Cross-domain CNAME records are not being resolved to IP addresses
In pursuit of DNS management automation (DNS management via web UI / HTTP API), we've chosen Knot Resolver as our resolver, but it seems to lack (or I could not find in the docs) a feature which would allow us to create CNAME records pointing from internal to external zones. We're currently using BIND, where the following works fine:

```
service1.internal.eu. IN CNAME publicservice.external.com.
```
What I'd expect is:

1. Knot Resolver asks our internal authoritative DNS (PowerDNS) for `service1.internal.eu.`, which returns `CNAME publicservice.external.com.`
2. If the CNAME target's suffix/pattern is not matched by other policies, it then asks a public DNS (like 8.8.8.8, 1.1.1.1, ...) to resolve it to an IP address and returns the result to the client.
What's happening is: Knot Resolver asks our internal authoritative DNS for `service1.internal.eu.`, which returns `CNAME publicservice.external.com.`, and, satisfied with that, forwards it back to the client unresolved.
Other queries to internal domains seem to work fine, including ones defined as:

```
service1.internal.eu. IN CNAME service1a.internal.eu.
service1a.internal.eu. IN A 1.2.3.4
```
The reason we do it this way is that we want to give a "public" (read: cloud-based) service used internally a meaningful name instead of something like `auiewrthuiasdvbjas123juiahgi.cloudfront.net`, managed internally, or we simply don't know the public IP of a service. It is a similar case really when a service is publicly proxied by CloudFlare or a similar service, and we'd therefore have to check the A record every once in a while to see whether it changed.
Contents of `/etc/knot-resolver/kresd.conf`:

```lua
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/

-- Network interface configuration
net.listen('1.2.3.4', 53, { kind = 'dns' })

-- Logging
log_level('debug')
log_target('stdout')

-- Load useful modules
modules = {
    'hints > iterate', -- Allow loading /etc/hosts or custom root hints
    'stats',           -- Track internal statistics
    'predict',         -- Prefetch expiring/frequent records
    'view',            -- restrict IP addresses
}

-- Cache size
cache.size = 100 * MB

internalDomains = policy.todnames({'internal.eu.', 'veryinternal.eu.', 'in-addr.arpa.'})
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), internalDomains))
policy.add(policy.suffix(policy.STUB({'127.0.0.1@5353'}), internalDomains))
policy.add(policy.pattern(policy.FORWARD({'8.8.8.8'}), '.*'))
```
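The symptom described in this post (the resolver handing back a CNAME with no terminating A/AAAA record) can be checked mechanically from the wire-format response rather than by eyeballing `dig` output. The following is an added example, not part of the original post and not Knot Resolver code: a minimal DNS message builder and parser (standard library only, handles name compression) plus a `cname_chain_status` check that walks the CNAME chain in the answer section and reports whether it ends in an address record. The two responses it builds are constructed to mirror the post's records; in practice you would feed it the raw bytes of a response captured from the resolver.

```python
import struct

# --- wire-format helpers (constructed for this example, not the resolver's own code) ---

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, answers):
    """Build a minimal response: one A question plus the given answer RRs.
    answers: list of (owner, rtype, rdata); for CNAME (type 5) rdata is a name string."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    for owner, rtype, rdata in answers:
        if rtype == 5:
            rdata = encode_name(rdata)
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Read a possibly compressed name; return (name with trailing dot, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_answers(msg):
    """Return the answer section as a list of (owner, rtype, rdata)."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = read_name(msg, off)[0] if rtype == 5 else msg[off:off + rdlen]
        off += rdlen
        records.append((owner, rtype, rdata))
    return records

# --- the check: does the CNAME chain in the answer end in an A/AAAA record? ---

def cname_chain_status(qname, records):
    """Follow CNAMEs from qname. Returns ('resolved', owner_of_address_rr)
    or ('dangling', last_cname_target) when the chain stops without an address."""
    name, seen = qname.lower(), set()
    while True:
        if any(r[0].lower() == name and r[1] in (1, 28) for r in records):
            return "resolved", name
        cnames = [r for r in records if r[0].lower() == name and r[1] == 5]
        if not cnames or name in seen:  # no further CNAME, or a loop
            return "dangling", name
        seen.add(name)
        name = cnames[0][2].lower()

if __name__ == "__main__":
    # Constructed responses mirroring the records in the post.
    unresolved = build_response("service1.internal.eu.",
        [("service1.internal.eu.", 5, "publicservice.external.com.")])
    internal = build_response("service1.internal.eu.",
        [("service1.internal.eu.", 5, "service1a.internal.eu."),
         ("service1a.internal.eu.", 1, bytes([1, 2, 3, 4]))])
    for label, msg in (("external CNAME", unresolved), ("internal CNAME", internal)):
        print(label, cname_chain_status("service1.internal.eu.", parse_answers(msg)))
```

A `dangling` result for a query whose target lives outside the stubbed zones is the condition to alert on when validating resolver policy changes; the check is deliberately independent of which resolver produced the response.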