大家好,见字如面,我是小斐,本篇主要介绍维护Powerdns服务器套件工具和排错指北。
关于安装和配置请看 # DNS从入门到放弃系列
背景说明
- DNS服务器日常维护用到的工具和技巧
- DNS服务器日常问题排错记录
服务器排错记录
Q:转发(递归)服务器无法转发权威A记录?
A:
主要架构:dnsdist(53) <–> pdns-recursor(553) <–> pdns(53),其中dnsdist和pdns-recursor搭建在同一台服务器中,pdns单独一台服务器,在搭建配置好后,在客户端dig 权威A记录,没有ANSWER SECTION,测试权威服务器和dnsdist发现都是正常,那么定位到递归服务器中,经过研究,pdns-recursor默认开启DNSSEC设置,PowerDNS Recursor 4.5.0 默认模式 process。
官方说明:
https://link.zhihu.com/?target=https://docs.powerdns.com/recursor/dnssec.html
排错修复:
# 关闭DNSSECdnssec=off
dnsdist域名欺骗
dnsdist作为PowerDNS的服务套件之一,客户端侧通常使用dnsdist服务的暴露端口进行DNS负载查询,简单基础架构如下:
客户端上设置两个DNS服务IP,DNS客户端出现解析某个特定域名出错的问题,如域名 dev.test.itkmi.com。
其他三级子域名没有问题,如:node.test.itkmi.com,测试下来仅仅是 dev.test.itkmi.com 的域名解析出错,这些域名的A记录RR在 172.17.10.100 权威服务器上,客户端中设置 172.17.10.10的DNS服务IP,使用工具 drill dev.test.itkmi.com 的域名解析记录就是错误。
故在此可以使用排除法,排除掉权威域名服务器的问题,那我把问题点就转移到转发服务器和负载均衡器上找问题,而通过其他域名的反复测试,发现转发服务器正常把域名递归转发到权威域名服务器中,基本上可以排除转发服务器问题,最后在负载均衡器中找到问题。
dnsdist中有个域名欺骗的功能,而在配置文件中,刚好就把 dev.test.itkmi.com的域名进行域名欺骗,导致权威解析无法生效,如下配置:
-- 域名欺骗 dnsdist 1.3版本之前写法addDomainSpoof("dev.test.itkmi.com", "xxx.xxx.xxx.xxx")-- 修复 注释域名欺骗-- addDomainSpoof("dev.test.itkmi.com", "xxx.xxx.xxx.xxx")
上面所示域名欺骗服务,配置文件写法在新的版本中 dnsdist 1.3之后版本进行的修改:
-- 域名欺骗 dnsdist 1.3版本之后写法addAction(AndRule({QNameRule('dev.test.itkmi.com.'), QTypeRule(DNSQType.A)}), SpoofAction("xxx.xxx.xxx.xxx"))
bind 转发和主从引起的解析混乱问题
架构如下:
上图架构是最终正确的架构,引起客户端解析混乱的问题如下:当服务器192.168.109.32是itkmi.com的从服务器时,而不是转发服务器时,由于同步了线上itkmi.com的主从服务器配置,而导致itkmi.com的192.168.109.32把172.20.64.239盒172.20.65.239作为master,进行主从同步,而服务器和172.20.65.239又另外维护一套itkmi.com泛域名解析记录,导致线下客户端进行同一个域名解析会时而这个IP,时而另外一个IP记录,解析混乱。
解决办法:在192.168.109.32服务器上,修改配置文件,把itkmi.com的 type salve修改为转发即可。
zone "itkmi.com" { #type slave; #masterfile-format text; #masters { 172.20.64.239;172.20.65.239; }; #file "zone/itkmi.com.zone"; type forward; forwarders { 172.20.64.239; };};
转发服务器不停机清理缓存
PowerDNS的递归或转发服务器,也就是PowerDNS Recursor,转发服务器或递归服务器,或多或少都会带有缓存信息,而做为日常维护DNS服务器管理员来看,清理缓存就是时常需要做的。
需求:对转发或递归服务器做缓存管理,递归器一般都是根据TTL值进行缓存的,如需快速清理,可执行下面命令:
# 清除 www.example.com 域名缓存rec_control wipe-cache www.example.com# 如果需要清除相关域名的所有记录,如某些子域 example.com的子域,在名称后面加上 $ rec_control wipe-cache example.com$
需求:当需要对某个域名记录做调试,检查DNS缓存记录,我们可以把某个缓存记录转存到某个文件中进行检索
# DNS缓存记录转存rec_control dump-cache /tmp/cache
需求:有时候域名会解析失败,为了查找原因,需要跟踪域名解析,启动跟踪查询
# 将为example.com 域中的任何查询启用跟踪,但是不对example.com启动跟踪rec_control trace-regex '.*.example.com.$'
PowerDNS转发服务器内核优化
内核优化,提高PowerDNS的转发服务器性能:
# 内核优化参数echo "root soft nofile 65535" >> /etc/security/limits.confecho "root hard nofile 65535" >> /etc/security/limits.confecho "root soft nproc 65535" >> /etc/security/limits.confecho "root hard nproc 65535" >> /etc/security/limits.confecho "root soft memlock unlimited" >> /etc/security/limits.confecho "root hard memlock unlimited" >> /etc/security/limits.confecho "* soft nofile 65535" >> /etc/security/limits.confecho "* hard nofile 65535" >> /etc/security/limits.confecho "* soft nproc 65535" >> /etc/security/limits.confecho "* hard nproc 65535" >> /etc/security/limits.confecho "* soft memlock unlimited" >> /etc/security/limits.confecho "* hard memlock unlimited" >> /etc/security/limits.confcp /etc/sysctl.conf /etc/sysctl.conf.bakcat > /etc/sysctl.conf << EOFnet.ipv4.conf.default.accept_redirects = 0net.ipv4.conf.all.send_redirects = 0net.ipv4.conf.default.send_redirects = 0net.ipv4.conf.all.secure_redirects = 0net.ipv4.conf.default.secure_redirects = 0net.ipv4.conf.all.log_martians = 1net.ipv4.conf.default.log_martians = 1net.ipv4.ip_forward = 1net.ipv6.conf.all.accept_redirects = 0net.ipv6.conf.default.accept_redirects = 0net.ipv6.conf.all.router_solicitations = 0net.ipv6.conf.default.router_solicitations = 0net.ipv6.conf.all.dad_transmits = 0net.ipv6.conf.default.dad_transmits = 0net.ipv6.conf.all.max_addresses = 1net.ipv6.conf.default.max_addresses = 1kernel.panic_on_oops = 1kernel.panic = 10vm.overcommit_memory = 1net.core.somaxconn= 65535fs.file-max= 1048576fs.nr_open = 10000000net.ipv4.conf.default.rp_filter = 1net.ipv4.conf.default.accept_source_route = 0kernel.sysrq = 0kernel.core_uses_pid = 1net.ipv4.tcp_syncookies = 1kernel.msgmnb = 65536kernel.msgmax = 65536kernel.shmmax = 68719476736kernel.shmall = 4294967296net.ipv4.tcp_max_tw_buckets = 6000net.ipv4.tcp_sack = 1net.ipv4.tcp_window_scaling = 1net.ipv4.tcp_rmem = 10240 87380 12582912net.ipv4.tcp_wmem = 10240 87380 12582912net.core.wmem_default = 8388608net.core.rmem_default = 8388608net.core.rmem_max = 16777216net.core.wmem_max = 16777216net.core.netdev_max_backlog = 262144net.ipv4.tcp_max_orphans = 3276800net.ipv4.tcp_max_syn_backlog = 262144net.ipv4.tcp_timestamps = 0net.ipv4.tcp_synack_retries = 1net.ipv4.tcp_syn_retries = 1net.ipv4.tcp_tw_recycle = 1net.ipv4.tcp_tw_reuse = 1net.ipv4.tcp_mem = 94500000 915000000 927000000net.ipv4.tcp_fin_timeout = 1net.ipv4.tcp_keepalive_time = 30net.ipv4.ip_local_port_range = 35000 65000EOF
权威服务器管理工具
日常对权威服务器管理是最普遍的,而PowerDNS权威服务器也提供了一套命令行工具对权威服务器做基础管理 — pdns_control
# 清除全部缓存pdns_control purge# 清除相关域名的所有记录,如 example.com 的子域,在名称后面加上 $ pdns_control purge example.com$# 退出pdns_control quit# 查看版本pdns_control version
更多详情请直接查看命令帮助 pdns_control –help
上面都是在说明DNS服务器侧的相关工具和排错方法,下面介绍下匹配dig但比dig更强大的工具,drill命令。
drill命令详解
drill 是一种用于从 DNS 中获取各种信息的工具;它专门设计用于 DNS (SEC),比dig获取信息更多,功能强大。
由NLnet Labs提供,该实验室还维护一套DNS服务套件,如:NDS、UNBOUND、LDNS。其中drill就是LDNS中的一个工具。
安装说明:
#Ubuntuapt-get install ldnsutils#CentOSyum install ldns#mac OSbrew install ldns
命令语法:
# 命令语法drill [ OPTIONS ] name [ @server ] [ type ] [ class ]
命令选项和命令查询选项就不展开,可直接man查看或者help。
drill命令示例:
drill 查找与主机名关联的 IP(A 记录):
$ drill hexun.com;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 62704;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION:;; hexun.com. IN A;; ANSWER SECTION:hexun.com. 120 IN A 113.31.31.217;; AUTHORITY SECTION:;; ADDITIONAL SECTION:;; Query time: 10 msec;; SERVER: 8.8.4.4;; WHEN: Tue Jan 3 14:07:52 2023;; MSG SIZE rcvd: 43
drill 查找与给定域名(MX 记录)关联的邮件服务器:
$ drill mx mail.hexun.com;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 27230;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION:;; mail.hexun.com. IN MX;; ANSWER SECTION:;; AUTHORITY SECTION:hexun.com. 180 IN SOA ns3.dnsv4.com. enterprise2dnsadmin.dnspod.com. 1671699993 3600 180 1209600 180;; ADDITIONAL SECTION:;; Query time: 12 msec;; SERVER: 8.8.4.4;; WHEN: Tue Jan 3 14:19:23 2023;; MSG SIZE rcvd: 105
drill 获取给定域名的所有类型的记录:
$ drill any staff.hexun.com;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 27230;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION:;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61229;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION:;; staff.hexun.com. IN ANY;; ANSWER SECTION:staff.hexun.com. 600 IN A 60.28.250.158staff.hexun.com. 120 IN MX 10 mxbiz2.qq.com.staff.hexun.com. 120 IN MX 5 mxbiz1.qq.com.staff.hexun.com. 120 IN TXT "v=spf1 include:spf.mail.qq.com ~all";; AUTHORITY SECTION:;; ADDITIONAL SECTION:;; Query time: 10 msec;; SERVER: 8.8.8.8;; WHEN: Tue Jan 3 14:21:14 2023;; MSG SIZE rcvd: 146
drill 指定某个公共 DNS 服务器进行查询:
$ drill hostname.com @8.8.8.8;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 20589;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION:;; hostname.com. IN A;; ANSWER SECTION:hostname.com. 900 IN A 194.42.98.134;; AUTHORITY SECTION:;; ADDITIONAL SECTION:;; Query time: 1 msec;; SERVER: 8.8.8.8;; WHEN: Tue Jan 3 14:22:50 2023;; MSG SIZE rcvd: 46
drill 在IP地址(PTR 记录)上执行反向 DNS 查找:
$ drill -x 8.8.8.8;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 54572;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION:;; 8.8.8.8.in-addr.arpa. IN PTR;; ANSWER SECTION:8.8.8.8.in-addr.arpa. 4758 IN PTR dns.google.;; AUTHORITY SECTION:;; ADDITIONAL SECTION:;; Query time: 0 msec;; SERVER: 8.8.8.8;; WHEN: Tue Jan 3 14:25:17 2023;; MSG SIZE rcvd: 62
drill 从根服务器到域名执行 DNSSEC 跟踪:比较慢
$ drill -TD hexun.comWarning: No trusted keys were given. Will not be able to verify authenticity!;; Domain: .;; Signature ok but no chain to a trusted key or ds record[S] . 172800 IN DNSKEY 256 3 8 ;{id = 26116 (zsk), size = 2048b}. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}Checking if signing key is trusted:New key: . 172800 IN DNSKEY 256 3 8 AwEAAfC/6HLClwss6h7rPfoG2cliv4/SPJRd2HPEglRsvKZRbPP2RLfiobeAkczcdqaD5q8loEt14lcTgDqwzOISZ3YvSVkM4JRMFwKzcjukKo5CsDVbMmhTD0C0yxWICRQ1M Y5/XkZAT7mt4cb3fWcN9xgyq1wEXQX zdLQHrNEVQSiL5SoA5cOtCSoQ45n8bKDXdw/0jjP9Rw1FVKsdzLVkQSrVMm8k30WUkHm/SK/n/954KENkdQOA6Li2vO9nicQdegyAkDeNJCdPN/p3jEhCTQLyO4AlAmyaPcDHeeo7OXr/VsYu4NTDde9hBuS0zx/rewD BvSnmnNHNmH2FjUE8= ;{id = 26116 (zsk), size = 2048b}[S] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766 ;; Domain: com.;; Signature ok but no chain to a trusted key or ds record[S] com. 86400 IN DNSKEY 256 3 8 ;{id = 24966 (zsk), size = 1280b}com. 86400 IN DNSKEY 256 3 8 ;{id = 31510 (zsk), size = 1280b}com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}[S] Existence denied: hexun.com. DS;; No ds record for delegation;; Domain: hexun.com.;; No DNSKEY record found for hexun.com.[U] hexun.com. 120 IN A 42.81.124.69;;[S] self sig OK; [B] bogus; [T] trusted
drill 显示域名的 DNSKEY 记录:
$ drill -s dnskey hexun.com;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 22516;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION:;; hexun.com. IN DNSKEY;; ANSWER SECTION:;; AUTHORITY SECTION:hexun.com. 180 IN SOA ns3.dnsv4.com. enterprise2dnsadmin.dnspod.com. 1671699993 3600 180 1209600 180;; ADDITIONAL SECTION:;; Query time: 11 msec;; SERVER: 8.8.8.8;; WHEN: Tue Jan 3 14:30:50 2023;; MSG SIZE rcvd: 100
drill工具还有更多高级应用,可自行摸索,也可加入群进行沟通交流。
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。