• Improve this Doc

    Show / Hide Table of Contents

    DNS zone forwarding in OpenShift clusters

    Overview

    This article documents the ability to forward DNS zones within OpenShift deployments. Forwarding zones can assist in resolving services on private networks if you have existing private DNS resolvers configured within your wider UKCloud environment.

    Intended audience

    This article is best aimed at those with OpenShift deployments with connectivity to a private network as other networks commonly have open resolvers available.

    OpenShift cluster DNS architecture

    The DNS operator inside OpenShift runs a CoreDNS daemonset and creates a service for the daemonset. Pods are instructed to use the CoreDNS service IP for name resolution.

    If there is a server block configured for the zone being resolved, requests will be forwarded on to those resolvers. If there are no matching server blocks, the request will fall back to the servers specified in /etc/resolv.conf. The nodes will always be configured to have name servers able to resolve names on the external network your cluster is deployed to (for example, internet or community networks).

    Identifying forward zones

    A zone is a domain (for example, domain.com) and configuring a forward zone will forward any DNS queries received for that domain, and all sub-domains, to the configured IP address. This allows different domains to be resolved by separate DNS servers at a granular level if required.

    In OpenShift deployments with connectivity to a private network, you may want to resolve a pre-existing internal zone using a private resolver, instead of forwarding these requests to an external service (and therefore routing traffic over an external network). This gives you the benefit of being able to locate private services that may otherwise be restricted or inaccessible from these networks. Examples of services that could be consumed from OpenShift include: container image registry, binary repository or version control system.

    Requesting DNS zone forwarding

    You can provide any zones that you want to forward DNS requests for (including the IPs of the corresponding DNS resolvers) as part of a deployment request provided your environment has connectivity to a private network.

    We'll test that queries are being replied to as expected and assist you in diagnosing issues. You may need to make firewall changes to permit your OpenShift cluster to both send DNS queries and to access the desired services.

    Implementing DNS zone forwarding

    You can implement your own zone forwarding by editing DNS operator config. The steps to add upstream servers of 10.0.0.1 and 10.0.0.2 on port 5353 for the zone example.com are as follows:

    1. Edit the DNS operator config:

      oc edit dns.operator/default

    2. At the spec.servers level add the following yaml block:

    - name: example-dns
      zones: 
        - example.com
      forwardPlugin:
        upstreams: 
          - 10.0.0.1
          - 10.0.0.2:5353
    
    1. To verify the changes are successful you can view the dns-default configmap to ensure the forward zones are present as configured:

      oc get configmap/dns-default -n openshift-dns -o yaml

    Further information

    https://docs.openshift.com/container-platform/4.9/networking/dns-operator.html#nw-dns-forward_dns-operator

    Feedback

    If you find an issue with this article, click Improve this Doc to suggest a change. If you have an idea for how we could improve any of our services, visit UKCloud Ideas. Alternatively, you can contact us at products@ukcloud.com.

    ☀
    ☾
    Generated by DocFX
    Back to top
    © UKCloud Ltd, 2022. All Rights Reserved.
    Privacy Policy. Terms of Use. Contribute.

    The UKCloud Knowledge Centre uses cookies to ensure that we give you the best experience on our website. If you continue we assume that you consent to receive all cookies on this website.