Hello everyone, I'm Xiaofei. This post covers the tooling used to maintain the PowerDNS server suite and a troubleshooting guide.
For installation and configuration, see # DNS从入门到放弃系列 (the "DNS from getting started to giving up" series).
Background
- Tools and techniques used in day-to-day DNS server maintenance
- Notes from day-to-day DNS server troubleshooting
Q: Why won't the forwarding (recursive) server forward an authoritative A record?
A:
Main architecture: dnsdist(53) <--> pdns-recursor(553) <--> pdns(53). dnsdist and pdns-recursor run on the same host, and pdns on a separate host. After everything was set up and configured, a dig for an authoritative A record from a client came back without an ANSWER SECTION. Testing the authoritative server and dnsdist showed both working normally, which placed the problem in the recursor. Investigation showed that pdns-recursor enables DNSSEC by default: PowerDNS Recursor 4.5.0 defaults to the process mode.
Official documentation:
https://docs.powerdns.com/recursor/dnssec.html
Troubleshooting fix:
# recursor.conf: turn DNSSEC processing off
dnssec=off
dnsdist is one of the components of the PowerDNS suite. Clients normally send their DNS queries to the port exposed by dnsdist, which load-balances them across backends. A simple basic architecture looks like this:
Two DNS server IPs are configured on the clients. The DNS client fails to resolve one specific name, dev.test.itkmi.com.
Other third-level names such as node.test.itkmi.com are fine; testing shows that only dev.test.itkmi.com resolves incorrectly. The A records for these names live on the authoritative server 172.17.10.100, the client is configured with 172.17.10.10 as its DNS server, and the record returned by drill dev.test.itkmi.com is wrong.
So the authoritative server can be ruled out by elimination, which shifts the search to the forwarder and the load balancer. Repeated tests with other names show the forwarder correctly recursing to the authoritative server, which largely rules it out too, and the problem was finally found in the load balancer.
dnsdist has a domain spoofing feature, and the configuration file happened to spoof exactly dev.test.itkmi.com, so the authoritative answer never got through. The configuration:
-- domain spoofing, syntax for dnsdist versions before 1.3
addDomainSpoof("dev.test.itkmi.com", "xxx.xxx.xxx.xxx")
-- fix: comment out the spoof rule
-- addDomainSpoof("dev.test.itkmi.com", "xxx.xxx.xxx.xxx")
The spoofing configuration shown above is written differently in dnsdist 1.3 and later:
-- domain spoofing, syntax for dnsdist 1.3 and later
addAction(AndRule({QNameRule('dev.test.itkmi.com.'), QTypeRule(DNSQType.A)}), SpoofAction("xxx.xxx.xxx.xxx"))
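When one name answers wrongly while its siblings resolve correctly, the dnsdist rule set is the first thing to audit. The Python script below is an added example, not code from the original post or from dnsdist: it scans a dnsdist Lua configuration for spoof rules in both spellings shown above, treats anything after a Lua `--` comment marker as inactive (which is how the fix above was applied), and reports which active rule would answer a given name. The configuration excerpt, the 192.0.2.x addresses and the names old.test.itkmi.com and spoofed.test.itkmi.com are constructed for the demonstration.

```python
"""Audit a dnsdist Lua configuration for spoof rules that cover a query name.

Added example, not code from the original post or from dnsdist. It recognises
the two spellings shown in the post (addDomainSpoof before dnsdist 1.3;
addAction + QNameRule + SpoofAction from 1.3 on), treats anything after a
Lua "--" comment marker as inactive, and reports which active rule would
answer a given name. The configuration excerpt below is constructed.
"""
import re

# Pre-1.3 syntax:  addDomainSpoof("name", "ip")
OLD_SPOOF = re.compile(r'addDomainSpoof\(\s*["\']([^"\']+)["\']\s*,\s*["\']([^"\']+)["\']')
# 1.3+ syntax: QNameRule('name.') and SpoofAction("ip") on the same addAction line
NEW_QNAME = re.compile(r'QNameRule\(\s*["\']([^"\']+)["\']')
NEW_SPOOF = re.compile(r'SpoofAction\(\s*["\']([^"\']+)["\']')

SAMPLE_CONFIG = """
-- constructed dnsdist.conf excerpt (not taken from the post)
setLocal("0.0.0.0:53")
newServer({address="127.0.0.1:553"})
-- addDomainSpoof("dev.test.itkmi.com", "192.0.2.10")   -- commented out after the fix
addDomainSpoof("old.test.itkmi.com", "192.0.2.11")
addAction(AndRule({QNameRule('spoofed.test.itkmi.com.'), QTypeRule(DNSQType.A)}), SpoofAction("192.0.2.12"))
"""


def canonical(name):
    """Lower-case the name and add the trailing dot, so both spellings compare equal."""
    name = name.strip().lower()
    return name if name.endswith('.') else name + '.'


def active_code(line):
    """Strip a Lua line comment ('--' to end of line). Simplification: no '--' inside string literals."""
    return line.split('--', 1)[0]


def spoof_rules(config_text):
    """Return (lineno, qname, spoofed_ip, syntax) for every spoof rule that is not commented out."""
    rules = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        code = active_code(raw)
        m = OLD_SPOOF.search(code)
        if m:
            rules.append((lineno, canonical(m.group(1)), m.group(2), 'addDomainSpoof'))
            continue
        q, s = NEW_QNAME.search(code), NEW_SPOOF.search(code)
        if q and s:
            rules.append((lineno, canonical(q.group(1)), s.group(1), 'SpoofAction'))
    return rules


def rules_for(config_text, qname):
    """Active spoof rules whose name matches qname exactly (suffix-style rules are not modelled)."""
    target = canonical(qname)
    return [r for r in spoof_rules(config_text) if r[1] == target]


if __name__ == '__main__':
    for name in ('dev.test.itkmi.com', 'old.test.itkmi.com', 'spoofed.test.itkmi.com'):
        hits = rules_for(SAMPLE_CONFIG, name)
        print(name, '->', hits if hits else 'no active spoof rule; check the forwarder and authoritative path')
```

A hit means the address the client sees comes from dnsdist, not from the authoritative server; no hit for a name that still resolves wrongly means the cause lies further back in the chain. Only exact-name rules are modelled here, so other dnsdist rule types that match more broadly would need their own patterns.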
The architecture is as follows:
The diagram above shows the final, correct architecture. The client-side resolution confusion came about like this: server 192.168.109.32 had been set up as a slave for itkmi.com rather than as a forwarder. Because it had copied the production itkmi.com master/slave configuration, 192.168.109.32 treated 172.20.64.239 and 172.20.65.239 as masters for itkmi.com and replicated the zone from them, while that server and 172.20.65.239 also maintained a separate set of wildcard records for itkmi.com. As a result, offline clients resolving the same name got one IP one moment and a different IP the next.
Solution: on 192.168.109.32, edit the configuration file and change the itkmi.com zone from type slave to forwarding:
zone "itkmi.com" {
#type slave;
#masterfile-format text;
#masters { 172.20.64.239;172.20.65.239; };
#file "zone/itkmi.com.zone";
type forward;
forwarders { 172.20.64.239; };
};
PowerDNS's recursive or forwarding server, the PowerDNS Recursor, holds cached data whether it runs as a forwarder or as a full recursor, and for the administrator doing day-to-day DNS maintenance, clearing that cache is a routine task.
Need: manage the cache on a forwarding or recursive server. The recursor caches records according to their TTL; to clear entries quickly, run:
# wipe the cache for www.example.com
rec_control wipe-cache www.example.com
# to wipe every record under a name as well, e.g. the subdomains of example.com, append $ to the name
rec_control wipe-cache example.com$
Need: when debugging a particular record and inspecting what is in the DNS cache, dump the cache to a file that can be searched:
# dump the DNS cache to a file
rec_control dump-cache /tmp/cache
Need: a name sometimes fails to resolve; to find out why, trace the resolution of queries for it:
# enable tracing for any query within the example.com domain, but not for example.com itself
rec_control trace-regex '.*\.example.com\.$'
Kernel tuning to improve the performance of a PowerDNS forwarder:
# kernel tuning parameters: raise the open-file, process and memlock limits
echo "root soft nofile 65535" >> /etc/security/limits.conf
echo "root hard nofile 65535" >> /etc/security/limits.conf
echo "root soft nproc 65535" >> /etc/security/limits.conf
echo "root hard nproc 65535" >> /etc/security/limits.conf
echo "root soft memlock unlimited" >> /etc/security/limits.conf
echo "root hard memlock unlimited" >> /etc/security/limits.conf
echo "* soft nofile 65535" >> /etc/security/limits.conf
echo "* hard nofile 65535" >> /etc/security/limits.conf
echo "* soft nproc 65535" >> /etc/security/limits.conf
echo "* hard nproc 65535" >> /etc/security/limits.conf
echo "* soft memlock unlimited" >> /etc/security/limits.conf
echo "* hard memlock unlimited" >> /etc/security/limits.conf
cp /etc/sysctl.conf /etc/sysctl.conf.bak
cat > /etc/sysctl.conf << EOF
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.all.dad_transmits = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.all.max_addresses = 1
net.ipv6.conf.default.max_addresses = 1
kernel.panic_on_oops = 1
kernel.panic = 10
vm.overcommit_memory = 1
net.core.somaxconn= 65535
fs.file-max= 1048576
fs.nr_open = 10000000
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# net.ipv4.tcp_tw_recycle was removed in Linux 4.12; sysctl -p rejects this key on newer kernels
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 35000 65000
EOF
# load the new values into the running kernel
sysctl -p
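After overwriting /etc/sysctl.conf and loading it, it is worth confirming which values the running kernel actually accepted, because some keys in recipes like this one no longer exist (net.ipv4.tcp_tw_recycle was removed in Linux 4.12 and is rejected on later kernels). The Python script below is an added example, not part of the original post: parse_sysctl() reads "key = value" text, the shape of both /etc/sysctl.conf and the output of `sysctl -a`, normalising the whitespace that differs between the two, and sysctl_drift() reports keys whose live value differs from the desired one and keys the kernel does not have at all. The desired lines are taken from the configuration above; the "live" values are constructed for the demonstration.

```python
"""Check which of the tuned sysctl settings are actually in effect on the host.

Added example, not part of the original post. parse_sysctl() reads "key = value"
text, which is the shape of both /etc/sysctl.conf and the output of `sysctl -a`,
normalising the whitespace that differs between the two (`sysctl -a` separates
multi-value settings with tabs). sysctl_drift() reports keys whose live value
differs from the desired one and keys the kernel does not have at all. The
"live" values below are constructed for the demonstration.
"""

# Keys that still circulate in tuning recipes but that recent kernels removed;
# net.ipv4.tcp_tw_recycle was dropped in Linux 4.12.
REMOVED_KEYS = {'net.ipv4.tcp_tw_recycle': 'removed in Linux 4.12'}

# Desired values: a few lines taken from the sysctl.conf above (note the uneven spacing).
DESIRED = """
net.core.somaxconn= 65535
fs.file-max= 1048576
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
"""

# Constructed stand-in for `sysctl -a` output on the host being checked.
LIVE = """
net.core.somaxconn = 4096
fs.file-max = 1048576
net.ipv4.tcp_rmem = 10240\t87380\t12582912
net.ipv4.tcp_syncookies = 1
"""


def parse_sysctl(text):
    """Return {key: value} from 'key = value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or '=' not in line:
            continue
        key, value = line.split('=', 1)
        # collapse runs of spaces/tabs so '10240 87380' and a tab-separated form compare equal
        settings[key.strip()] = ' '.join(value.split())
    return settings


def sysctl_drift(desired_text, live_text):
    """Return (mismatches, missing): {key: (wanted, live)} and {key: reason}."""
    desired, live = parse_sysctl(desired_text), parse_sysctl(live_text)
    mismatches, missing = {}, {}
    for key, wanted in desired.items():
        if key not in live:
            missing[key] = REMOVED_KEYS.get(key, 'not present on this kernel')
        elif live[key] != wanted:
            mismatches[key] = (wanted, live[key])
    return mismatches, missing


if __name__ == '__main__':
    # On a real host, replace LIVE with the captured text of `sysctl -a`.
    mismatches, missing = sysctl_drift(DESIRED, LIVE)
    for key, (wanted, live) in mismatches.items():
        print(f'{key}: wanted {wanted}, live {live}')
    for key, reason in missing.items():
        print(f'{key}: {reason}')
```

Feeding it the full heredoc above as DESIRED and the real `sysctl -a` output as LIVE gives a quick picture of which of the tuning values took effect and which keys the kernel silently lacks.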
Managing the authoritative server is the most common day-to-day work, and the PowerDNS Authoritative Server ships a command-line tool for basic management: pdns_control
# purge the entire cache
pdns_control purge
# purge all records for a name and its subdomains, e.g. those under example.com: append $ to the name
pdns_control purge example.com$
# quit (shut down the server)
pdns_control quit
# show the version
pdns_control version
For more, see the command help: pdns_control --help
All of the above covers tools and troubleshooting on the DNS server side. Next, a tool that matches dig but is more powerful: drill.
drill in detail
drill is a tool for getting all sorts of information out of the DNS. It is designed specifically for DNS(SEC), retrieves more information than dig and is very capable.
It comes from NLnet Labs, which also maintains a suite of DNS software: NSD, Unbound and ldns. drill is one of the tools in ldns.
Installation:
# Ubuntu
apt-get install ldnsutils
# CentOS
yum install ldns
# macOS
brew install ldns
Command syntax:
# command syntax
drill [ OPTIONS ] name [ @server ] [ type ] [ class ]
The options and query options are not expanded here; see the man page or --help.
drill examples:
Look up the IP address (A record) associated with a hostname:
$ drill hexun.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 62704
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; hexun.com. IN A
;; ANSWER SECTION:
hexun.com. 120 IN A 113.31.31.217
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 10 msec
;; SERVER: 8.8.4.4
;; WHEN: Tue Jan 3 14:07:52 2023
;; MSG SIZE rcvd: 43
Look up the mail servers (MX records) for a domain:
$ drill mx mail.hexun.com
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 27230
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; mail.hexun.com. IN MX
;; ANSWER SECTION:
;; AUTHORITY SECTION:
hexun.com. 180 IN SOA ns3.dnsv4.com. enterprise2dnsadmin.dnspod.com. 1671699993 3600 180 1209600 180
;; ADDITIONAL SECTION:
;; Query time: 12 msec
;; SERVER: 8.8.4.4
;; WHEN: Tue Jan 3 14:19:23 2023
;; MSG SIZE rcvd: 105
Fetch all record types for a domain:
$ drill any staff.hexun.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61229
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; staff.hexun.com. IN ANY
;; ANSWER SECTION:
staff.hexun.com. 600 IN A 60.28.250.158
staff.hexun.com. 120 IN MX 10 mxbiz2.qq.com.
staff.hexun.com. 120 IN MX 5 mxbiz1.qq.com.
staff.hexun.com. 120 IN TXT "v=spf1 include:spf.mail.qq.com ~all"
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 10 msec
;; SERVER: 8.8.8.8
;; WHEN: Tue Jan 3 14:21:14 2023
;; MSG SIZE rcvd: 146
Query a specific public DNS server:
$ drill hostname.com @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 20589
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; hostname.com. IN A
;; ANSWER SECTION:
hostname.com. 900 IN A 194.42.98.134
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 1 msec
;; SERVER: 8.8.8.8
;; WHEN: Tue Jan 3 14:22:50 2023
;; MSG SIZE rcvd: 46
Do a reverse DNS lookup (PTR record) on an IP address:
$ drill -x 8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 54572
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 8.8.8.8.in-addr.arpa. IN PTR
;; ANSWER SECTION:
8.8.8.8.in-addr.arpa. 4758 IN PTR dns.google.
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 8.8.8.8
;; WHEN: Tue Jan 3 14:25:17 2023
;; MSG SIZE rcvd: 62
Run a DNSSEC trace from the root servers down to the domain (slow):
$ drill -TD hexun.com
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 256 3 8 ;{id = 26116 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1MY5/XkZAT7mt4cb3fWcN9xgyq1wEXQXzdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewDBvSnmnNHNmH2FjUE8= ;{id = 26116 (zsk), size = 2048b}
[S] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
;; Signature ok but no chain to a trusted key or ds record
[S] com. 86400 IN DNSKEY 256 3 8 ;{id = 24966 (zsk), size = 1280b}
com. 86400 IN DNSKEY 256 3 8 ;{id = 31510 (zsk), size = 1280b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[S] Existence denied: hexun.com. DS
;; No ds record for delegation
;; Domain: hexun.com.
;; No DNSKEY record found for hexun.com.
[U] hexun.com. 120 IN A 42.81.124.69
;;[S] self sig OK; [B] bogus; [T] trusted
Show a domain's DNSKEY records:
$ drill -s dnskey hexun.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 22516
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; hexun.com. IN DNSKEY
;; ANSWER SECTION:
;; AUTHORITY SECTION:
hexun.com. 180 IN SOA ns3.dnsv4.com. enterprise2dnsadmin.dnspod.com. 1671699993 3600 180 1209600 180
;; ADDITIONAL SECTION:
;; Query time: 11 msec
;; SERVER: 8.8.8.8
;; WHEN: Tue Jan 3 14:30:50 2023
;; MSG SIZE rcvd: 100
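The drill outputs above are plain text, and two of the problems described earlier, the itkmi.com slave that handed out different addresses than the masters and the spoofed dev.test.itkmi.com, come down to the same check: ask several servers for the same name and compare the ANSWER sections. The Python script below is an added example, not code from the original post or from ldns. parse_drill() turns drill's output (header, flags, the ANSWER/AUTHORITY/ADDITIONAL sections and the SERVER line) into a dictionary, and compare_resolvers() reports whether the A answers agree across resolvers. The two drill outputs embedded in it are constructed, reusing the 192.168.109.32 and 172.20.64.239 addresses from the architecture above together with 192.0.2.x documentation addresses; the name app.itkmi.com is likewise made up.

```python
"""Parse drill output and compare the answers several resolvers give for one name.

Added example, not code from the original post or from ldns. parse_drill() reads
the text drill prints into a dictionary; compare_resolvers() then checks whether
the A answers agree across resolvers, the test for the itkmi.com mix-up where two
servers handed out different addresses. Both drill outputs below are constructed.
"""
import re

HEADER_RE = re.compile(r'^;; ->>HEADER<<- opcode: ([^,]+), rcode: ([^,]+), id: (\d+)')
FLAGS_RE = re.compile(r'^;; flags: ([^;]*);')
SECTION_RE = re.compile(r'^;; (\w+) SECTION:')
SERVER_RE = re.compile(r'^;; SERVER: (\S+)')

# Constructed: what the slave copy on 192.168.109.32 answered for a wildcard name.
OUT_SLAVE = """;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1001
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; app.itkmi.com.\tIN\tA
;; ANSWER SECTION:
app.itkmi.com.\t300\tIN\tA\t192.0.2.10
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 1 msec
;; SERVER: 192.168.109.32
;; MSG SIZE  rcvd: 47
"""

# Constructed: the master on 172.20.64.239 answering the same name differently.
OUT_MASTER = OUT_SLAVE.replace('id: 1001', 'id: 1002') \
    .replace('192.0.2.10', '192.0.2.20') \
    .replace('192.168.109.32', '172.20.64.239')


def parse_drill(text):
    """Return {'rcode', 'flags', 'server', 'answer', 'authority', 'additional'}.

    Records are (owner, ttl, class, type, rdata) tuples; rdata keeps the rest of
    the line, so multi-field types such as SOA and MX survive intact.
    """
    result = {'rcode': None, 'flags': [], 'server': None,
              'answer': [], 'authority': [], 'additional': []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            result['rcode'] = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            result['flags'] = m.group(1).split()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = SERVER_RE.match(line)
        if m:
            result['server'] = m.group(1)
            continue
        if line.startswith(';'):
            continue  # question line, timing, size and other commentary
        if section in ('answer', 'authority', 'additional'):
            parts = line.split(None, 4)
            if len(parts) == 5:
                owner, ttl, cls, rtype, rdata = parts
                result[section].append((owner.lower(), int(ttl), cls, rtype, rdata))
    return result


def answers(parsed, rtype='A'):
    """Set of rdata values of one type in the ANSWER section."""
    return {rdata for (_, _, _, t, rdata) in parsed['answer'] if t == rtype}


def compare_resolvers(outputs, rtype='A'):
    """outputs maps a label to drill text; returns (all_agree, {label: set_of_rdata})."""
    per_server = {label: answers(parse_drill(text), rtype) for label, text in outputs.items()}
    return len({frozenset(v) for v in per_server.values()}) <= 1, per_server


if __name__ == '__main__':
    agree, per_server = compare_resolvers({'slave': OUT_SLAVE, 'master': OUT_MASTER})
    print('answers agree:', agree)
    for label, rdata in per_server.items():
        print(f'  {label}: {sorted(rdata)}')
```

In practice, capture `drill name @server` for each server into the dictionary passed to compare_resolvers(); a False result together with the per-server sets shows which server is the odd one out, which in the case above was the slave that should have been a forwarder.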
drill has more advanced uses that you can explore on your own; you are also welcome to join the group to discuss them.