[ci skip] Replace specific CoreDNS catch-all blocks with generic template regex
Single template regex in the viktorbarzin.lan block catches ALL search domain expansion junk (*.com.viktorbarzin.lan, *.cluster.local.viktorbarzin.lan, etc.) instead of needing separate server blocks per pattern. Legitimate single-label queries (idrac.viktorbarzin.lan) fall through to Technitium.
parent
f06b3ac0e4
commit
530986e3c6
1 changed files with 10 additions and 22 deletions
|
|
@ -20,10 +20,11 @@ module "tls_secret" {
|
||||||
|
|
||||||
# CoreDNS Corefile - manages cluster DNS resolution
|
# CoreDNS Corefile - manages cluster DNS resolution
|
||||||
# The viktorbarzin.lan block forwards to Technitium via LoadBalancer.
|
# The viktorbarzin.lan block forwards to Technitium via LoadBalancer.
|
||||||
# The cluster.local.viktorbarzin.lan and viktorbarzin.lan.viktorbarzin.lan blocks
|
# A template regex in the viktorbarzin.lan block short-circuits junk queries
|
||||||
# short-circuit junk queries caused by ndots:5 search domain expansion
|
# caused by ndots:5 search domain expansion (e.g. www.cloudflare.com.viktorbarzin.lan,
|
||||||
# (e.g. redis.redis.svc.cluster.local.viktorbarzin.lan, idrac.viktorbarzin.lan.viktorbarzin.lan)
|
# redis.redis.svc.cluster.local.viktorbarzin.lan) by returning NXDOMAIN for any
|
||||||
# which would otherwise flood Technitium with NxDomain queries.
|
# query with 2+ labels before .viktorbarzin.lan. Legitimate single-label queries
|
||||||
|
# (e.g. idrac.viktorbarzin.lan) fall through to Technitium.
|
||||||
resource "kubernetes_config_map" "coredns" {
|
resource "kubernetes_config_map" "coredns" {
|
||||||
metadata {
|
metadata {
|
||||||
name = "coredns"
|
name = "coredns"
|
||||||
|
|
@ -56,27 +57,14 @@ resource "kubernetes_config_map" "coredns" {
|
||||||
reload
|
reload
|
||||||
loadbalance
|
loadbalance
|
||||||
}
|
}
|
||||||
cluster.local.viktorbarzin.lan:53 {
|
|
||||||
errors
|
|
||||||
template ANY ANY {
|
|
||||||
rcode NXDOMAIN
|
|
||||||
}
|
|
||||||
cache {
|
|
||||||
denial 10000 3600
|
|
||||||
}
|
|
||||||
}
|
|
||||||
viktorbarzin.lan.viktorbarzin.lan:53 {
|
|
||||||
errors
|
|
||||||
template ANY ANY {
|
|
||||||
rcode NXDOMAIN
|
|
||||||
}
|
|
||||||
cache {
|
|
||||||
denial 10000 3600
|
|
||||||
}
|
|
||||||
}
|
|
||||||
viktorbarzin.lan:53 {
|
viktorbarzin.lan:53 {
|
||||||
#log
|
#log
|
||||||
errors
|
errors
|
||||||
|
template ANY ANY viktorbarzin.lan {
|
||||||
|
match ".*\..*\.viktorbarzin\.lan\.$"
|
||||||
|
rcode NXDOMAIN
|
||||||
|
fallthrough
|
||||||
|
}
|
||||||
forward . 10.0.20.204 # Technitium LoadBalancer
|
forward . 10.0.20.204 # Technitium LoadBalancer
|
||||||
cache {
|
cache {
|
||||||
success 10000 300 6
|
success 10000 300 6
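Review bot: The `match ".*\..*\.viktorbarzin\.lan\.$"` line in the second hunk answers NXDOMAIN for every name with two or more labels under viktorbarzin.lan, not only search-suffix junk, so any real multi-label record held in Technitium (a host in a subzone, or an underscore service name used for SRV discovery) stops resolving for cluster clients. If no such names exist today, the header comment in the first hunk should state that as a constraint, e.g. `# NOTE: Technitium must not serve names deeper than one label under viktorbarzin.lan; CoreDNS answers NXDOMAIN for them.` The template also returns NXDOMAIN with no SOA in the authority section, so clients get no RFC 2308 negative TTL; an `authority` line carrying an SOA record inside the template block would let them cache the denial. The commit drops both `denial 10000 3600` entries along with the removed server blocks, and the rest of the remaining `cache` block lies outside the hunk, so it is worth confirming that it still sets a denial cache.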
|