[Feature Request] Local DNS proxy for VPC/Underlay networks #4887

Open
zhangzujian opened this issue Dec 30, 2024 · 2 comments
Labels
feature New network feature underlay vpc

Comments

@zhangzujian
Member

Description

Implement a local DNS proxy for VPC/Underlay networks by:

  1. Forward DNS requests from VPC/Underlay LSPs to the local OVS bridge br-int;
  2. Run a DaemonSet that forwards the requests to the kube-dns service (/etc/resolv.conf).

To achieve this goal, we need to:

  1. Add some extra ovn/ovs flows to store the ofport number into the destination mac and output the packet to br-int;
  2. Implement a DNS proxy server that receives raw packets from br-int, forwards the requests to the upstream dns server and writes raw response packets to br-int;
  3. Add some extra ovn/ovs flows to read ofport number from the source mac and output the packet to the request port.

Here is an example:

  1. OVS datapath receives a DNS request from an OVS port with ofport number 1;
  2. OVS datapath stores the ofport number into the packet's destination mac and the new destination mac would be ff:ff:ff:ff:00:01;
  3. OVS datapath forwards the modified packet to the br-int port;
  4. The DNS proxy server receives the raw packet from br-int and forwards the DNS request to the upstream server;
  5. The DNS proxy server constructs a raw response packet where the source mac is ff:ff:ff:ff:00:01;
  6. The DNS proxy server sends the response packet to br-int;
  7. OVS datapath receives the response packet from br-int and reads ofport number from the source mac;
  8. OVS datapath forwards the response packet to OVS port with ofport number 1.

Who will benefit from this feature?

In clusters where the kube-dns service is running in an overlay subnet, underlay subnets MUST turn on u2oInterconnection to access the DNS service.

For VPC networks, we have VPC DNS but it has some limitations:

  1. It requires multus-cni and is kind of complicated to use;
  2. Each VPC requires a CoreDNS deployment.

Anything else?

No response
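As an added example (not kube-ovn's code), here is what steps 4 to 7 of the eight-step example above would look like in the proxy itself: reading the ofport encoded by OVS into the destination mac, and building the raw reply frame whose source mac carries that ofport back to the return flow. The byte layout (plain Ethernet/IPv4/UDP, no IP options, ofport in the low 16 bits of ff:ff:ff:ff:xx:xx) is an assumption taken from the ff:ff:ff:ff:00:01 example; frames without that marker prefix are dropped so the proxy only answers traffic the flows actually steered to it.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// ofportFromMAC reads the ofport OVS stored in the low 16 bits of ff:ff:ff:ff:xx:xx (assumed encoding).
func ofportFromMAC(mac []byte) (uint16, error) {
	if len(mac) != 6 || mac[0]&mac[1]&mac[2]&mac[3] != 0xff {
		return 0, errors.New("mac does not carry an encoded ofport")
	}
	return binary.BigEndian.Uint16(mac[4:]), nil
}

// ipv4Checksum is the RFC 791 one's-complement sum of a 20-byte header whose checksum field is zero.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	sum = sum>>16 + sum&0xffff // two folds suffice for a 20-byte header
	return ^uint16(sum + sum>>16)
}

// buildResponseFrame takes the raw Ethernet/IPv4/UDP request read from br-int (dst MAC already
// rewritten by OVS to the encoded ofport) plus the upstream DNS answer, and builds the reply frame.
func buildResponseFrame(req, answer []byte) ([]byte, error) {
	if len(req) < 42 || binary.BigEndian.Uint16(req[12:]) != 0x0800 || req[14] != 0x45 || req[23] != 17 {
		return nil, errors.New("expected an IPv4/UDP frame with a 20-byte IP header")
	}
	if _, err := ofportFromMAC(req[0:6]); err != nil { // only frames steered by the flows are answered
		return nil, err
	}
	out := make([]byte, 42+len(answer))
	copy(out[0:6], req[6:12])    // eth dst: the requesting port's MAC
	copy(out[6:12], req[0:6])    // eth src: ff:ff:ff:ff:<ofport>, read back by the return flow
	copy(out[12:14], req[12:14]) // ethertype IPv4
	ip := out[14:34]
	ip[0], ip[8], ip[9] = 0x45, 64, 17 // version/IHL, TTL, protocol UDP
	binary.BigEndian.PutUint16(ip[2:], uint16(28+len(answer)))
	copy(ip[12:16], req[30:34]) // src IP: the DNS address the pod queried
	copy(ip[16:20], req[26:30]) // dst IP: the pod
	binary.BigEndian.PutUint16(ip[10:], ipv4Checksum(ip))
	copy(out[34:36], req[36:38]) // UDP src port: 53
	copy(out[36:38], req[34:36]) // UDP dst port: the pod's ephemeral port
	binary.BigEndian.PutUint16(out[38:], uint16(8+len(answer))) // UDP checksum left 0 (optional for IPv4)
	copy(out[42:], answer)
	return out, nil
}
```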

@zhangzujian zhangzujian added the feature New network feature label Dec 30, 2024
@oilbeater
Collaborator

I remember that upcall is a high-overhead operation. In an uncontrolled environment, could a malicious Pod flood DNS requests and crash vswitchd?
