Skydns on Miek Gieben

Debug Queries in CoreDNS with the etcd Middleware

Sun, 22 May 2016 21:32:35 +0100

Let’s say you have some data in etcd and use CoreDNS for service discovery. The Corefile looks like this:

.:53 {
    etcd skydns.local {
        stubzones
        path /skydns
        endpoint http://localhost:2379
        upstream 8.8.8.8:53 8.8.4.4:53
        debug  # <-- new, purpose of this blog
    }
}

You test with dig and you get the result below and you’re asking yourself wth is this happening? If you have access to etcd directly you can use etcdctl, if not you’re basically stuck.

SkyDNS in CoreDNS

Thu, 24 Mar 2016 18:31:18 +0000

The etcd middleware is shaping up nicely. With the following Corefile you already have a big chunk of the SkyDNS funcionality:

.:1053 {
    errors
    etcd skydns.local
    proxy . 8.8.8.8:53
}

Which says, run on port 1053, accept queries for all zones, if the zone matches skydns.local. go look in etcd, if it doesn’t forward to GOOG. Multiple zones should work as well, but this is not tested as of yet.

Let’s test this with the examples from SkyDNS' README. Let’s add all the rails production sites. (Why does this use rails btw?)

SkyDNS running live

Sat, 28 Jun 2014 09:02:00 +0000

SkyDNS is able to do DNSSEC. It generates signatures and NSEC3 records on the fly. For authenticated denial of existence SkyDNS uses NSEC3 white lies, of course implementing (and testing!) this isn’t completely trivial.

To aid in debugging I’ve setup a live version of SkyDNS on voordeur.atoom.net, under the name the zone http://dnssex.nl:

% dig +mul +noall +answer @voordeur.atoom.net soa skydns.dnssex.nl
skydns.dnssex.nl.    3600 IN SOA ns1.dns.skydns.dnssex.nl. hostmaster.skydns.local. (
                            1403942400 ; serial
                            28800      ; refresh (8 hours)
                            7200       ; retry (2 hours)
                            604800     ; expire (1 week)
                            60         ; minimum (1 minute)
                            )

To help getting DNSSEC support 100% working this zone has been delegated and has an DS record in the parent zone. With unbound-host you can see the validation status of this zone:

SkyDNS version 2

Sun, 08 Jun 2014 12:46:00 +0000

SkyDNS version 1 was announced some time ago, since then it has seen some developments, which resulted in SkyDNS version 2. This new version uses Etcd as its backend. This blog post will walk you through the installation and shows how to use it.

What?!

SkyDNS(2) is a service discovery tool that utilizes the DNS to find hosts in a distributed environment. But using DNS means “legacy” clients can be used. Want to know if you MariaDB cluster is still up? ping mariadb.skydns.local can be used for that. By default SkyDNS will use skydns.local. as the domain to anchor all names.