All Products
Search

This Product

    Alibaba Cloud Service Mesh:Use the DNS proxy feature in an ASM instance

    Document Center

    Alibaba Cloud Service Mesh:Use the DNS proxy feature in an ASM instance

    Last Updated:Jun 05, 2023

    Sidecar proxies in a Service Mesh (ASM) instance can serve as Domain Name System (DNS) proxies. When applications initiate DNS queries in an ASM instance for which the DNS proxy feature, sidecar proxies transparently intercept the queries and provide DNS services. This topic describes how to enable and use the DNS proxy feature in ASM.

    Prerequisites

    Background information

    By default, a set of DNS services are deployed in a Container Service for Kubernetes (ACK) cluster to provide DNS features for workloads. This allows applications that run in the cluster to discover other services by using the DNS services.

    A DNS server runs in every Kubernetes cluster. Each pod uses the internal DNS server for DNS services. By default, sidecar proxies do not intercept DNS queries, and each application tries to resolve domain names before the application establishes connections to other services. After the DNS proxy feature is enabled in ASM, sidecar proxies transparently intercept DNS queries from applications and provide DNS services. This accelerates domain name resolution.

    Enable the DNS proxy feature

    Scenario 1: Enable the DNS proxy feature globally

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose Sidecar Management(Data Plane) > Sidecar Proxy Setting in the left-side navigation pane.

    5. On the Global tab, click DNS proxy, select Enable DNS Proxy, and then click Update Settings.

    6. Restart the pod of an application so that the DNS configuration takes effect for the application.

      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
      4. In the left-side navigation pane of the details page, choose Workloads > Pods.

      5. On the Pods page, find the pod that you want to restart and click Delete in the Actions column.

      6. In the Delete Pod message, click Confirm.

        Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.

    Scenario 2: Enable the DNS proxy feature for a specific namespace

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose Sidecar Management(Data Plane) > Sidecar Proxy Setting in the left-side navigation pane.

    5. On the Sidecar Proxy Setting page, click the Namespace tab.

    6. Select a namespace, click DNS proxy, select Enable DNS Proxy, and then click Update Settings.

    7. Restart the pod of an application so that the DNS configuration takes effect for the application.

      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
      4. In the left-side navigation pane of the details page, choose Workloads > Pods.

      5. On the Pods page, find the pod that you want to restart and click Delete in the Actions column.

      6. In the Delete Pod message, click Confirm.

        Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.

    Scenario 3: Enable the DNS proxy feature for a specific pod

    You can add specific annotations to the YAML file of a pod to enable the DNS proxy feature for the pod.

    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.

    5. On the Deployments page, find the application for which you want to enable the DNS proxy feature and choose More > View in YAML in the Actions column.

    6. In the Edit YAML dialog box, add the following annotations to the spec parameter, and then click Update: 

      annotations:
  proxy.istio.io/config: |
    proxyMetadata:
      ISTIO_META_DNS_CAPTURE: "true"
      ISTIO_META_DNS_AUTO_ALLOCATE: "true"
      Annotations

    7. Restart the pod of the application so that the DNS configuration takes effect for the application.

      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
      4. In the left-side navigation pane of the details page, choose Workloads > Pods.

      5. On the Pods page, find the pod that you want to restart and click Delete in the Actions column.

      6. In the Delete Pod message, click Confirm.

        Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.

    Use the DNS proxy feature

    Step 1: Create a External Service

    Create a external service to add aliyun.com to the internal service registry of your ASM instance.

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry) in the left-side navigation pane. On the page that appears, click Create from YAML.

    5. On the Create page, set the Namespace and Template parameters, copy the following content to the code editor, and then click Create: 

      apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
 name: test1-mydnsproxying
spec:
 hosts:
 - aliyun.com
 location: MESH_EXTERNAL
 ports:
 - number: 443
   name: https
   protocol: TLS
 resolution: DNS

    Step 2: Deploy a sample application

    1. Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

    2. Create a file named sleep.yaml and add the following content to the file: 

      apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true

    3. Run the following command to deploy the sleep application: 

      kubectl apply -f sleep.yaml

    4. Run the following command to check whether the pod of the sleep application is started: 

      kubectl get pod |grep sleep

      Expected output:

      NAME                       READY   STATUS    RESTARTS   AGE
sleep-66cd8f684f-nxw8v     2/2     Running   0          16m

    Step 3: Enable the DNS proxy feature for the pod of the sleep application

    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.

    5. On the Deployments page, find the application for which you want to enable the DNS proxy feature and choose More > View in YAML in the Actions column.

    6. In the Edit YAML dialog box, add the following annotations to the spec parameter, and then click Update: 

      annotations:
  proxy.istio.io/config: |
    proxyMetadata:
      ISTIO_META_DNS_CAPTURE: "true"
      ISTIO_META_DNS_AUTO_ALLOCATE: "true"
      Annotations

    7. Restart the pod of the sleep application so that the DNS configuration takes effect for the application.

      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
      4. In the left-side navigation pane of the details page, choose Workloads > Pods.

      5. On the Pods page, find the pod of the sleep application and click Delete in the Actions column.

      6. In the Delete Pod message, click Confirm.

        Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.

    Step 4: Verify that the DNS proxy feature takes effect

    1. View the logs of the istio-init container.

      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
      4. In the left-side navigation pane of the details page, choose Workloads > Pods.

      5. On the Pods page, click the name of the pod of the sleep application.

      6. On the pod details page, click the Logs tab and set the Container parameter to istio-init.

        The following logs are displayed: 

        -A OUTPUT -p udp --dport 53 -d 192.168.0.10/32 -j REDIRECT --to-port 15053
-A ISTIO_OUTPUT -p tcp --dport 53 -d 192.168.0.10/32 -j REDIRECT --to-ports 15053

        The sidecar proxy intercepts all DNS queries from the pod of the application in the same way that the sidecar proxy intercepts other types of traffic based on iptables rules. Istio adds additional iptables rules to redirect all DNS queries that are sent to a Kubernetes DNS service, such as the CoreDNS service, on TCP or UDP port 53 to port 15053.

    2. View the port on which the pilot-agent process listens.

      1. In the left-side navigation pane of the details page, choose Workloads > Pods.

      2. On the Pods page, find the pod of the sleep application and click Terminal in the Actions column. Then, click Container: istio-proxy.

      3. In the istio-proxy container, run the following command to view the port on which the pilot-agent process listens: 

        netstat -anp |grep 15053

        Expected output:

        tcp        0      0 127.0.0.1:15053         0.0.0.0:*               LISTEN      1/pilot-agent
udp        0      0 127.0.0.1:15053         0.0.0.0:*                           1/pilot-agent

        The output indicates the pilot-agent process is listening on port 15053. All DNS queries are redirected to the pilot-agent process that runs in the istio-proxy container.

    3. Visit aliyun.com in the sleep application.

      1. In the left-side navigation pane of the details page, choose Workloads > Pods.

      2. On the Pods page, find the pod of the sleep application and click Terminal in the Actions column. Then, click Container: sleep.

      3. Run the following command in the sleep container to visit aliyun.com: 

        curl -v https://aliyun.com

        Expected output:

        *   Trying 240.240.**.**:443...
* Connected to aliyun.com (240.240.**.**) port 443 (#0)

        The output indicates that the IP address 240.240.**.** is returned. The IP address is not an actual public IP address. Instead, it is a virtual IP address that is automatically assigned by the ASM instance. This is because the ASM instance uses iptables to intercept requests that are sent to the kube-dns service and routes the requests to the sidecar proxy that runs in the pod of the sleep application. After the pod of the sleep application resolves aliyun.com to a virtual IP address and sends a request, the virtual IP address is translated into the actual public IP address that is resolved by the sidecar proxy.

    Enable debug logs for the DNS proxy feature

    After you enable debug logs for the DNS proxy feature, the pilot-agent process records every DNS query that is initiated from the application container.

    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.

    5. On the Deployments page, find the sleep application and choose More > View in YAML in the Actions column.

    6. In the Edit YAML dialog box, add the following annotation to the spec parameter, and then click Update: 

      annotations:
  sidecar.istio.io/agentLogLevel: "dns:debug"
      Log annotation

    7. Run the following command in the cluster to view debug logs: 

      kubectl logs -n default sleep-85fdfd8896-2ctq4 -c istio-proxy | grep debug

      Expected output:

      2022-03-28T12:15:05.064562Z    debug    dns    request ;; opcode: QUERY, status: NOERROR, id: 16390
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     AAAA
    protocol=udp edns=false id=1c71c9f1-e051-49e9-8d04-d7c82ee****
2022-03-28T12:15:05.064572Z    debug    dns    request ;; opcode: QUERY, status: NOERROR, id: 16016
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     A
    protocol=udp edns=false id=4cec8078-5355-4d1b-b496-ab57367****
2022-03-28T12:15:05.064593Z    debug    dns    response for hostname "alibabacloud.com.default.svc.cluster.local." (found=true): ;; opcode: QUERY, status: NOERROR, id: 16390
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     AAAA
    protocol=udp edns=false id=1c71c9f1-e051-49e9-8d04-d7c82ee****
2022-03-28T12:15:05.064614Z    debug    dns    response for hostname "alibabacloud.com.default.svc.cluster.local." (found=true): ;; opcode: QUERY, status: NOERROR, id: 16016
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     A

;; ANSWER SECTION:
alibabacloud.com.default.svc.cluster.local.    30    IN    CNAME    alibabacloud.com.
alibabacloud.com.    30    IN    A    240.240.**.**
    protocol=udp edns=false id=4cec8078-5355-4d1b-b496-ab573670****

      The log entries that contain found=true indicate that the domain names are found in the local registry for DNS queries and the domain names are resolved.