Do not forward private domains for upstream resolvers
Also fix kube log level 4 to log dnsmasq queries. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
This commit is contained in:
parent
e5ad0836bc
commit
5d643e92c4
4 changed files with 25 additions and 5 deletions
|
@ -38,6 +38,13 @@ or `8.8.8.8`. And domain is set to the default ``dns_domain`` value as well.
|
||||||
Later, the nameservers will be reconfigured to the DNS service IP that Kargo
|
Later, the nameservers will be reconfigured to the DNS service IP that Kargo
|
||||||
configures for K8s cluster.
|
configures for K8s cluster.
|
||||||
|
|
||||||
|
Important to note that multiple search domains combined with high ``ndots``
|
||||||
|
values lead to poor performance of DNS stack, so please choose it wise.
|
||||||
|
The dnsmasq daemon set can take lower ``ndots`` values and return NXDOMAIN
|
||||||
|
replies for [bogus internal FQDNS](https://github.com/kubernetes/kubernetes/issues/19634#issuecomment-253948954)
|
||||||
|
before it even hits the kubedns app. Which makes it to be serving as a guarding
|
||||||
|
recursive resolver in front of the kubedns running SkyDNS as an authoritative resolver.
|
||||||
|
|
||||||
DNS configuration details
|
DNS configuration details
|
||||||
-------------------------
|
-------------------------
|
||||||
|
|
||||||
|
@ -93,8 +100,7 @@ Limitations
|
||||||
[no way to specify a custom value](https://github.com/kubernetes/kubernetes/issues/33554)
|
[no way to specify a custom value](https://github.com/kubernetes/kubernetes/issues/33554)
|
||||||
for the SkyDNS ``ndots`` param via an
|
for the SkyDNS ``ndots`` param via an
|
||||||
[option for KubeDNS](https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-dns/app/options/options.go)
|
[option for KubeDNS](https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-dns/app/options/options.go)
|
||||||
add-on, while SkyDNS supports it though. Thus, DNS SRV records may not work
|
add-on, while SkyDNS supports it though.
|
||||||
as expected as they require the ``ndots:7``.
|
|
||||||
|
|
||||||
* the ``searchdomains`` have a limitation of a 6 names and 256 chars
|
* the ``searchdomains`` have a limitation of a 6 names and 256 chars
|
||||||
length. Due to default ``svc, default.svc`` subdomains, the actual
|
length. Due to default ``svc, default.svc`` subdomains, the actual
|
||||||
|
|
|
@ -7,6 +7,8 @@ addn-hosts=/etc/hosts
|
||||||
strict-order
|
strict-order
|
||||||
# Forward k8s domain to kube-dns
|
# Forward k8s domain to kube-dns
|
||||||
server=/{{ dns_domain }}/{{ skydns_server }}
|
server=/{{ dns_domain }}/{{ skydns_server }}
|
||||||
|
# Reply NXDOMAIN to private/internal domains requests
|
||||||
|
local=/internal./local./lc./{{ private_domains }}
|
||||||
|
|
||||||
#Set upstream dns servers
|
#Set upstream dns servers
|
||||||
{% if upstream_dns_servers is defined %}
|
{% if upstream_dns_servers is defined %}
|
||||||
|
@ -17,7 +19,7 @@ server={{ srv }}
|
||||||
server={{ default_resolver }}
|
server={{ default_resolver }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if kube_log_level == 4 %}
|
{% if kube_log_level == '4' %}
|
||||||
log-queries
|
log-queries
|
||||||
{% endif %}
|
{% endif %}
|
||||||
bogus-priv
|
bogus-priv
|
||||||
|
|
|
@ -78,8 +78,16 @@ spec:
|
||||||
- --log-facility=-
|
- --log-facility=-
|
||||||
- --cache-size=1000
|
- --cache-size=1000
|
||||||
- --no-resolv
|
- --no-resolv
|
||||||
- --server=127.0.0.1#10053
|
- --server=/{{ dns_domain }}/127.0.0.1#10053
|
||||||
{% if kube_log_level == 4 %}
|
- --local=/internal./local./lc./{{ private_domains }}
|
||||||
|
{% if upstream_dns_servers is defined %}
|
||||||
|
{% for srv in upstream_dns_servers %}
|
||||||
|
- --server={{ srv }}
|
||||||
|
{% endfor %}
|
||||||
|
{% else %}
|
||||||
|
- --server={{ default_resolver }}
|
||||||
|
{% endif %}
|
||||||
|
{% if kube_log_level == '4' %}
|
||||||
- --log-queries
|
- --log-queries
|
||||||
{% endif %}
|
{% endif %}
|
||||||
ports:
|
ports:
|
||||||
|
|
|
@ -50,5 +50,9 @@
|
||||||
- set_fact:
|
- set_fact:
|
||||||
etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
|
etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
|
||||||
- set_fact:
|
- set_fact:
|
||||||
|
private_domains: |-
|
||||||
|
{% for d in [ 'default.svc.' + dns_domain, 'svc.' + dns_domain ] + searchdomains|default([]) -%}
|
||||||
|
{{dns_domain}}.{{d}}./{{d}}.{{d}}./com.{{d}}./
|
||||||
|
{%- endfor %}
|
||||||
default_resolver: >-
|
default_resolver: >-
|
||||||
{%- if cloud_provider is defined and cloud_provider == 'gce' -%}169.254.169.254{%- else -%}8.8.8.8{%- endif -%}
|
{%- if cloud_provider is defined and cloud_provider == 'gce' -%}169.254.169.254{%- else -%}8.8.8.8{%- endif -%}
|
||||||
|
|
Loading…
Reference in a new issue