Hi @CentralCommand, I've been able to root cause the runaway DNS queries as a result of what I call infinite looping configuration in `/etc/corefile`. The lines of configuration that are contributing to this issue are `loop`, `fallback REFUSED,NXDOMAIN`, and `max_fails 0`. Here's what happens:

- CoreDNS starts and executes the `loop` plugin, which sends a query for `<random number>.<random number>.zone` that gets forwarded externally and the Root Servers respond with `NXDOMAIN`.
- CoreDNS triggers the `fallback` plugin due to the `NXDOMAIN` response.
- CoreDNS now sends all queries, including health_check (`NS IN .`), to Cloudflare over TLS.
- User's firewall blocks DNS over TLS (TCP 853).
- CoreDNS triggers the `fallback` plugin due to the `REFUSED` response.
- Since `max_fails 0` is set, CoreDNS assumes Cloudflare is always healthy.
- CoreDNS is now in an infinite loop continuously sending and retrying its health_check query.

Initial thoughts for a PR to fix this are:

- HINFO query from the `loop` plugin should not trigger fallback.
- Allow users to specify whether or not to use DNS or TLS when configuring the plugin-dns container.
- Don't assume Cloudflare will always be available.
- [Unrelated]: Remove `policy sequential` so as not to overload a single user's DNS server.
Although, before reworking this configuration: is the narrative on why plugin-dns exists in the first place that it provides continuous access to well-functioning and available DNS servers?
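As an added example (not code from the post or from the plugin-dns project), a small Python check that scans a Corefile for the directive combination described above: `loop` together with a `fallback` on `NXDOMAIN`, `max_fails 0`, and `policy sequential`. The Corefile inside it is constructed; the upstream address and health_check interval are placeholders, and the finding codes are my own names.

```python
# Constructed Corefile with the directive combination described above (placeholders).
RISKY_COREFILE = """\
. {
    loop
    forward . tls://1.1.1.1 {
        health_check 5s
        max_fails 0
        policy sequential
    }
    fallback REFUSED,NXDOMAIN . tls://1.1.1.1
}
"""

def parse_directives(text):
    """Return (depth, directive, args) per Corefile line; depth 1 = plugin, 2 = option."""
    out, depth = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            depth -= 1
            continue
        tokens = line.rstrip("{").split()
        if depth > 0:  # depth 0 is the server-block header (". {"), not a plugin
            out.append((depth, tokens[0], tokens[1:]))
        if line.endswith("{"):
            depth += 1
    return out

def lint_corefile(text):
    """Flag the interactions described in the post; returns sorted finding codes."""
    directives = parse_directives(text)
    names = {name for _, name, _ in directives}
    findings, rcodes = set(), set()
    for _, name, args in directives:
        if name == "fallback" and args:
            rcodes |= {r.upper() for r in args[0].split(",")}
        elif name == "max_fails" and args == ["0"]:
            findings.add("UPSTREAM_NEVER_MARKED_UNHEALTHY")  # retries never stop
        elif name == "policy" and args == ["sequential"]:
            findings.add("SINGLE_UPSTREAM_ALWAYS_FIRST")
    # loop's self-probe is answered NXDOMAIN by design, so routing NXDOMAIN
    # to fallback lets the probe itself redirect every later query upstream.
    if "loop" in names and "NXDOMAIN" in rcodes:
        findings.add("LOOP_PROBE_TRIGGERS_FALLBACK")
    return sorted(findings)
```

Running `lint_corefile(RISKY_COREFILE)` reports all three findings; removing `NXDOMAIN` from the fallback rcodes, setting a non-zero `max_fails`, and choosing a different policy clears them.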