Each DNS query from a Kubernetes Pod takes the following path: the Pod sends it to the node local DNS cache. Queries for the cluster.local zone are forwarded to CoreDNS or responded to from the cache. All other queries go to the upstream resolvers configured in the node's /etc/resolv.conf (see below).

Node local DNS cache

A large amount of DNS queries can overload CoreDNS or lead to higher latency. That's why MetaKube Core installs a local DNS cache resolver on each node. It runs as the node-local-dns DaemonSet in the kube-system namespace and also runs CoreDNS, but with a different configuration. It listens on 169.254.20.10:53 with UDP & TCP on a dummy interface nodelocaldns, and Pods are pointed at it through their /etc/resolv.conf file. Queries for the cluster.local domain are forwarded to CoreDNS and the results are cached. All other queries use the resolvers from the node's /etc/resolv.conf configuration, see external names. For additional configuration, see extending CoreDNS configuration below.

CoreDNS

CoreDNS runs as the coredns Deployment in the kube-system namespace and is reachable from inside the cluster at 10.240.16.10. For additional configuration, see extending CoreDNS configuration below.
You can find more information about the kinds of records CoreDNS serves and how you can use CoreDNS in the official Kubernetes documentation.
External names

Queries for names not in the cluster.local domain are not answered by CoreDNS. They use the following resolvers/servers:
- 127.0.0.53:53, the local stub resolver of systemd-resolved on the node
Host queries

Queries coming from the host directly (not from Pods) don't go to CoreDNS. E.g. dig kubernetes.svc.cluster.local resolves from a Pod, but not from the host.
Extending CoreDNS configuration

You can extend the configuration of both the node local DNS cache and CoreDNS. To do so, create a ConfigMap named coredns-extra-configs or node-local-dns-extra-configs respectively in the kube-system namespace. It must contain a valid CoreDNS style configuration file (a Corefile) under the Corefile key.
apiVersion: v1
kind: ConfigMap
metadata:
  name: node-local-dns-extra-configs
  namespace: kube-system
data:
  Corefile: |
    example.com {
        bind 169.254.20.10
        forward . 1.2.3.4
    }
With this configuration, node local DNS will forward queries for names under the example.com domain to 1.2.3.4.
Changes to the ConfigMaps won't take effect immediately. To load the new configuration, you must recreate the Pods:

kubectl --namespace kube-system rollout restart deployment coredns
kubectl --namespace kube-system rollout restart daemonset node-local-dns
When you add another listener to the node local DNS cache, you must use the bind directive so that it only listens on the nodelocaldns interface or its IP. Otherwise CoreDNS will listen on the wildcard address (all addresses), which includes the local stub resolver of systemd-resolved. Since that is already listening on port 53 on 127.0.0.53, CoreDNS will fail, complaining that the port is already in use.
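The following added example (not part of the MetaKube Core documentation or its tooling) shows a small pre-flight check for an extra Corefile before it is written into the node-local-dns-extra-configs ConfigMap described above. It parses the Corefile into server blocks, reports every block that lacks a bind directive (or binds to something other than the nodelocaldns interface or its IP 169.254.20.10), notes the clash with systemd-resolved on 127.0.0.53:53 when the block uses port 53, and renders the ConfigMap manifest in the shape shown above only when the check passes. The two sample Corefiles are constructed for this example; the parser assumes each directive sits on its own line, which is the usual Corefile layout.

```python
import re

NODELOCAL_IP = "169.254.20.10"     # node local DNS cache address from the docs
NODELOCAL_IFACE = "nodelocaldns"   # dummy interface name from the docs
RESOLVED_ADDR = "127.0.0.53:53"    # systemd-resolved stub listener from the docs

# Constructed sample Corefiles: the first follows the docs, the second omits bind.
GOOD_COREFILE = """\
example.com {
    bind 169.254.20.10
    forward . 1.2.3.4
}
"""

BAD_COREFILE = """\
example.com {
    forward . 1.2.3.4 {
        policy round_robin
    }
}
"""


def parse_server_blocks(corefile):
    """Split a Corefile into (zone_spec, top_level_directives) pairs.

    Only directives at brace depth 1 are collected, so a plugin's own
    sub-block (e.g. 'forward . 1.2.3.4 { ... }') can neither hide nor
    fake a 'bind'. Assumes one directive per line.
    """
    blocks = []
    depth = 0
    zone = None
    directives = []
    for raw in corefile.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if depth == 0:
            if not line.endswith("{"):
                raise ValueError("expected a server block header, got %r" % line)
            zone = line[:-1].strip()
            directives = []
            depth = 1
            continue
        if depth == 1 and not line.startswith("}"):
            directives.append(line.rstrip("{").strip())
        depth += line.count("{") - line.count("}")
        if depth == 0:
            blocks.append((zone, directives))
        elif depth < 0:
            raise ValueError("unbalanced braces in Corefile")
    if depth != 0:
        raise ValueError("unterminated server block")
    return blocks


def port_of(zone_spec):
    """Port of a server block header such as 'example.com:5353'; CoreDNS defaults to 53."""
    match = re.search(r":(\d+)$", zone_spec)
    return int(match.group(1)) if match else 53


def listener_problems(corefile):
    """Return [(zone_spec, message)] for blocks that would not stay on the nodelocaldns interface."""
    problems = []
    for zone, directives in parse_server_blocks(corefile):
        bind_args = []
        for directive in directives:
            parts = directive.split()
            if parts[0] == "bind":
                bind_args.extend(parts[1:])
        if not bind_args:
            msg = "no bind directive, listener would open on all addresses"
            if port_of(zone) == 53:
                msg += " and collide with systemd-resolved on " + RESOLVED_ADDR
            problems.append((zone, msg))
            continue
        foreign = [a for a in bind_args if a not in (NODELOCAL_IP, NODELOCAL_IFACE)]
        if foreign:
            problems.append((zone, "bind %s is not the nodelocaldns interface or its IP"
                             % ", ".join(foreign)))
    return problems


def render_configmap(corefile, name="node-local-dns-extra-configs", namespace="kube-system"):
    """Render the ConfigMap manifest from the docs, refusing Corefiles that fail the check."""
    problems = listener_problems(corefile)
    if problems:
        raise ValueError("refusing to render: " + "; ".join(m for _, m in problems))
    body = "\n".join("    " + line for line in corefile.rstrip("\n").splitlines())
    return ("apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\n"
            "data:\n  Corefile: |\n%s\n" % (name, namespace, body))


if __name__ == "__main__":
    for label, text in (("good", GOOD_COREFILE), ("bad", BAD_COREFILE)):
        print(label, listener_problems(text) or "ok")
    print(render_configmap(GOOD_COREFILE))
```

Run the script to see the good sample rendered as a manifest and the bad sample rejected with the reason; pipe the rendered manifest to kubectl apply and follow with the rollout restart commands above to load it.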