DNS - bobbae/gcp GitHub Wiki
The Domain Name System (DNS) is a system for associating various types of information – such as IP addresses – with easy-to-remember names.
DNS Overview
https://cloud.google.com/dns/docs/dns-overview
DNS is a kind of distributed database
https://blog.the-pans.com/dns/
Google Cloud DNS
Cloud DNS allows you to publish your domain names by using Google's infrastructure for production-quality, high-volume DNS services. Google's global network of Anycast name servers provides reliable, low-latency, authoritative name lookups for your domains from anywhere in the world.
Cloud DNS Routing policies
Cloud Domains
https://cloud.google.com/blog/products/networking/cloud-domains-is-generally-available
Zone forwarding
https://cloud.google.com/dns/docs/zones/zones-overview#forwarding_zones
DNS Best practices
https://cloud.google.com/dns/docs/best-practices
Kubernetes DNS Server
By default most Kubernetes clusters automatically configure an internal DNS service to provide a lightweight mechanism for service discovery. Built-in service discovery makes it easier for applications to find and communicate with each other on Kubernetes clusters, even when pods and services are being created, deleted, and shifted between nodes.
Kubernetes creates DNS records for services and pods. You can contact services with consistent DNS names instead of IP addresses.
Kubernetes DNS schedules a DNS Pod and Service on the cluster, and configures the kubelets to tell individual containers to use the DNS Service's IP to resolve DNS names.
Every Service defined in the cluster (including the DNS server itself) is assigned a DNS name. By default, a client Pod's DNS search list includes the Pod's own namespace and the cluster's default domain.
Service Discovery and DNS
In Kubernetes, service discovery is implemented with autogenerated service names that map to the service's IP address. Service names follow a standard specification: my-svc.my-namespace.svc.my-zone. Pods can also access external services, like example.com, through their names. See DNS for Services and Pods for more information on the behavior of DNS in Kubernetes.
The kube-dns Pods are in the kube-system namespace. The kube-dns deployment is accessed through a corresponding Service that groups the kube-dns Pods and gives them a single IP address. By default, all Pods in a cluster use this service to resolve DNS queries.
As of Kubernetes v1.12, CoreDNS is the recommended DNS Server, replacing kube-dns. If your cluster originally used kube-dns, you may still have kube-dns deployed rather than CoreDNS.
kubelet sets each new pod's /etc/resolv.conf nameserver option to the cluster IP of the kube-dns service, with appropriate search options to allow for shorter hostnames to be used:
nameserver 10.32.0.10
search namespace.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
Applications running in containers can then resolve hostnames such as example-service.namespace into the correct cluster IP addresses.
Example Kubernetes DNS records
The full DNS A record of a Kubernetes service will look like the following example:
service.namespace.svc.cluster.local
A pod would have a record in this format, reflecting the actual IP address of the pod:
10.32.0.125.namespace.pod.cluster.local
Additionally, SRV records are created for a Kubernetes service’s named ports:
_port-name._protocol.service.namespace.svc.cluster.local
The result of all this is a built-in, DNS-based service discovery mechanism, where your application or microservice can target a simple and consistent hostname to access other services or pods on the cluster.
Search Domains and Resolving Shorter Hostnames
Because of the search domain suffixes listed in the resolv.conf file, you often won't need to use the full hostname to contact another service. If you're addressing a service in the same namespace, you can use just the service name to contact it:
other-service
If the service is in a different namespace, add it to the query:
other-service.other-namespace
If you’re targeting a pod, you’ll need to use at least the following:
pod-ip.other-namespace.pod
As the default resolv.conf file shows, the search list only fills in the svc and cluster.local suffixes automatically, so for a pod make sure you specify everything up to and including .pod.
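The search-list and ndots behaviour described above determines how many queries a pod actually sends to the cluster DNS service for a given name. The following is an added example (not code from this wiki, Kubernetes or kube-dns) that parses the resolv.conf shown above and walks the candidate names the way a glibc-style stub resolver does, against a constructed table of cluster records. It assumes the page's namespace and addresses; the pod record uses the dashed IP form (10-32-0-125) that Kubernetes writes into pod A records, and the example.com address 203.0.113.10 is a constructed TEST-NET value. It also shows the practical cost of ndots:5: a short external name such as example.com is tried against every cluster suffix before it is sent out as-is.

```python
"""Search-list expansion for a Kubernetes pod's resolv.conf (added example)."""
from __future__ import annotations

# Constructed sample: the resolv.conf kubelet writes into a pod in namespace "namespace".
RESOLV_CONF = """\
nameserver 10.32.0.10
search namespace.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""

# Constructed cluster zone: what the cluster DNS service would answer (not real data).
CLUSTER_RECORDS = {
    "other-service.namespace.svc.cluster.local.": "10.32.0.45",
    "other-service.other-namespace.svc.cluster.local.": "10.32.0.46",
    "10-32-0-125.other-namespace.pod.cluster.local.": "10.32.0.125",  # pod A record, dashed IP
    "example.com.": "203.0.113.10",  # constructed TEST-NET-3 address for an external name
}


def parse_resolv_conf(text: str) -> dict:
    """Return nameservers, search list and ndots from resolv.conf text."""
    cfg = {"nameserver": [], "search": [], "ndots": 1}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver":
            cfg["nameserver"].extend(args)
        elif key == "search":
            cfg["search"] = args  # the last search line wins
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    cfg["ndots"] = int(opt.split(":", 1)[1])
    return cfg


def candidate_names(name: str, search: list[str], ndots: int) -> list[str]:
    """Order in which a glibc-style resolver tries a name.

    A trailing dot makes the name absolute. Otherwise a name with at least
    `ndots` dots is tried as-is first and then with each search suffix; a name
    with fewer dots is tried with each search suffix first and as-is last.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix}." for suffix in search]
    absolute = f"{name}."
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def resolve(name: str, cfg: dict, records: dict) -> tuple[str | None, list[str]]:
    """Walk the candidates like a stub resolver; return (answer, names queried)."""
    tried = []
    for fqdn in candidate_names(name, cfg["search"], cfg["ndots"]):
        tried.append(fqdn)
        if fqdn in records:
            return records[fqdn], tried
    return None, tried


def service_fqdn(service: str, namespace: str, zone: str = "cluster.local") -> str:
    """Full A record name of a service, as on this page."""
    return f"{service}.{namespace}.svc.{zone}"


def srv_fqdn(port_name: str, protocol: str, service: str, namespace: str,
             zone: str = "cluster.local") -> str:
    """SRV record name for a service's named port, as on this page."""
    return f"_{port_name}._{protocol}.{service}.{namespace}.svc.{zone}"


if __name__ == "__main__":
    cfg = parse_resolv_conf(RESOLV_CONF)
    for short in ("other-service", "other-service.other-namespace",
                  "10-32-0-125.other-namespace.pod", "example.com", "example.com."):
        answer, tried = resolve(short, cfg, CLUSTER_RECORDS)
        print(f"{short:35} -> {answer} after {len(tried)} query(ies): {tried}")
```

Running it prints that other-service needs one query, a service in another namespace two, the pod name three, and example.com four; adding a trailing dot (example.com.) skips the search list entirely, which is why tools that know a name is external often write it that way.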
DNS Spoofing in Kubernetes clusters
https://blog.aquasec.com/dns-spoofing-kubernetes-clusters
External DNS
ExternalDNS automates updating DNS records as part of the deployment of a public facing web application.
ExternalDNS makes Kubernetes resources discoverable via public DNS servers.
External DNS with GKE & Cloud DNS
https://joachim8675309.medium.com/externaldns-with-gke-cloud-dns-38a174fdced7
https://joachim8675309.medium.com/externaldns-w-gke-cloud-dns-2-1226a00d01c0
DNS Security
DNS Spoofing
https://en.wikipedia.org/wiki/DNS_spoofing
DNS over TLS
DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.
https://developers.google.com/speed/public-dns/docs/dns-over-tls
DNS over HTTPS
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks.
https://wikipedia.org/wiki/DNS_over_HTTPS
DNSSEC
The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.
https://cloud.google.com/dns/docs/dnssec
MagicDNS
https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
Cert Manager, Kubernetes, Let’s Encrypt
https://www.youtube.com/watch?v=LH4nLtUpuBI
IP Addresses, Netmasks
https://www.youtube.com/watch?v=EkNq4TrHP_U