What is the meaning of DNS resolution in k8s

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "what is the meaning of DNS resolution in K8s". In real cases many people run into exactly these situations, so let the editor walk you through how to deal with them. I hope you read it carefully and get something out of it!

DNS resolution in K8s

A brief introduction to DNS resolution in k8s:

Overview of DNS in Pod

It is well known that DNS servers convert domain names to IP addresses. On a Linux server the DNS resolver configuration lives in /etc/resolv.conf, and a Pod is no exception. Here is the configuration inside a Pod:

nameserver 10.96.0.10
search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5

If you want to query a DNS server directly and inspect what it returns, you can use the dig tool:

> dig baidu.com @8.8.8.8

; <<>> DiG 9.16.10 <<>> baidu.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-

> kubectl -n kube-system get svc | grep dns
kube-dns   ClusterIP   10.96.0.10   53/UDP,53/TCP,9153/TCP   398d

Some people may have doubts: with two Pods the traffic can be shared evenly, but with three or four Pods, how does iptables do the forwarding? I happened to have this question, so I added two more Pods to see how iptables shares the traffic equally among the four Pods.

This is the final implementation:

-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.25000000000 -j KUBE-SEP-HTZHQHQPOHVVNWZS
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.333333349 -j KUBE-SEP-3VNFB2SPYQJRRPK6
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-Q3HNNZPXUAYYDXW2
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-BBR3Z5NWFGXGVHEZ

These rules are evaluated top to bottom and mean:

The first rule sends 1/4 of the traffic to one chain, leaving 3/4.

Of the remaining 3/4, the second rule sends 1/3 (that is, 1/4 of the total) to a chain, leaving 2/4.

Of the remaining 2/4, the third rule sends 1/2 (again 1/4 of the total) to a chain, leaving 1/4.

Finally, the last rule sends the remaining 1/4 to a chain unconditionally.

Splitting the traffic evenly this way is ingenious: each rule claims 1/(number of endpoints left) of what is still unclaimed, so the same scheme extends to 5 or 10 endpoints in turn.
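To make the "1/(endpoints left)" scheme concrete, here is an added example (it is not code from the article, nor kube-proxy's own implementation) that builds the same kind of `statistic --mode random` chain for any number of endpoints, computes the exact share each endpoint ends up with, and walks simulated packets through the rules in iptables order. The chain and endpoint names (KUBE-SVC-EXAMPLE, KUBE-SEP-EP1 ...) are constructed placeholders, not the ones from the article's cluster.

```python
"""Added example (not from the original article): reproduce the
`-m statistic --mode random --probability` chain that kube-proxy builds for
a ClusterIP Service with N endpoints and check that every endpoint receives
exactly 1/N of the traffic. Chain names are constructed placeholders."""
from fractions import Fraction
import random


def rule_probabilities(n):
    """Per-rule match probabilities in the order iptables evaluates them.

    Rule i (0-based) is only reached by packets that no earlier rule claimed,
    so it must claim 1/(n-i) of what is left. The final rule is an
    unconditional jump and is represented as None.
    """
    if n < 1:
        raise ValueError("a Service needs at least one endpoint")
    return [Fraction(1, n - i) for i in range(n - 1)] + [None]


def effective_shares(n):
    """Fraction of total traffic each endpoint ends up receiving (exact)."""
    remaining = Fraction(1)
    shares = []
    for p in rule_probabilities(n):
        if p is None:
            shares.append(remaining)          # last rule takes everything left
        else:
            shares.append(remaining * p)      # this rule's slice of the total
            remaining -= remaining * p        # what falls through to the next rule
    return shares


def render_rules(n, svc="KUBE-SVC-EXAMPLE"):
    """Render the chain as iptables-save style lines (placeholder chain names)."""
    lines = []
    for i, p in enumerate(rule_probabilities(n)):
        sep = f"KUBE-SEP-EP{i + 1}"
        if p is None:
            lines.append(f"-A {svc} -j {sep}")
        else:
            lines.append(f"-A {svc} -m statistic --mode random "
                         f"--probability {float(p):.11f} -j {sep}")
    return lines


def simulate(n, packets=100000, seed=1):
    """Walk packets through the chain top to bottom, as the kernel does."""
    rng = random.Random(seed)
    hits = [0] * n
    probs = rule_probabilities(n)
    for _ in range(packets):
        for i, p in enumerate(probs):
            if p is None or rng.random() < p:
                hits[i] += 1
                break
    return hits


if __name__ == "__main__":
    for n in (2, 4, 5, 10):
        print(f"\n# {n} endpoints")
        print("\n".join(render_rules(n)))
        print("exact shares:   ", [str(s) for s in effective_shares(n)])
        print("simulated hits: ", simulate(n))
```

Running it for 4 endpoints prints probabilities 0.25, 0.333..., 0.5 and an unconditional last rule, exactly the shape of the rules above; the exact shares come out as 1/4 each, and the simulated hit counts cluster around 25,000 per endpoint. Because the probabilities are evaluated per packet (or per connection, once conntrack records the first decision), the split is statistical rather than round-robin.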

Understanding search kube-system.svc.cluster.local svc.cluster.local cluster.local, options ndots:5 and the other parameters in resolv.conf

A detailed description can be found in the resolv.conf manual; here I will briefly explain my understanding.

Search parameter

Without the search parameter, looking up a short name fails:

> ping kube-dns
ping: kube-dns: Name or service not known

With the search parameter added, the same lookup succeeds:

> ping kube-dns
PING kube-dns.kube-system.svc.psigor-dev.nease.net (10.96.0.10) 56(84) bytes of data.

As you can see, when a given domain name cannot be resolved as-is, the resolver appends the suffixes listed after search and looks it up again. If the name ends with a dot (for example kube-dns.), it is treated as an FQDN (Fully Qualified Domain Name) and no suffixes are tried.

The job of search is to do this trying for us. In Kubernetes, configuring kube-system.svc.cluster.local svc.cluster.local cluster.local means that when we ping abc, the DNS server sees these queries:

[INFO] 10.202.37.232:50940 - 51439 "A IN abc.kube-system.svc.cluster.local. udp 51 false 512" NXDOMAIN qr,aa,rd 144 0.000114128s
[INFO] 10.202.37.223 "A IN abc.svc.cluster.local. udp 39 false 512" NXDOMAIN qr,aa,rd 132 0.000124048s
[INFO] 10.202.37.232:41894 - 15434 "A IN abc.cluster.local. udp 35 false 512" NXDOMAIN qr,aa,rd 128 0.000092304s
[INFO] 10.202.37.232:40357 - 43160 "A IN abc. udp 21 false 512" NOERROR qr,aa,rd,ra 94 0.000163406s

ndots and its optimization problem

The search configuration works together with ndots. The default ndots is 1. If the number of dots in the queried name is less than this value, the resolver first tries the name with each search-domain suffix appended.

Resolver queries having fewer than ndots dots (default is 1) in them will be attempted using each component of the search path in turn until a match is found.

Practical examples

Suppose our DNS configuration is as follows:

search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:2

When we ping abc.123 (this name has only one dot, fewer than ndots), the DNS server logs the following. Notice that the first attempt in the log is abc.123.kube-system.svc.cluster.local., and our domain name itself is tried last.

[INFO] 10.202.37.232:33386 - 36445 "A IN abc.123.kube-system.svc.cluster.local. udp 55 false 512" NXDOMAIN qr,aa,rd 148 0.001700129s
[INFO] 10.202.37.232:51389 - 58489 "A IN abc.123.svc.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.001117693s
[INFO] 10.202.37.232:32785 - 4976 "A IN abc.123.cluster.local. udp 39 false 512" NXDOMAIN qr,aa,rd 132 0.001047215s
[INFO] 10.202.37.232:2237 "A IN abc.123. udp 25 false 512" NXDOMAIN qr,rd,ra 100 0.001763186s

Then we ping abc.123.def (this name has two dots, equal to ndots), and the DNS server logs the following. Notice that now abc.123.def. is tried first, and the search suffixes only afterwards.

[INFO] 10.202.37.232 "A IN abc.123.def. udp 29 false 512" NXDOMAIN qr,rd,ra 104 0.025049846s
[INFO] 10.202.37.232:51736 - 61456 "A IN abc.123.def.kube-system.svc.cluster.local. udp 59 false 512" NXDOMAIN qr,aa,rd 152 0.001213934s
[INFO] 10.202.37.232:53145 - 26709 "A IN abc.123.def.svc.cluster.local. udp 47 false 512" NXDOMAIN qr,aa,rd 140 0.001418143s
[INFO] 10.202.37.232:54444 - 1145 "A IN abc.123.def.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.001009799s

I would like to use this example to make two points clear:

No matter what ndots is, every suffix in the search parameter will eventually be tried; ndots only decides the order (we tested with a domain name that does not exist, so the resolver tried all the possibilities).

An improper ndots setting may put pressure on the DNS server. If the domain name exists, the first successful query ends the search and no further suffixes are tried, which reduces the load on the server; a poorly ordered search list means more failed queries before that happens.

Optimization discussion

Now suppose ndots is 2 and we want to query baidu.com. Since the name has 1 dot, fewer than the configured 2, the resolver first appends the search suffixes:

[INFO] 10.202.37.232:42911 - 55931 "A IN baidu.com.kube-system.svc.cluster.local. udp 57 false 512" NXDOMAIN qr,aa,rd 150 0.000116042s
[INFO] 10.202.37.232 "A IN baidu.com.svc.cluster.local. udp 45 false 512" NXDOMAIN qr,aa,rd 138 0.000075077s
[INFO] 10.202.37.232:46487 - 50053 "A IN baidu.com.cluster.local. udp 41 false 512" NXDOMAIN qr,aa,rd 134 0.000067313s
[INFO] 10.202.37.232:48360 - 51853 "A IN baidu.com. udp 27 false 512" NOERROR qr,aa,rd,ra 77 0.000127309s

So we produce 3 useless DNS queries: for the DNS server, the traffic for baidu.com alone is quadrupled. If ndots increases further, as with the default of 5 in Kubernetes, we generate even more invalid requests, because not only baidu.com but also map.baidu.com and m.map.baidu.com (all with fewer than 5 dots) have to be tried against every search domain first, which puts great pressure on the DNS server.
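The query orders in the logs above (abc.123 under ndots:2, abc.123.def under ndots:2, baidu.com under ndots:2) and the amplification argument in this section follow from one rule, so here is an added example that simulates the stub resolver's search-list expansion offline. It is not code from the article and not glibc's resolver; it implements the rule quoted from the resolv.conf manual (fewer than ndots dots: search suffixes first, bare name last; otherwise bare name first; a trailing dot means FQDN, no search at all). The set of "existing" names and the sample lookups are constructed for illustration.

```python
"""Added example (not from the original article): simulate how a stub
resolver expands a name using resolv.conf `search` and `options ndots`,
so the query order and the number of wasted queries can be inspected
without a cluster. The `exists` set below is constructed sample data."""

K8S_SEARCH = ["kube-system.svc.cluster.local", "svc.cluster.local", "cluster.local"]


def query_order(name, search, ndots):
    """Return the fully qualified names the resolver will ask for, in order.

    - A name ending in '.' is an FQDN: queried as-is, search list never used.
    - If the name has fewer than ndots dots, every search suffix is tried
      first and the bare name last; otherwise the bare name goes first and
      the suffixes are only tried if it fails.
    """
    if name.endswith("."):
        return [name]
    with_suffix = [f"{name}.{domain}." for domain in search]
    bare = f"{name}."
    if name.count(".") < ndots:
        return with_suffix + [bare]
    return [bare] + with_suffix


def worst_case_queries(name, search, ndots):
    """Queries sent when `name` exists nowhere (every answer is NXDOMAIN)."""
    return len(query_order(name, search, ndots))


def queries_until_hit(name, search, ndots, exists):
    """Queries sent until one lookup succeeds; `exists` is a set of FQDNs
    (each with a trailing dot) that the DNS server would answer NOERROR."""
    for i, candidate in enumerate(query_order(name, search, ndots), start=1):
        if candidate in exists:
            return i
    return worst_case_queries(name, search, ndots)


def wasted_queries(name, search, ndots, exists):
    """NXDOMAIN round trips paid before the answer arrives."""
    return queries_until_hit(name, search, ndots, exists) - 1


if __name__ == "__main__":
    # constructed sample of which names actually resolve
    exists = {
        "baidu.com.", "map.baidu.com.", "m.map.baidu.com.",
        "kube-dns.kube-system.svc.cluster.local.",
    }
    for ndots in (5, 2, 1):
        print(f"\noptions ndots:{ndots}")
        for name in ("kube-dns", "baidu.com", "map.baidu.com", "m.map.baidu.com", "baidu.com."):
            wasted = wasted_queries(name, K8S_SEARCH, ndots, exists)
            print(f"  {name:16} wasted={wasted}  order={query_order(name, K8S_SEARCH, ndots)}")
```

With the Kubernetes default ndots:5, every external name in the sample (baidu.com, map.baidu.com, m.map.baidu.com) pays three NXDOMAIN round trips before the real answer, while the in-cluster short name kube-dns resolves on the first query. With ndots:2, baidu.com still pays three wasted queries (one dot), but map.baidu.com and m.map.baidu.com resolve immediately; with ndots:1, so does baidu.com. The FQDN form baidu.com. is a single query under any setting, which is why writing external names with a trailing dot is the cheapest fix when you cannot change the Pod's resolv.conf.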

My personal advice is:

If requests between internal services are frequent, that is, we need to access names such as xxx.svc.cluster.local often, then we can keep ndots large.

However, when there are few requests between internal services, it is strongly recommended to reduce ndots in order to cut the useless traffic and the pressure on the DNS server. If I use it personally, I can change it to 2.
