DNS - bobbae/gcp GitHub Wiki

The Domain Name System (DNS) is a system for associating various types of information – such as IP addresses – with easy-to-remember names.

DNS Overview

https://cloud.google.com/dns/docs/dns-overview

DNS is a kind of distributed database

https://blog.the-pans.com/dns/

Google Cloud DNS

Cloud DNS allows you to publish your domain names by using Google's infrastructure for production-quality, high-volume DNS services. Google's global network of Anycast name servers provides reliable, low-latency, authoritative name lookups for your domains from anywhere in the world.

Cloud DNS Routing policies

https://cloud.google.com/blog/products/networking/dns-routing-policies-for-geo-location--weighted-round-robin

Cloud Domains

https://cloud.google.com/blog/products/networking/cloud-domains-is-generally-available

Zone forwarding

https://cloud.google.com/dns/docs/zones/zones-overview#forwarding_zones

DNS Best practices

https://cloud.google.com/dns/docs/best-practices

Kubernetes DNS Server

By default most Kubernetes clusters automatically configure an internal DNS service to provide a lightweight mechanism for service discovery. Built-in service discovery makes it easier for applications to find and communicate with each other on Kubernetes clusters, even when pods and services are being created, deleted, and shifted between nodes.

Kubernetes creates DNS records for services and pods. You can contact services with consistent DNS names instead of IP addresses.

Kubernetes DNS schedules a DNS Pod and Service on the cluster, and configures the kubelets to tell individual containers to use the DNS Service's IP to resolve DNS names.

Every Service defined in the cluster (including the DNS server itself) is assigned a DNS name. By default, a client Pod's DNS search list includes the Pod's own namespace and the cluster's default domain.

Service Discovery and DNS

In Kubernetes, service discovery is implemented with autogenerated DNS names that map to the service's cluster IP address. Service names follow a standard pattern: my-svc.my-namespace.svc.<cluster-domain>, where the cluster domain is cluster.local unless the cluster was configured otherwise. Pods can also resolve external names, like example.com, through the same cluster resolver. See DNS for Services and Pods for more information on the behavior of DNS in Kubernetes.

The kube-dns Pods are in the kube-system namespace. The kube-dns deployment is accessed through a corresponding Service that groups the kube-dns Pods and gives them a single IP address. By default, all Pods in a cluster use this service to resolve DNS queries.

As of Kubernetes v1.12, CoreDNS is the recommended DNS server, replacing kube-dns. Clusters created earlier, and GKE clusters (which still deploy kube-dns by default), may have kube-dns running rather than CoreDNS; check the deployments in the kube-system namespace to see which one you have.

kubelet sets each new pod’s /etc/resolv.conf nameserver option to the cluster IP of the kube-dns service, with appropriate search options to allow for shorter hostnames to be used:

nameserver 10.32.0.10
search namespace.svc.cluster.local svc.cluster.local cluster.local
options ndots:5

Applications running in containers can then resolve short names such as example-service.namespace into the correct cluster IP addresses. Note the cost of ndots:5: any name with fewer than five dots is tried with each search suffix appended before it is tried as written, so a lookup of an external name like example.com first generates three failing queries to the cluster DNS (example.com.namespace.svc.cluster.local, and so on). A trailing dot (example.com.) tells the resolver the name is absolute and skips the search list.

Example Kubernetes DNS records

The full DNS A record of a Kubernetes service will look like the following example:

service.namespace.svc.cluster.local

A pod would have a record in this format, where the pod's IP address has its dots replaced by dashes (10.32.0.125 becomes 10-32-0-125):

10-32-0-125.namespace.pod.cluster.local

Additionally, SRV records are created for a Kubernetes service’s named ports:

_port-name._protocol.service.namespace.svc.cluster.local

The result of all this is a built-in, DNS-based service discovery mechanism, where your application or microservice can target a simple and consistent hostname to access other services or pods on the cluster.

Search Domains and Resolving Shorter Hostnames

Because of the search domain suffixes listed in the resolv.conf file, you often won’t need to use the full hostname to contact another service. If you’re addressing a service in the same namespace, you can use just the service name to contact it:

other-service

If the service is in a different namespace, add it to the query:

other-service.other-namespace

If you’re targeting a pod, you’ll need to use at least the following (again with dashes, not dots, in the IP):

10-32-0-125.other-namespace.pod

As we saw in the default resolv.conf file, the search list only supplies the .svc.cluster.local and .cluster.local suffixes; a pod name is completed by the final cluster.local entry, so everything up to and including .pod must be given explicitly.
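The search-list and ndots rules above are easy to get wrong in practice, so here is an added example (not code from the wiki or from Kubernetes) that simulates a Pod's resolver: it parses a resolv.conf of the kind kubelet writes, produces the ordered list of absolute names the resolver would try (following glibc's rules), and walks that list against a constructed in-memory zone. The resolv.conf text, the namespace "default", the zone contents and the addresses are all constructed for illustration; nothing is sent on the network.

```python
"""Added example: simulate a Pod resolver's search-list and ndots behaviour.

Constructed data only; nothing is sent on the network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ResolvConf:
    nameserver: str
    search: List[str]
    ndots: int = 1


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the nameserver, search and options ndots:N lines kubelet writes."""
    nameserver, search, ndots = "", [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameserver = args[0]
        elif key == "search":
            search = args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return ResolvConf(nameserver, search, ndots)


def candidate_fqdns(name: str, conf: ResolvConf) -> List[str]:
    """Ordered absolute names the resolver tries (glibc rules): a trailing dot
    disables the search list; fewer than ndots dots means the search suffixes
    are tried before the name as typed, otherwise after it."""
    if name.endswith("."):
        return [name]
    literal = name + "."
    expanded = [f"{name}.{suffix}." for suffix in conf.search]
    if name.count(".") >= conf.ndots:
        return [literal] + expanded
    return expanded + [literal]


def pod_dns_name(pod_ip: str, namespace: str, cluster_domain: str = "cluster.local") -> str:
    """A record name for a Pod: dots in the IP become dashes."""
    return f"{pod_ip.replace('.', '-')}.{namespace}.pod.{cluster_domain}"


def service_srv_name(port_name: str, protocol: str, service: str, namespace: str,
                     cluster_domain: str = "cluster.local") -> str:
    """SRV record name for a Service's named port."""
    return f"_{port_name}._{protocol}.{service}.{namespace}.svc.{cluster_domain}"


def resolve(name: str, conf: ResolvConf, zone: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Walk the candidates against an in-memory zone; return (answer, names queried)."""
    queried: List[str] = []
    for fqdn in candidate_fqdns(name, conf):
        queried.append(fqdn)
        if fqdn in zone:
            return zone[fqdn], queried
    return None, queried


# Constructed resolv.conf for a Pod in namespace "default" (values follow the page's example).
RESOLV_CONF_TEXT = """\
nameserver 10.32.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""

# Constructed stand-in for what cluster DNS plus upstream forwarding would answer.
CLUSTER_ZONE: Dict[str, str] = {
    "other-service.default.svc.cluster.local.": "10.32.5.7",
    "other-service.other-namespace.svc.cluster.local.": "10.32.9.2",
    pod_dns_name("10.32.0.125", "other-namespace") + ".": "10.32.0.125",
    "example.com.": "192.0.2.10",   # RFC 5737 documentation address, constructed
}

POD_CONF = parse_resolv_conf(RESOLV_CONF_TEXT)


if __name__ == "__main__":
    for query in ("other-service", "other-service.other-namespace",
                  "10-32-0-125.other-namespace.pod", "example.com", "example.com."):
        answer, tried = resolve(query, POD_CONF, CLUSTER_ZONE)
        print(f"{query:35} -> {answer}  after {len(tried)} lookup(s): {tried}")
```

Running it shows the point of the preceding sections: other-service is answered on the first candidate, the pod name only on the third (the bare cluster.local suffix), and example.com costs four queries, three of which go to cluster DNS for names that do not exist, while example.com. with a trailing dot costs one. Those extra in-cluster queries for external names are also why a rogue responder inside the cluster is dangerous, which is the subject of the DNS spoofing article linked below.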

DNS Spoofing in Kubernetes clusters

https://blog.aquasec.com/dns-spoofing-kubernetes-clusters

External DNS

ExternalDNS watches Kubernetes Services and Ingresses and creates, updates and deletes the corresponding records in an external DNS provider such as Cloud DNS, so publishing a public-facing application no longer requires a manual DNS change.

ExternalDNS makes Kubernetes resources discoverable via public DNS servers. Because it writes to a zone you own, it should be scoped to the domains it is allowed to manage and configured with an ownership registry (TXT records) so that it only modifies records it created.

External DNS with GKE & Cloud DNS

https://joachim8675309.medium.com/externaldns-with-gke-cloud-dns-38a174fdced7

https://joachim8675309.medium.com/externaldns-w-gke-cloud-dns-2-1226a00d01c0

DNS Security

DNS Spoofing

https://en.wikipedia.org/wiki/DNS_spoofing

DNS over TLS

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol; it runs over TCP port 853 and reuses the two-byte length framing of DNS over TCP inside the TLS session. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.

https://developers.google.com/speed/public-dns/docs/dns-over-tls

DNS over HTTPS

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol: the DNS message is carried in an HTTP request and response on port 443, so it is indistinguishable from other HTTPS traffic and harder to block or observe than DoT. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks.

https://wikipedia.org/wiki/DNS_over_HTTPS
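To make the DoT and DoH descriptions above concrete, here is an added example (not code from the wiki, from Google, or from any resolver project) that builds a DNS query in RFC 1035 wire format, frames it the way DoT does (length prefix) and encodes it the way a DoH GET does (base64url dns parameter), then parses a constructed server reply and performs the check a client should do before trusting any reply: that it is a response to exactly the question that was asked. The Google Public DNS endpoint https://dns.google/dns-query is used only as the example URL, and the reply for example.com with address 192.0.2.10 is constructed locally; nothing is sent on the network.

```python
"""Added example: build a DNS query, wrap it for DoT and DoH, and check the reply.

Constructed messages only; nothing is sent on the network.
"""
import base64
import struct
from typing import Dict, List, Tuple

QTYPE_A = 1
QCLASS_IN = 1
DOH_ENDPOINT = "https://dns.google/dns-query"   # example endpoint (RFC 8484 service)


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding: length-prefixed labels, terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """One-question query with RD set. RFC 8484 suggests ID 0 for DoH so that
    identical queries produce identical, HTTP-cacheable messages."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """DoH GET form (RFC 8484): base64url without '=' padding in the dns parameter."""
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"


def doh_decode_param(param: str) -> bytes:
    """Inverse of doh_get_url's encoding; restores the stripped padding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels: List[str] = []
    end, jumped, hops = off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_message(msg: bytes) -> Dict:
    """Parse header, question and answer sections (A rdata rendered as dotted quad)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        shown = ".".join(map(str, rdata)) if rtype == QTYPE_A and rdlen == 4 else rdata
        answers.append((name, rtype, ttl, shown))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed server side: echo the question and add one A record whose owner
    name is a pointer (0xC00C) back to the question name at offset 12."""
    txid, _flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, 1, 0, 0)   # QR, RD, RA, NOERROR
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
    rr += bytes(int(octet) for octet in ip.split("."))
    return header + query[12:] + rr


def reply_matches(query: bytes, response: bytes) -> bool:
    """Client check before trusting a reply: it must be a response, carry the same
    ID, and answer exactly the question asked (with ID 0 the question is the only tie)."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame :", dot_frame(q).hex())
    print("DoH GET   :", doh_get_url(q))
    r = build_response(q, "192.0.2.10")            # constructed reply
    print("answers   :", parse_message(r)["answers"], "matches:", reply_matches(q, r))
```

The transport is the only thing DoT and DoH change: the same 29-byte message is either prefixed with its length and written into a TLS session on port 853, or base64url-encoded into a GET (or sent as the body of a POST with content type application/dns-message) on port 443. Neither transport authenticates the answer itself; that is what DNSSEC, in the next section, adds.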

DNSSEC

The Domain Name System Security Extensions (DNSSEC) are extensions to the Domain Name System (DNS) that let a validating resolver authenticate the origin and integrity of responses using signatures (RRSIG records) chained from the DNS root down to the zone. It does not encrypt lookups or provide privacy protections for them, but it lets resolvers detect forged or poisoned responses instead of accepting them. For a Cloud DNS managed zone, enabling DNSSEC signs the zone; validation by the rest of the Internet only begins once the zone's DS record has been published in the parent zone through the domain registrar.

https://cloud.google.com/dns/docs/dnssec

MagicDNS

https://tailscale.com/blog/2021-09-private-dns-with-magicdns/

Cert Manager, Kubernetes, Let’s Encrypt

https://www.youtube.com/watch?v=LH4nLtUpuBI

IP Addresses, Netmasks

https://www.youtube.com/watch?v=EkNq4TrHP_U

GCP DNS Quickstart

https://cloud.google.com/dns/docs/quickstart