[ci skip] Manage CoreDNS Corefile in Terraform and block junk NxDomain queries
Add kubernetes_config_map for CoreDNS to the technitium module, with a template block for cluster.local.viktorbarzin.lan that returns NXDOMAIN immediately. This prevents ndots:5 search domain expansion from flooding Technitium with ~66k/day junk queries (e.g. redis.redis.svc.cluster.local.viktorbarzin.lan). Also enabled saveCache on Technitium so the DNS cache persists across pod restarts.
This commit is contained in:
parent
2db6e96115
commit
c0a18c9c57
1 changed files with 59 additions and 0 deletions
|
|
@ -18,6 +18,65 @@ module "tls_secret" {
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# CoreDNS Corefile - manages cluster DNS resolution
|
||||||
|
# The viktorbarzin.lan block forwards to Technitium via NodePort.
|
||||||
|
# The cluster.local.viktorbarzin.lan block short-circuits junk queries caused by
|
||||||
|
# ndots:5 search domain expansion (e.g. redis.redis.svc.cluster.local.viktorbarzin.lan)
|
||||||
|
# which would otherwise flood Technitium with NxDomain queries.
|
||||||
|
resource "kubernetes_config_map" "coredns" {
|
||||||
|
metadata {
|
||||||
|
name = "coredns"
|
||||||
|
namespace = "kube-system"
|
||||||
|
}
|
||||||
|
|
||||||
|
data = {
|
||||||
|
Corefile = <<-EOF
|
||||||
|
.:53 {
|
||||||
|
#log
|
||||||
|
errors
|
||||||
|
health {
|
||||||
|
lameduck 5s
|
||||||
|
}
|
||||||
|
ready
|
||||||
|
kubernetes cluster.local in-addr.arpa ip6.arpa {
|
||||||
|
pods insecure
|
||||||
|
fallthrough in-addr.arpa ip6.arpa
|
||||||
|
ttl 30
|
||||||
|
}
|
||||||
|
prometheus :9153
|
||||||
|
#forward . 1.1.1.1
|
||||||
|
forward . 10.0.20.1
|
||||||
|
#forward . /etc/resolv.conf
|
||||||
|
cache {
|
||||||
|
success 10000 300 6
|
||||||
|
denial 10000 300 60
|
||||||
|
}
|
||||||
|
loop
|
||||||
|
reload
|
||||||
|
loadbalance
|
||||||
|
}
|
||||||
|
cluster.local.viktorbarzin.lan:53 {
|
||||||
|
errors
|
||||||
|
template ANY ANY {
|
||||||
|
rcode NXDOMAIN
|
||||||
|
}
|
||||||
|
cache {
|
||||||
|
denial 10000 3600
|
||||||
|
}
|
||||||
|
}
|
||||||
|
viktorbarzin.lan:53 {
|
||||||
|
#log
|
||||||
|
errors
|
||||||
|
forward . 10.0.20.101:30053 # Technitium NodePort
|
||||||
|
cache {
|
||||||
|
success 10000 300 6
|
||||||
|
denial 10000 300 60
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "kubernetes_deployment" "technitium" {
|
resource "kubernetes_deployment" "technitium" {
|
||||||
# resource "kubernetes_daemonset" "technitium" {
|
# resource "kubernetes_daemonset" "technitium" {
|
||||||
metadata {
|
metadata {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue