UDP connection tracking (slide 9)
• Conntrack keeps a table of src + dest IP, src + dest port and connection state
• Can be controlled via iptables rules
• If an entry never gets registered, the reply cannot be matched back to the query and goes missing
https://twitter.com/b0rk/status/1059109780059504641
Conntrack bug: race condition (slide 10)
• … the same socket at the same time
• Packets dropped
• The lookup hangs, waiting for a reply that never comes, until the resolver times out (5 s by default in glibc)
• Only for UDP
https://www.weave.works/blog/racy-conntrack-and-dns-lookup-timeouts
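A check a practitioner would want at this point: whether the race is actually happening on a node. The kernel bumps the per-CPU `insert_failed` counter shown by `conntrack -S` when two packets race to create the same conntrack entry and the loser is dropped. The script below is an added example, not part of the slides or of any project they describe; the `conntrack -S` text it parses is a constructed sample, and the live usage in the comments assumes root and conntrack-tools on the node.

```shell
#!/bin/sh
# Added example (not from the slides): spot conntrack insert races from `conntrack -S`.
# insert_failed is incremented when an entry could not be inserted because another
# packet won the race for the same tuple (assumed here to be the UDP DNS race above).
# Counters are per CPU and cumulative since boot, so compare two captures over time.

# Constructed sample of `conntrack -S` output for a two-CPU node.
SAMPLE='cpu=0   found=1127 invalid=1 ignore=34 insert=0 insert_failed=2 drop=2 early_drop=0 error=0 search_restart=19
cpu=1   found=983 invalid=0 ignore=21 insert=0 insert_failed=1 drop=1 early_drop=0 error=0 search_restart=11'

# Sum insert_failed over all CPUs; `conntrack -S` text on stdin.
insert_failed_total() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^insert_failed=/) { split($i, kv, "="); total += kv[2] } }
         END { print total + 0 }'
}

# Difference between two captures (files as args) taken a few seconds apart;
# a counter that keeps growing while lookups stall is the signature of the race.
insert_failed_delta() {
    echo $(( $(insert_failed_total < "$2") - $(insert_failed_total < "$1") ))
}

# Live usage (needs root and conntrack-tools):
#   conntrack -S > /tmp/ct1; sleep 10; conntrack -S > /tmp/ct2
#   insert_failed_delta /tmp/ct1 /tmp/ct2
sample_total() {
    printf '%s\n' "$SAMPLE" | insert_failed_total
}
```

On a node that only shows the symptom intermittently, run the delta in a loop alongside a client that logs slow lookups; the two should line up in time.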
Workaround #2: TCP, AAAA and musl (slide 14)
• … TCP as well
• Unless you use IPv6, AAAA lookups aren't really useful
Downsides
• Most containers are Alpine-based, and Alpine uses musl instead of glibc; musl's resolver ignores the glibc-only resolv.conf options this workaround relies on (single-request-reopen, use-vc)
• Doesn't solve VPC DNS limits
https://wiki.musl-libc.org/functional-differences-from-glibc.html#Name-Resolver/DNS
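Because the resolv.conf options behind this workaround are glibc-only, the practical question is which images in a cluster will actually honour them. The script below is an added example, not the slides' or any project's code: it classifies a container root filesystem as musl or glibc by the dynamic loader it ships, and lists the options in a resolv.conf that musl would ignore. The resolv.conf is a constructed sample of what Kubernetes writes when a pod's `dnsConfig` adds `single-request-reopen` and `use-vc`; the rootfs paths are assumed to come from an exported image (e.g. `docker export`).

```shell
#!/bin/sh
# Added example (not from the slides): will workaround #2 work for this image?
# Constructed resolv.conf, as written into a pod whose spec contains
#   dnsConfig:
#     options:
#       - name: single-request-reopen
#       - name: use-vc
RESOLV_CONF='nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5 single-request-reopen use-vc'

# resolv.conf options only glibc implements; musl ignores them and keeps sending
# A and AAAA in parallel over UDP, so the race is still possible.
GLIBC_ONLY_OPTS='single-request single-request-reopen use-vc'

# Print the options (resolv.conf on stdin) that musl's resolver would ignore, one per line.
ignored_by_musl() {
    awk -v glibc_only="$GLIBC_ONLY_OPTS" '
        BEGIN { n = split(glibc_only, g, " "); for (i = 1; i <= n; i++) only[g[i]] = 1 }
        $1 == "options" { for (i = 2; i <= NF; i++) { split($i, kv, ":"); if (kv[1] in only) print kv[1] } }'
}

# Decide which libc a container rootfs uses from the dynamic loader it ships.
# arg: path to an exported image root (assumed layout: Alpine /lib/ld-musl-*.so.1,
# glibc /lib64/ld-linux*.so.* or /lib/<triplet>/ld-linux*.so.*)
libc_flavor() {
    if ls "$1"/lib/ld-musl-*.so.1 >/dev/null 2>&1; then
        echo musl
    elif ls "$1"/lib*/ld-linux*.so.* >/dev/null 2>&1 || ls "$1"/lib*/*/ld-linux*.so.* >/dev/null 2>&1; then
        echo glibc
    else
        echo unknown
    fi
}

# Returns 0 when every option in the resolv.conf (stdin) is honoured by the image's libc.
# arg: rootfs path
resolver_options_honoured() {
    case "$(libc_flavor "$1")" in
        glibc) return 0 ;;
        *)     [ -z "$(ignored_by_musl)" ] ;;
    esac
}

# Usage against an exported image:
#   mkdir rootfs && docker export "$(docker create alpine:3)" | tar -C rootfs -xf -
#   printf '%s\n' "$RESOLV_CONF" | resolver_options_honoured rootfs && echo ok || echo 'musl: options ignored'
```

An image classified as `unknown` (static binaries, distroless without a loader) needs a manual look; a static Go binary, for instance, uses its own resolver unless built with cgo and also ignores these options.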
Workaround #3: dnsmasq sidecar (slide 15)
• … resolver to the cluster DNS
• Pod queries are cached by dnsmasq
Downsides
• Need to change the local resolver per pod (through the pod's dnsConfig)
• Each sidecar takes its own set of resources and memory
https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-config
Workaround #4: adding a random delay (slide 16)
• … to simulate packet loss or delays
• Useful here to introduce a small delay so the two packets no longer race each other
Downsides
• Introduces that delay on every lookup
https://blog.quentin-machu.fr/2018/06/24/5-15s-dns-lookups-on-kubernetes/
Advantages of coredns-nodecache (slide 26)
• … for all logic
• Configuration is done in the Corefile: just add "nodecache" to your config block
• Easy upgrades of CoreDNS
• Highly-available setup possible
A highly-available node-local DNS cache (slide 27)
• … to an interface
• This allows multiple instances of CoreDNS to bind to the same interface
So:
• Run two DaemonSets
• Do not tear down the interface when shutting down
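The two slides above say that the cache is configured purely in the Corefile (add `nodecache` to the server block) and that two DaemonSets binding the same link-local interface give high availability. As an added example, not the slides' or the plugin's own code, the script below renders such a Corefile and runs a small lint over it: every server block must carry `nodecache`, and the forward to the cluster DNS service must use `force_tcp`, because that hop leaves the node through a NATed service IP and over UDP would be exposed to the conntrack race. The bind address 169.254.20.10 and cluster DNS IP 10.96.0.10 are example values; the bare `nodecache` directive is taken from slide 26, and any further options the plugin may accept are not covered here. The same rendered file is what both DaemonSets would mount.

```shell
#!/bin/sh
# Added example (not from the slides): render and lint a node-local-cache Corefile.
# Args: link-local address to bind on the node, cluster DNS service IP (example values).
render_corefile() {
    bind_ip=$1; cluster_dns=$2
    cat <<EOF
cluster.local:53 {
    errors
    nodecache
    cache 30
    reload
    loop
    bind $bind_ip
    forward . $cluster_dns {
        force_tcp
    }
    prometheus :9253
    health $bind_ip:8080
}
.:53 {
    errors
    nodecache
    cache 30
    reload
    loop
    bind $bind_ip
    forward . /etc/resolv.conf
    prometheus :9253
}
EOF
}

# Print the name of every server block that does not contain the given plugin
# (or nested directive) anywhere inside it; Corefile on stdin. Nested braces
# (forward { ... }) are tracked so they do not end the server block early.
blocks_missing_plugin() {
    awk -v want="$1" '
        /[{][[:space:]]*$/      { if (depth == 0) { name = $1; seen = 0 } depth++ }
        depth > 0 && $1 == want { seen = 1 }
        /^[[:space:]]*[}]/      { depth--; if (depth == 0 && !seen) print name }'
}

# Lint: fail if a block lacks nodecache, or the cluster.local forward is not TCP.
lint_corefile() {   # Corefile on stdin
    cf=$(cat)
    [ -z "$(printf '%s\n' "$cf" | blocks_missing_plugin nodecache)" ] || return 1
    printf '%s\n' "$cf" | blocks_missing_plugin force_tcp | grep -qx 'cluster.local:53' && return 1
    return 0
}

# Usage: render_corefile 169.254.20.10 10.96.0.10 > Corefile && lint_corefile < Corefile
```

The `.:53` block deliberately forwards over plain UDP: from a hostNetwork pod the upstream resolver is reached directly, not through a service IP, so only the cluster-internal forward needs `force_tcp`. Keep the two DaemonSets on the same rendered ConfigMap so that a rolling upgrade of one never leaves the node without a listener on the bound address.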