WeChat official account: Operation and maintenance development story, author: Jiang Zong

DNS is actually a distributed tree naming system, which is like a decentralized distributed database, storing the mapping from domain names to IP addresses. K8s uses CoreDNS for domain name resolution.

Before doing CoreDNS packet capture, let’s understand a few concepts

Fully qualified name

A fully qualified domain name (FQDN) is the complete domain name of a computer or host on the Internet. It consists of a host name, domain name, and top-level domain. FQDN = HostName + DomainName

For example, the domain name www.ayunw.cn is, strictly speaking, www.ayunw.cn. (with a trailing dot), and the trailing dot is usually omitted. The trailing dot is called the root domain, www is the host name, ayunw.cn is the domain name, .cn is the top-level domain, and ayunw is the second-level domain.

For example: in www.allen.ayunw.cn., the trailing dot is called the root domain, cn is called the top-level domain (level 1 domain), ayunw is called the level 2 domain, allen is called the level 3 domain, and www is called the host name.

In K8s, a fully qualified name looks like: demo-hello.paas.svc.cluster.local

Classless Inter-Domain Routing (CIDR)

For example: 192.168.1.0/24. Those who want a better understanding of CIDR can Google the details, which are not explained here.

I have a domain name, www.ayunw.cn. Here I resolve www.ayunw.cn with nslookup from a pod in the paas namespace and capture packets on a CoreDNS pod for analysis.

For testing, I use a test container that has already been deployed. Enter the container and check the contents of the /etc/resolv.conf file

root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# cat /etc/resolv.conf
nameserver 10.10.0.2
search paas.svc.cluster.local svc.cluster.local cluster.local
options ndots:5

Install nslookup in the container and resolve the www.ayunw.cn domain name

[root@kube-master-srv1 ~]# kubectl get po -n paas
NAME                                                     READY   STATUS    RESTARTS   AGE
demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw               1/1     Running   0          11d

[root@kube-master-srv1 ~]# kubectl exec -it demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw -n paas -- bash
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# cat /etc/issue
Debian GNU/Linux 10 \n \l
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# apt -y install dnsutils

Then pick one CoreDNS pod, go to the node it is scheduled on, and enter the pod's network namespace with nsenter to capture packets for analysis

# On the k8s master, check which nodes the coredns pods are scheduled on
# I chose the first coredns pod
[root@kube-master-srv1 ~]# kubectl get po -n kube-system -o wide | grep coredns
coredns-69d9b6c494-4nrxt   1/1   Running   0   96d   10.20.246.18    node2.core   <none>   <none>
coredns-69d9b6c494-6vjw4   1/1   Running   0   96d   10.20.240.239   node3.core   <none>   <none>
coredns-69d9b6c494-pw5gx   1/1   Running   0   96d   10.20.240.232   node3.core   <none>   <none>

# Find the coredns PID, then use it to enter the container's network namespace and capture and filter packets
[root@kube-node-srv2 ~]# docker ps -a | grep coredns
4d38fd311a78   bfe3a36ebd25   "/coredns -conf /etc..."   3 months ago   Up 3 months   k8s_coredns_coredns-69d9b6c494-4nrxt_kube-system_803290a5-b4bd-4f2e-81b3-5ce82c9aa57c_0
00722e50786b   registry.xx.xx/library/k8s.gcr.io/pause:3.2   "/pause"   3 months ago   Up 3 months   k8s_POD_coredns-69d9b6c494-4nrxt_kube-system_803290a5-b4bd-4f2e-81b3-5ce82c9aa57c_0

[root@kube-node-srv2 ~]# docker inspect -f {{.State.Pid}} 4d38fd311a78
896949

[root@kube-node-srv2 ~]# nsenter -n -t 896949
[root@kube-node-srv2 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1380
        inet 10.20.246.18  netmask 255.255.255.255  broadcast 10.20.246.18
        ether 46:c1:e0:30:b4:9d  txqueuelen 0  (Ethernet)
        RX packets 1489941923  bytes 162419228606 (151.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1488233127  bytes 297011464372 (276.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 83731165  bytes 6681735331 (6.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 83731165  bytes 6681735331 (6.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Resolve the internal domain name of the K8S cluster

The cluster-internal domain name is the name of the service. I use the kubernetes service and resolve it 6 times in a row. For convenience, each time I run a resolution I press Enter once in the capture terminal below.

[root@kube-master-srv1 ~]# kubectl get svc kubernetes
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.10.0.1    <none>        443/TCP   57d

root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# nslookup kubernetes.default
Server:    10.10.0.2
Address:   10.10.0.2#53
Name:      kubernetes.default.svc.cluster.local
Address:   10.10.0.1

Packet capture analysis

The following is the DNS packet capture for kubernetes:

[root@kube-node-srv2 ~]# tcpdump -i eth0 port 53 | grep "kubernetes"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:44:42.712421 IP 10.20.105.252.60020 > qing-core-kube-node-srv2.domain: 7282+ A? kubernetes.default.svc.cluster.local. (54)
16:44:48.883881 IP 10.20.105.252.ndm-agent-port > qing-core-kube-node-srv2.domain: 25500+ AAAA? kubernetes.default.svc.cluster.local. (54)
16:50:15.361021 IP 10.20.105.252.57205 > qing-core-kube-node-srv2.domain: 24061+ A? kubernetes.default.paas.svc.cluster.local. (59)
16:50:22.186723 IP 10.20.105.252.60715 > qing-core-kube-node-srv2.domain: 55799+ AAAA? kubernetes.default.svc.cluster.local. (54)
16:50:27.813477 IP qing-core-kube-node-srv2.domain > 10.20.176.128.8181: 21787*- 1/0/0 PTR kubernetes.default.svc.cluster.local. (112)
16:46:04.429250 IP 10.20.105.252.33895 > qing-core-kube-node-srv2.domain: 37943+ A? kubernetes.default.svc.cluster.local.svc.cluster.local. (72)
16:46:04.441717 IP 10.20.105.252.54502 > qing-core-kube-node-srv2.domain: 45454+ AAAA? kubernetes.default.svc.cluster.local. (54)
16:46:10.771445 IP 10.20.105.252.54594 > qing-core-kube-node-srv2.domain: 16257+ A? kubernetes.default.svc.cluster.local.svc.cluster.local. (72)
16:46:10.783322 IP 10.20.105.252.59768 > qing-core-kube-node-srv2.domain: 60408+ AAAA? kubernetes.default.svc.cluster.local. (54)

The packet capture above leads to this conclusion: when the kubernetes domain name is resolved and its number of dots is smaller than the value of ndots, the resolver appends the domain suffixes listed in the search directive. The suffixes are tried in order, starting with paas.svc.cluster.local; once an A record is resolved, the DNS query terminates and the A record is returned.

Run the host command to resolve the cluster internal domain name of service kubernetes

root@demo-hello-pro-master-5474b97bdf-fvbm5:/# host -v kubernetes.default
Trying "kubernetes.default.paas.svc.cluster.local"
Trying "kubernetes.default.svc.cluster.local"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18054
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN A
;; ANSWER SECTION:
kubernetes.default.svc.cluster.local. 5 IN A 10.10.0.1
Received 106 bytes from 10.10.0.2#53 in 3 ms
Trying "kubernetes.default.svc.cluster.local"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58952
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN AAAA
;; AUTHORITY SECTION:
cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1622445553 7200 1800 86400 5
Received 147 bytes from 10.10.0.2#53 in 2 ms
Trying "kubernetes.default.svc.cluster.local"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37783
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN MX
;; AUTHORITY SECTION:
cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1622445553 7200 1800 86400 5
Received 147 bytes from 10.10.0.2#53 in 2 ms

Resolve the external domain name of the K8S cluster

Next, I resolve my domain name www.ayunw.cn several times. Here I ran six resolutions for testing purposes. Each time I run a resolution, I press Enter in the capture terminal below. At the same time, packets are captured for analysis on the node where the CoreDNS container runs.

root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# nslookup www.ayunw.cn
Server:    10.10.0.2
Address:   10.10.0.2#53
Non-authoritative answer:
Name:      www.ayunw.cn
Address:   134.175.123.64

Packet capture analysis

When I started capturing, there were many DNS resolution requests for internal services every second, because my cluster has a large number of services. So here I filter on the keyword ayunw. Each time I run the DNS resolution above, I press Enter in the packet capture window, so that the result of each run is easy to tell apart.

The following is the DNS packet capture for the domain name www.ayunw.cn:

[root@kube-node-srv2 ~]# tcpdump -i eth0 port 53 | grep "ayunw"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:38:07.350640 IP 10.20.105.252.47767 > qing-core-kube-node-srv2.domain: 13102+ A? www.ayunw.cn.cluster.local. (44)
14:38:19.098753 IP 10.20.105.252.47071 > qing-core-kube-node-srv2.domain: 15535+ A? www.ayunw.cn.paas.svc.cluster.local. (53)
14:38:19.111441 IP 10.20.105.252.56968 > qing-core-kube-node-srv2.domain: 62838+ A? www.ayunw.cn. (30)
14:38:19.111720 IP qing-core-kube-node-srv2.35187 > 172.16.0.11.domain: 62838+ A? www.ayunw.cn. (30)
14:38:31.200982 IP 10.20.105.252.50777 > qing-core-kube-node-srv2.domain: 10715+ A? www.ayunw.cn.svc.cluster.local. (48)
14:38:31.214096 IP 10.20.105.252.51233 > qing-core-kube-node-srv2.domain: 37585+ AAAA? www.ayunw.cn. (30)
14:38:31.214299 IP qing-core-kube-node-srv2.35187 > 172.16.0.11.domain: 37585+ AAAA? www.ayunw.cn. (30)
14:39:04.691754 IP 10.20.105.252.34080 > qing-core-kube-node-srv2.domain: 34206+ A? www.ayunw.cn.paas.svc.cluster.local. (53)
14:39:04.704758 IP 10.20.105.252.36478 > qing-core-kube-node-srv2.domain: 64751+ A? www.ayunw.cn. (30)
14:39:04.705068 IP qing-core-kube-node-srv2.48926 > 172.16.0.11.domain: 64751+ A? www.ayunw.cn. (30)
14:39:13.925872 IP 10.20.105.252.59868 > qing-core-kube-node-srv2.domain: 45121+ A? www.ayunw.cn.paas.svc.cluster.local. (53)
14:39:13.937328 IP 10.20.105.252.45290 > qing-core-kube-node-srv2.domain: 27511+ A? www.ayunw.cn. (30)
14:39:13.937576 IP qing-core-kube-node-srv2.48926 > 172.16.0.11.domain: 27511+ A? www.ayunw.cn. (30)
14:39:24.838444 IP 10.20.105.252.37510 > qing-core-kube-node-srv2.domain: 45926+ A? www.ayunw.cn.cluster.local. (44)
14:45:13.438961 IP 10.20.105.252.55462 > qing-core-kube-node-srv2.domain: 60170+ A? www.ayunw.cn.paas.svc.cluster.local. (53)
14:45:13.450865 IP 10.20.105.252.42674 > qing-core-kube-node-srv2.domain: 25680+ A? www.ayunw.cn. (30)
14:45:13.451110 IP qing-core-kube-node-srv2.56396 > 172.16.0.11.domain: 25680+ A? www.ayunw.cn. (30)
^C35952 packets captured
35956 packets received by filter
0 packets dropped by kernel

From the capture above: the domain name www.ayunw.cn has only two dots, which is fewer than the ndots value configured in the pod's /etc/resolv.conf file (ndots is 5 and the domain name has 2 dots). The search directive lists paas.svc.cluster.local, svc.cluster.local, and cluster.local. Because appending the search domains yields no resolution result, the resolver then resolves www.ayunw.cn directly, queries the A record of the domain name, and returns the result.

Resolve using the host command

root@demo-hello-pro-master-5474b97bdf-fvbm5:/# host -v www.ayunw.cn
Trying "www.ayunw.cn.paas.svc.cluster.local"
Trying "www.ayunw.cn.svc.cluster.local"
Trying "www.ayunw.cn.cluster.local"
Trying "www.ayunw.cn"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8135
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ayunw.cn. IN A
;; ANSWER SECTION:
www.ayunw.cn. 30 IN A 134.175.123.64
;; AUTHORITY SECTION:
. 30 IN NS l.root-servers.net.
. 30 IN NS e.root-servers.net.
. 30 IN NS h.root-servers.net.
. 30 IN NS k.root-servers.net.
. 30 IN NS d.root-servers.net.
. 30 IN NS b.root-servers.net.
. 30 IN NS g.root-servers.net.
. 30 IN NS j.root-servers.net.
. 30 IN NS m.root-servers.net.
. 30 IN NS i.root-servers.net.
. 30 IN NS f.root-servers.net.
. 30 IN NS c.root-servers.net.
. 30 IN NS a.root-servers.net.
Received 461 bytes from 10.10.0.2#53 in 94 ms
Trying "www.ayunw.cn"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11085
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ayunw.cn. IN AAAA
;; AUTHORITY SECTION:
ayunw.cn. 5 IN SOA dns17.hichina.com. hostmaster.hichina.com. 2019070911 3600 1200 86400 360
Received 113 bytes from 10.10.0.2#53 in 99 ms
Trying "www.ayunw.cn"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ayunw.cn. IN MX
;; AUTHORITY SECTION:
ayunw.cn. 5 IN SOA dns17.hichina.com. hostmaster.hichina.com. 2019070911 3600 1200 86400 360
Received 113 bytes from 10.10.0.2#53 in 51 ms

My pod has three search domains: paas.svc.cluster.local, svc.cluster.local, and cluster.local. In the host output you can see that Trying appears four times. No correct resolution was found with the search domains, so the name was resolved through the /etc/resolv.conf file of the host where the pod resides.

Our company runs an internal BIND service for internal DNS, and its upstream points to Baidu's DNS.

# cat /etc/resolv.conf
options rotate timeout:1
; generated by /usr/sbin/dhclient-script
nameserver 172.16.0.11
nameserver 172.16.0.12

Resolving www.jd.com domain name

root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# nslookup www.jd.com
Server:    10.10.0.2
Address:   10.10.0.2#53
Non-authoritative answer:
www.jd.com canonical name = www.jd.com.gslb.qianxun.com.
www.jd.com.gslb.qianxun.com canonical name = www.jdcdn.com.
www.jdcdn.com canonical name = img20.360buyimg.com.s.galileo.jcloud-cdn.com.
img20.360buyimg.com.s.galileo.jcloud-cdn.com canonical name = img2x-sched.jcloud-cdn.com.
Name:      img2x-sched.jcloud-cdn.com
Address:   113.107.249.3

The following is the DNS packet capture for the domain name www.jd.com:

[root@kube-node-srv2 ~]# tcpdump -i eth0 port 53 | grep "jd"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:17:52.935226 IP 10.20.105.252.56775 > qing-core-kube-node-srv2.domain: 17278+ A? www.jd.com.paas.svc.cluster.local. (51)
16:17:52.947890 IP 10.20.105.252.52012 > qing-core-kube-node-srv2.domain: 12806+ A? www.jd.com. (28)
16:17:52.948150 IP qing-core-kube-node-srv2.54626 > 172.16.0.11.domain: 12806+ A? www.jd.com. (28)
16:17:53.054427 IP 172.16.0.11.domain > qing-core-kube-node-srv2.54626: 12806 5/13/0 CNAME www.jd.com.gslb.qianxun.com., CNAME www.jdcdn.com., CNAME img20.360buyimg.com.s.galileo.jcloud-cdn.com., CNAME img2x-sched.jcloud-cdn.com., A 113.107.249.3 (398)
16:17:53.054677 IP qing-core-kube-node-srv2.domain > 10.20.105.252.52012: 12806 5/13/0 CNAME www.jd.com.gslb.qianxun.com., CNAME www.jdcdn.com., CNAME img20.360buyimg.com.s.galileo.jcloud-cdn.com., CNAME img2x-sched.jcloud-cdn.com., A 113.107.249.3 (398)

Check www.jd.com with the host command, as was done above for www.ayunw.cn

root@demo-hello-pro-master-5474b97bdf-fvbm5:/# host -v www.jd.com
Trying "www.jd.com.paas.svc.cluster.local"
Trying "www.jd.com.svc.cluster.local"
Trying "www.jd.com.cluster.local"
Trying "www.jd.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61910
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.jd.com. IN A
;; ANSWER SECTION:
www.jd.com. 13 IN CNAME www.jd.com.gslb.qianxun.com.
www.jd.com.gslb.qianxun.com. 13 IN CNAME www.jdcdn.com.
www.jdcdn.com. 13 IN CNAME img20.360buyimg.com.s.galileo.jcloud-cdn.com.
img20.360buyimg.com.s.galileo.jcloud-cdn.com. 13 IN CNAME img2x-sched.jcloud-cdn.com.
img2x-sched.jcloud-cdn.com. 13 IN A 113.107.249.3
;; AUTHORITY SECTION:
. 13 IN NS f.root-servers.net.
. 13 IN NS i.root-servers.net.
. 13 IN NS d.root-servers.net.
. 13 IN NS l.root-servers.net.
. 13 IN NS j.root-servers.net.
. 13 IN NS g.root-servers.net.
. 13 IN NS k.root-servers.net.
. 13 IN NS m.root-servers.net.
. 13 IN NS h.root-servers.net.
. 13 IN NS c.root-servers.net.
. 13 IN NS a.root-servers.net.
. 13 IN NS e.root-servers.net.
. 13 IN NS b.root-servers.net.
Received 398 bytes from 10.10.0.2#53 in 5 ms
Trying "img2x-sched.jcloud-cdn.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64422
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;img2x-sched.jcloud-cdn.com. IN AAAA
;; AUTHORITY SECTION:
jcloud-cdn.com. 5 IN SOA ns1.jdgslb.com. apollo.jdgslb.com. 1622435242 10800 3600 604800 3600
Received 125 bytes from 10.10.0.2#53 in 4 ms
Trying "img2x-sched.jcloud-cdn.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43091
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;img2x-sched.jcloud-cdn.com. IN MX
;; AUTHORITY SECTION:
jcloud-cdn.com. 5 IN SOA ns1.jdgslb.com. apollo.jdgslb.com. 1622435242 10800 3600 604800 3600
Received 125 bytes from 10.10.0.2#53 in 40 ms

Resolve a domain name whose number of dots equals the ndots value of 5

Here I have a domain name on Aliyun; I created a DNS record for it and tested it 4 times

root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# nslookup x.y.z.v.ayunw.cn
Server:    10.10.0.2
Address:   10.10.0.2#53
Non-authoritative answer:
Name:      x.y.z.v.ayunw.cn
Address:   134.175.123.64

Packet capture analysis

[root@kube-node-srv2 ~]# tcpdump -i eth0 port 53 | grep "ayunw"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:36:49.928116 IP 10.20.105.252.46581 > qing-core-kube-node-srv2.domain: 38769+ A? x.y.z.v.ayunw.cn. (34)
16:36:49.928383 IP qing-core-kube-node-srv2.59801 > 172.16.0.11.domain: 38769+ A? x.y.z.v.ayunw.cn. (34)
16:36:56.901762 IP 10.20.105.252.43844 > qing-core-kube-node-srv2.domain:
IP 10.20.105.252.36053 > qing-core-kube-node-srv2.domain: 62952+ AAAA? x.y.z.v.ayunw.cn. (34)
16:37:01.764110 IP qing-core-kube-node-srv2.59801 > 172.16.0.11.domain: (34)
16:37:06.851820 IP 10.20.105.252.36305 > qing-core-kube-node-srv2.domain:
qing-core-kube-node-srv2.59801 > 172.16.0.11.domain:
qing-core-kube-node-srv2.59801 > 172.16.0.11.domain: 58393+ AAAA? x.y.z.v.ayunw.cn. (34)

As you can see from the packet capture above, if the number of dots in the domain name equals the value of ndots, the name is resolved directly and the search domains are not appended. Maybe because this domain is hosted on my Aliyun account, it does not support resolving domain names with more than 5 dots, so I can't test domain names with more than 5 dots.

Conclusion

If the number of dots is less than 5, the name is first looked up with each domain from the search list appended. If nothing is returned, the domain name itself is queried. If nothing in the search list matches, the name is resolved through /etc/resolv.conf of the host server. If clusterDomain is configured incorrectly in the kubelet, nothing in the search list matches, and the query is forwarded directly to the local DNS and follows the normal recursive query logic.

The above tests show that the effect of ndots depends on the requested domain name. To avoid multiple DNS resolution queries, write the domain names that need to be resolved with as many dots as possible, preferably as many as the value of ndots. For example: kubernetes.paas.svc.cluster.local. Then, instead of resolving the name several times through the search domains, the resolver returns the A record. If you resolve the domain name kubernetes.paas, the resolver completes it as the name of a service in the same namespace. For example, with nslookup kubernetes it appends default.svc.cluster.local; but to avoid resolution failures, I personally suggest writing the domain name out in full.
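
The search-list behaviour summarized above, as an added example (not code from the original article): a small Python model of the candidate ordering, assuming the glibc resolver of the Debian test pod. `RESOLV_CONF` is the pod file shown earlier, the `ZONE` table is constructed from the answers in the captures, and the function names are hypothetical.

```python
# Added example: models the glibc stub resolver's search-list ordering.
# RESOLV_CONF is the pod file shown in the article; ZONE is constructed
# from the answers in the captures. Function names are hypothetical.

RESOLV_CONF = """\
nameserver 10.10.0.2
search paas.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""

# Constructed stand-in for "names that return an A record".
ZONE = {
    "kubernetes.default.svc.cluster.local.": "10.10.0.1",
    "www.ayunw.cn.": "134.175.123.64",
    "x.y.z.v.ayunw.cn.": "134.175.123.64",
}


def parse_resolv_conf(text):
    """Return (nameservers, search_domains, ndots) from resolv.conf text."""
    nameservers, search, ndots = [], [], 1  # ndots defaults to 1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key == "search":
            search = values  # the last search line wins
        elif key == "options":
            for opt in values:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def candidates(name, search, ndots):
    """Absolute names in the order the resolver queries them."""
    if name.endswith("."):
        return [name]  # trailing dot: already absolute, no search list
    as_is = name + "."
    expanded = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        return [as_is] + expanded  # enough dots: as-is first
    return expanded + [as_is]  # too few dots: search list first


def resolve(name, conf=RESOLV_CONF, zone=ZONE):
    """Walk the candidates until one answers; return (tried, address)."""
    _, search, ndots = parse_resolv_conf(conf)
    tried = []
    for fqdn in candidates(name, search, ndots):
        tried.append(fqdn)
        if fqdn in zone:
            return tried, zone[fqdn]
    return tried, None


if __name__ == "__main__":
    for name in ("kubernetes.default", "www.ayunw.cn", "x.y.z.v.ayunw.cn",
                 "kubernetes.default.svc.cluster.local",
                 "kubernetes.default.svc.cluster.local."):
        tried, address = resolve(name)
        print(f"{name}: {len(tried)} candidate name(s) tried -> {address}")
        for fqdn in tried:
            print(f"    {fqdn}")
```

The fourth case reproduces the `kubernetes.default.svc.cluster.local.svc.cluster.local.` query visible in the first capture: four dots is still below ndots:5, so in this model only the trailing-dot form skips the search list.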
