mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
105 lines
4.9 KiB
Plaintext
105 lines
4.9 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/dns-operator.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="nw-dns-forward_{context}"]
|
|
= Using DNS forwarding
|
|
|
|
You can use DNS forwarding to override the default forwarding configuration in the `/etc/resolv.conf` file in the following ways:
|
|
|
|
* Specify name servers (`spec.servers`) for every zone. If the forwarded zone is the ingress domain managed by {product-title}, then the upstream name server must be authorized for the domain.
|
|
+
|
|
ifdef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
|
|
[IMPORTANT]
|
|
====
|
|
You must specify at least one zone. Otherwise, your cluster can lose functionality.
|
|
====
|
|
endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
|
|
+
|
|
* Provide a list of upstream DNS servers (`spec.upstreamResolvers`).
|
|
* Change the default forwarding policy.
|
|
|
|
A DNS forwarding configuration for the default domain can have both the default servers specified in the `/etc/resolv.conf` file and the upstream DNS servers.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
During pod creation, Kubernetes uses the `/etc/resolv.conf` file that exists on a node. If you modify the `/etc/resolv.conf` file on a host node, the changes do not propagate to the `/etc/resolv.conf` file that exists in a container. You must re-create the container for changes to take effect.
|
|
====
|
|
|
|
.Procedure
|
|
|
|
* Modify the DNS Operator object named `default`:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc edit dns.operator/default
|
|
----
|
|
+
|
|
After you issue the previous command, the Operator creates and updates the config map named `dns-default` with additional server configuration blocks based on `spec.servers`.
|
|
ifdef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
When specifying values for the `zones` parameter, ensure that you only forward to specific zones, such as your intranet. You must specify at least one zone. Otherwise, your cluster can lose functionality.
|
|
====
|
|
+
|
|
endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
|
|
If none of the servers have a zone that matches the query, then name resolution falls back to the upstream DNS servers.
|
|
+
|
|
.Configuring DNS forwarding
|
|
[source,yaml]
|
|
----
|
|
apiVersion: operator.openshift.io/v1
|
|
kind: DNS
|
|
metadata:
|
|
name: default
|
|
spec:
|
|
cache:
|
|
negativeTTL: 0s
|
|
positiveTTL: 0s
|
|
logLevel: Normal
|
|
nodePlacement: {}
|
|
operatorLogLevel: Normal
|
|
servers:
|
|
- name: example-server <1>
|
|
zones:
|
|
- example.com <2>
|
|
forwardPlugin:
|
|
policy: Random <3>
|
|
upstreams: <4>
|
|
- 1.1.1.1
|
|
- 2.2.2.2:5353
|
|
upstreamResolvers: <5>
|
|
policy: Random <6>
|
|
protocolStrategy: "" <7>
|
|
transportConfig: {} <8>
|
|
upstreams:
|
|
- type: SystemResolvConf <9>
|
|
- type: Network
|
|
address: 1.2.3.4 <10>
|
|
port: 53 <11>
|
|
status:
|
|
clusterDomain: cluster.local
|
|
clusterIP: x.y.z.10
|
|
conditions:
|
|
...
|
|
----
|
|
<1> Must comply with the `rfc6335` service name syntax.
|
|
<2> Must conform to the definition of a subdomain in the `rfc1123` service name syntax. The cluster domain, `cluster.local`, is an invalid subdomain for the `zones` field.
|
|
<3> Defines the policy to select upstream resolvers listed in the `forwardPlugin`. Default value is `Random`. You can also use the values `RoundRobin`, and `Sequential`.
|
|
<4> A maximum of 15 `upstreams` is allowed per `forwardPlugin`.
|
|
<5> You can use `upstreamResolvers` to override the default forwarding policy and forward DNS resolution to the specified DNS resolvers (upstream resolvers) for the default domain. If you do not provide any upstream resolvers, the DNS name queries go to the servers declared in `/etc/resolv.conf`.
|
|
<6> Determines the order in which upstream servers listed in `upstreams` are selected for querying. You can specify one of these values: `Random`, `RoundRobin`, or `Sequential`. The default value is `Sequential`.
|
|
<7> When omitted, the platform chooses a default, normally the protocol of the original client request. Set to `TCP` to specify that the platform should use TCP for all upstream DNS requests, even if the client request uses UDP.
|
|
<8> Used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.
|
|
<9> You can specify two types of `upstreams`: `SystemResolvConf` or `Network`. `SystemResolvConf` configures the upstream to use `/etc/resolv.conf` and `Network` defines a `Networkresolver`. You can specify one or both.
|
|
<10> If the specified type is `Network`, you must provide an IP address. The `address` field must be a valid IPv4 or IPv6 address.
|
|
<11> If the specified type is `Network`, you can optionally provide a port. The `port` field must have a value between `1` and `65535`. If you do not specify a port for the upstream, the default port is 853.
|
|
//TODO OSDOCS-11830 This YAML looks like it has a syntax problem after upstreamResolvers
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
|
|
* For more information on DNS forwarding, see the link:https://coredns.io/plugins/forward/[CoreDNS forward documentation].
|