer to moved out of file into the separate transfer plugin, while secondary keeps transfer from.
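The three security questions this page raises along the way (does the catch-all forward block answer for names you do not serve, what does the chaos plugin hand to a version.bind scan, and who can AXFR the zone) can all be checked with a few raw DNS packets. The following is an added example, not CoreDNS code: a minimal RFC 1035 wire codec with those three checks, plus a constructed-reply builder so the parsing logic can be exercised offline. The server address, the zone name and the probe name amazon.com are assumed values; point it at your own listener.

```python
"""Probe a CoreDNS listener for the three exposures discussed on this page.

Added example, not CoreDNS code: a minimal RFC 1035 wire codec plus checks for (1) answering
queries for names you do not serve (open resolver via `forward`), (2) what `chaos` returns for
version.bind, and (3) whether AXFR of a zone is granted. The server address, zone name and the
constructed replies used for offline tests are assumptions, not observations.
"""
import random
import socket
import struct

CLASS_IN, CLASS_CH = 1, 3
TYPE_A, TYPE_SOA, TYPE_TXT, TYPE_AXFR = 1, 6, 16, 252
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, qclass=CLASS_IN, rd=True, qid=None) -> bytes:
    """One-question query; the ID is random unless fixed (tests), a predictable ID invites spoofing."""
    qid = random.getrandbits(16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def build_response(query: bytes, flags: int, records, rcode: int = 0) -> bytes:
    """Constructed reply to a build_query() message (offline testing only): echoes the question and
    owns every record with a compression pointer (0xC00C) back to the question name."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, FLAG_QR | flags | (rcode & 0xF), 1, len(records), 0, 0)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, c, ttl, len(rd)) + rd
                    for t, c, ttl, rd in records)
    return header + query[12:] + body

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a possibly-compressed name (a 2-byte pointer ends the name)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_response(msg: bytes) -> dict:
    """Header flags plus (type, class, ttl, rdata) for every record; rdata is left raw."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        records.append((rtype, rclass, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "aa": bool(flags & FLAG_AA),
            "ra": bool(flags & FLAG_RA), "answers": an, "records": records}

def txt_strings(rdata: bytes) -> list:
    """Split TXT rdata into its length-prefixed character strings."""
    out, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        out.append(rdata[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return out

def is_open_resolver(rsp: dict) -> bool:
    """A successful, non-authoritative answer for a name outside your zones: the server resolves for
    whoever can reach it, which is what a world-reachable `forward . 8.8.8.8` block does."""
    return rsp["rcode"] == "NOERROR" and rsp["answers"] > 0 and not rsp["aa"]

def axfr_allowed(rsp: dict) -> bool:
    """A granted transfer starts with the zone's SOA; anything else (REFUSED, SERVFAIL) means denied."""
    return rsp["rcode"] == "NOERROR" and bool(rsp["records"]) and rsp["records"][0][0] == TYPE_SOA

def udp_exchange(server: str, query: bytes, port: int = 53, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # assumes an IPv4 literal
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        return s.recv(4096)

def tcp_exchange(server: str, query: bytes, port: int = 53, timeout: float = 3.0) -> bytes:
    """Length-prefixed DNS over TCP; returns the first message, enough to see if AXFR was granted."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (n,) = struct.unpack("!H", s.recv(2, socket.MSG_WAITALL))
        return s.recv(n, socket.MSG_WAITALL)

if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]  # e.g. 127.0.0.1 core.yokohei.xyz (assumed values)
    r = parse_response(udp_exchange(server, build_query("amazon.com", TYPE_A)))
    print("open resolver:", is_open_resolver(r), r["rcode"])
    r = parse_response(udp_exchange(server, build_query("version.bind", TYPE_TXT, CLASS_CH)))
    print("version.bind:", [txt_strings(rd) for t, _, _, rd in r["records"] if t == TYPE_TXT])
    r = parse_response(tcp_exchange(server, build_query(zone, TYPE_AXFR, rd=False)))
    print("AXFR allowed:", axfr_allowed(r), r["rcode"])
```

Run it as `python probe.py 127.0.0.1 core.yokohei.xyz` from a host that is not in transfer to: with the Corefiles above, a listener that is reachable from the outside with a catch-all forward block should report open resolver: True, the chaos block should reveal whatever string it was given, and AXFR allowed should come back False with the rcode telling you why. Only the first TCP message is read, which is enough for the verdict because a granted transfer always opens with the SOA.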
