
Container Service for Kubernetes: Configure DNS resolution

Last Updated: Aug 18, 2023

This topic describes how Domain Name System (DNS) resolution works in Container Service for Kubernetes (ACK) clusters and how to configure DNS policies to meet different business requirements in various scenarios.

Prerequisites

Before you configure the pre-installed DNS server, make sure that you have completed the following steps:

Background information

By default, a Service named kube-dns is deployed in an ACK cluster to provide DNS resolution services for the cluster. You can run the following command to query information about the kube-dns Service:

kubectl get svc kube-dns -n kube-system

Expected output:

NAME       TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   172.24.0.10   <none>        53/UDP,53/TCP,9153/TCP   27d

Two backend pods named coredns are deployed for the kube-dns Service. You can run the following command to query information about the coredns pods:

kubectl get deployment coredns -n kube-system

Expected output:

NAME      READY   UP-TO-DATE   AVAILABLE   AGE
coredns   2/2     2            2           27d

How DNS resolution works in ACK clusters

The startup parameters of kubelet in an ACK cluster include --cluster-dns=<dns-service-ip> and --cluster-domain=<default-local-domain>. These parameters set the IP address of the DNS server and the suffix of the base domain name in the ACK cluster.

The DNS configuration file in the pod is /etc/resolv.conf. The file contains the following content:

nameserver xx.xx.0.10
search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5

| Parameter | Description |
| --- | --- |
| nameserver | Specifies the IP addresses of the DNS servers. |
| search | Specifies the suffixes that are used for DNS queries. More suffixes indicate more DNS queries. For ACK clusters, suffixes are kube-system.svc.cluster.local, svc.cluster.local, and cluster.local. Therefore, up to eight queries (four for an IPv4 address and four for an IPv6 address) are generated for a request that is sent to an ACK cluster. |
| options | Specifies the options for the DNS configuration file. You can specify multiple key-value pairs. For example, ndots:5 specifies that if the number of dots in the domain name string is greater than 5, the domain name is a fully qualified domain name and is directly resolved. If the number of dots in the domain name string is less than 5, the domain name is appended with the suffixes specified by the search parameter before it is resolved. |

According to the preceding settings, DNS queries of internal domain names and external domain names are sent to the DNS servers of an ACK cluster for DNS resolution.
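
The following added example (not part of the original documentation) models how the resolver in a pod expands a name with the search and ndots settings above, so you can see which names actually reach the cluster DNS server and where the eight queries come from. It assumes the usual resolver rule that a name with at least ndots dots is tried as-is first; the function names and the sample name www.example.com are illustrative.

```python
# Added example: model of how a pod's stub resolver expands names.
# RESOLV_CONF is a constructed sample; the address is the kube-dns ClusterIP shown above.
RESOLV_CONF = """\
nameserver 172.24.0.10
search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains, ndots) parsed from resolv.conf text."""
    nameservers, search, ndots = [], [], 1  # resolv.conf(5) default is ndots:1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        key, values = fields[0], fields[1:]
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key == "search":
            search = values  # a later search line replaces an earlier one
        elif key == "options":
            for opt in values:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def candidate_names(name, search, ndots, search_after_absolute=True):
    """Ordered FQDNs the resolver tries until one of them answers."""
    if name.endswith("."):
        return [name]  # trailing dot: already absolute, search list is skipped
    absolute = name + "."
    expanded = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        # Enough dots: queried as-is first. glibc then falls back to the search
        # list; musl (Alpine images) does not, so pass search_after_absolute=False.
        return [absolute] + (expanded if search_after_absolute else [])
    return expanded + [absolute]  # too few dots: search suffixes first


def worst_case_queries(name, search, ndots, record_types=("A", "AAAA")):
    """Every (fqdn, type) query sent when only the last candidate resolves."""
    names = candidate_names(name, search, ndots)
    return [(fqdn, rtype) for fqdn in names for rtype in record_types]
```

An external name written with a trailing dot yields a single candidate, so it is not sent to the DNS server with the cluster suffixes appended.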

Use dnsPolicy to configure DNS policies for an ACK cluster in different scenarios

You can use the dnsPolicy parameter to specify a different DNS policy for each pod. ACK clusters support the following DNS policies:

  • ClusterFirst: This policy indicates that a pod uses CoreDNS to resolve domain names. The /etc/resolv.conf file contains the address of the DNS server that is provided by CoreDNS, which is kube-dns. This is the default DNS policy for workloads in an ACK cluster.

  • None: This policy indicates that a pod ignores the DNS settings of the ACK cluster. You must customize the DNS settings by using the dnsConfig field.

  • Default: This policy indicates that a pod inherits the DNS settings from the node where the pod is deployed. In an ACK cluster, nodes are created based on Elastic Compute Service (ECS) instances. Therefore, a pod directly uses the /etc/resolv.conf file of the ECS instance-based node where the pod is deployed. This file contains the address of a DNS server that is provided by Alibaba Cloud DNS.

  • ClusterFirstWithHostNet: This policy indicates that a pod in HostNetwork mode uses the ClusterFirst policy. If you do not specify this policy for a pod in HostNetwork mode, the pod uses the Default policy.

You can use the preceding DNS policies to meet different business requirements in various scenarios.

  • Scenario 1: Use CoreDNS provided by ACK clusters to resolve domain names

    In this scenario, you must specify dnsPolicy: ClusterFirst for the DNS policy settings. Example:

    apiVersion: v1
    kind: Pod
    metadata:
      name: alpine
      namespace: default
    spec:
      containers:
      - image: alpine
        command:
          - sleep
          - "10000"
        imagePullPolicy: Always
        name: alpine
      dnsPolicy: ClusterFirst

  • Scenario 2: Customize DNS settings for a pod

    To customize DNS settings for a pod, you must specify dnsPolicy: None for the DNS policy settings. Example:

    apiVersion: v1
    kind: Pod
    metadata:
      name: alpine
      namespace: default
    spec:
      containers:
      - image: alpine
        command:
          - sleep
          - "10000"
        imagePullPolicy: Always
        name: alpine
      dnsPolicy: None
      dnsConfig:
        nameservers: ["169.254.xx.xx"]
        searches:
        - default.svc.cluster.local
        - svc.cluster.local
        - cluster.local
        options:
        - name: ndots
          value: "2"

    The following table describes the parameters in the dnsConfig section.

    | Parameter | Description |
    | --- | --- |
    | nameservers | A list of IP addresses of DNS servers for the pod. You can specify up to three IP addresses. If you set dnsPolicy to None for a pod, you must specify at least one IP address. If you do not set dnsPolicy to None for a pod, this parameter is optional. The listed DNS server IP addresses will be added to the nameserver field of the DNS configuration file that is generated based on the value of dnsPolicy. Duplicate IP addresses are removed. |
    | searches | A list of DNS search domains for hostname lookup in the pod. This parameter is optional. The listed DNS search domains will be added to the list of base search domains that are generated based on the specified DNS policy. Duplicate domain names are removed. You can specify up to six search domains. |
    | options | A list of optional items. Each item can contain a name (required) and a value (optional). The specified items will be added to the list of optional items that are generated based on the specified DNS policy. Duplicate items are removed. |

    For more information, see DNS for Services and Pods.

  • Scenario 3: Use the DNS settings of an ECS instance that is provided by Alibaba Cloud

    If your application pods do not need to access other services deployed in the ACK cluster, you can specify dnsPolicy: Default for the DNS policy settings. In this scenario, DNS resolution is performed by Alibaba Cloud DNS and CoreDNS is not required. Example:

    apiVersion: v1
    kind: Pod
    metadata:
      name: alpine
      namespace: default
    spec:
      containers:
      - image: alpine
        command:
          - sleep
          - "10000"
        imagePullPolicy: Always
        name: alpine
      dnsPolicy: Default

  • Scenario 4: Enable pods in HostNetwork mode to access services in an ACK cluster

    If you specify hostNetwork: true for the network settings of your application pods, your application pods can directly use the host network. In this case, the default DNS policy for a pod is Default. As a result, your application pods cannot access services deployed in the ACK cluster. If you want to enable pods in HostNetwork mode to access services deployed in the ACK cluster, you must specify dnsPolicy: ClusterFirstWithHostNet for the DNS policy settings. Example:

    apiVersion: v1
    kind: Pod
    metadata:
      name: alpine
      namespace: default
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - image: alpine
        command:
          - sleep
          - "10000"
        imagePullPolicy: Always
        name: alpine
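
The following added example (not part of the original documentation) checks pod specs against the rules from the four scenarios above: the effective policy in HostNetwork mode, the nameserver requirement for dnsPolicy: None, and the limits of three nameservers and six search domains. The function names and sample specs are constructed for illustration, and removing duplicates before counting against the limits is an assumption.

```python
# Added example: audit pod specs against the DNS rules described on this page.
MAX_NAMESERVERS = 3  # limit stated on this page
MAX_SEARCHES = 6     # limit stated on this page


def effective_dns_policy(spec):
    """DNS policy a pod ends up with, following the rules described above."""
    policy = spec.get("dnsPolicy")
    if spec.get("hostNetwork"):
        # In HostNetwork mode only ClusterFirstWithHostNet keeps CoreDNS in use.
        return policy if policy in ("ClusterFirstWithHostNet", "None") else "Default"
    return policy or "ClusterFirst"


def audit_pod_dns(spec):
    """Return a list of findings for one pod spec (empty list means no issue)."""
    findings = []
    policy = effective_dns_policy(spec)
    cfg = spec.get("dnsConfig") or {}
    # Assumption: duplicates are removed before the limits are counted.
    nameservers = list(dict.fromkeys(cfg.get("nameservers") or []))
    searches = list(dict.fromkeys(cfg.get("searches") or []))
    if policy == "None" and not nameservers:
        findings.append("dnsPolicy None needs at least one dnsConfig nameserver")
    if len(nameservers) > MAX_NAMESERVERS:
        findings.append(f"{len(nameservers)} nameservers, limit is {MAX_NAMESERVERS}")
    if len(searches) > MAX_SEARCHES:
        findings.append(f"{len(searches)} search domains, limit is {MAX_SEARCHES}")
    if spec.get("hostNetwork") and policy == "Default":
        findings.append("hostNetwork pod uses node DNS; cluster Services will not resolve")
    return findings


# Constructed pod specs (the "spec" section of a manifest) for illustration.
SAMPLE_SPECS = {
    "custom-dns": {"dnsPolicy": "None",
                   "dnsConfig": {"nameservers": ["169.254.20.10"],
                                 "searches": ["cluster.local"]}},
    "none-without-servers": {"dnsPolicy": "None"},
    "hostnet-default": {"hostNetwork": True},
    "hostnet-cluster": {"hostNetwork": True, "dnsPolicy": "ClusterFirstWithHostNet"},
    "too-many-servers": {"dnsConfig": {"nameservers": [
        "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.1"]}},
}

REPORT = {name: audit_pod_dns(spec) for name, spec in SAMPLE_SPECS.items()}
```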

Use the hostAliases field to configure the /etc/hosts file in a pod

If you want to map a specified domain name to a static IP address for DNS resolution within all pods, you can enable the hosts plug-in of CoreDNS. For more information, see Configure extended features based on CoreDNS.

If you want to map a specified domain name to a static IP address for DNS resolution within a specified pod, you can add the hostAliases field to the configurations of the pod to modify the /etc/hosts file. Example:

apiVersion: v1
kind: Pod
metadata:
  name: hostaliases-pod
spec:
  hostAliases:
  - ip: "127.0.**.**"
    hostnames:
    - "foo.local"
    - "bar.local"
  - ip: "10.1.**.**"
    hostnames:
    - "foo.remote"
  containers:
  - name: cat-hosts
    image: busybox:1.28
    command:
    - cat
    args:
    - "/etc/hosts"

The hostAliases field is added to the spec section in the pod configurations. After the pod is launched, the /etc/hosts file is initialized with the following content:

# Kubernetes-managed hosts file.
127.0.**.**	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
fe00::0	ip6-mcastprefix
fe00::1	ip6-allnodes
fe00::2	ip6-allrouters
10.200.**.**	hostaliases-pod

# Entries added by HostAliases.
127.0.**.**	foo.local	bar.local
10.1.**.**	foo.remote

The preceding content shows that the foo.local, bar.local, and foo.remote domain names are mapped to static IP addresses.