共计 17472 个字符,预计需要花费 44 分钟才能阅读完成。
DNS 其实就是一个分布式的树状命名零碎,它就像一个去中心化的分布式数据库,存储着从域名到 IP 地址的映射。k8s 中利用 CoreDNS 进行域名解析。
在进行 CoreDNS 抓包之前先来理解几个概念
齐全限定名称 https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://zhuanlan.zhihu.com/p/…
https://www.bilibili.com/read…
齐全限定域名 (FQDN) 就是互联网上计算机或者主机的残缺域名。由主机名、域名、顶级域组成。FQDN= HostName + DomainName
如:域名 www.ayunw.cn,实际上它应该是 www.ayunw.cn.,而通常最初的点能够不写。最初的点被称为根域 www 就是主机名,ayunw.cn 就是域名,而.cn 又被称为顶级域 (一级域名),ayunw 被称为二级域名,最初的点被称为 根域。
如:www.allen.ayunw.cn.,其中最初的点被称为 根域 (TLD),cn 被称为顶级域(一级域名),ayunw 被称为二级域名,allen 被称为三级域名,www 被称为主机名。
k8s 中,非齐全限定名称比方:demo-hello.paas.svc.cluster.local
无类域间路由 (CIDR)
如:192.168.1.0/24。想要更好的对 CIDR 理解的能够自行谷歌查问详情,这里不开展说。
这里,我本人有一个域名叫 www.ayunw.cn,而后这里我尝试用一个 paas 名称空间下的一个 pod 对 www.ayunw.cn 做 nslookup 域名解析。并且对某一个 coredns 的 pod 进行抓包剖析。
为了测试,我这里用一个曾经公布好测试的容器。进入容器,查看 /etc/resolv.conf 文件内容
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# cat /etc/resolv.conf
nameserver 10.10.0.2
search paas.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
复制代码
在该容器中装置 nslookup 工具,而后对 www.ayunw.cn 域名进行解析
[root@kube-master-srv1 ~]# kubectl get po -n paas
NAME READY STATUS RESTARTS AGE
demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw 1/1 Running 0 11d
[root@kube-master-srv1 ~]# kubectl exec -it demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw -n paas — bash
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# cat /etc/issue
Debian GNU/Linux 10 \n \l
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# apt -y install dnsutils
复制代码
接着找到某一个 coredns,而后去他所调度到的 node 节点通过 nsenter 进入网络名称空间进行抓包剖析
在 k8s-master 上查看 coredns 调度在哪个 node
接着我就抉择了第一个 coredns
[root@kube-master-srv1 ~]# kubectl get po -n kube-system -o wide | grep coredns
coredns-69d9b6c494-4nrxt 1/1 Running 0 96d 10.20.246.18 node2.core <none> <none>
coredns-69d9b6c494-6vjw4 1/1 Running 0 96d 10.20.240.239 node3.core <none> <none>
coredns-69d9b6c494-pw5gx 1/1 Running 0 96d 10.20.240.232 node3.core <none> <none>
登录到 node2.core 节点,找到 coredns 的 pid
进入这个 pid 进入 coredns 容器的网络名称空间进行抓包过滤剖析
[root@kube-node-srv2 ~]# docker ps -a | grep coredns
4d38fd311a78 bfe3a36ebd25 “/coredns -conf /etc…” 3 months ago Up 3 months k8s_coredns_coredns-69d9b6c494-4nrxt_kube-system_803290a5-b4bd-4f2e-81b3-5ce82c9aa57c_0
00722e50786b registry.xx.xx/library/k8s.gcr.io/pause:3.2 “/pause” 3 months ago Up 3 months k8s_POD_coredns-69d9b6c494-4nrxt_kube-system_803290a5-b4bd-4f2e-81b3-5ce82c9aa57c_0
[root@kube-node-srv2 ~]# docker inspect -f {{.State.Pid}} 4d38fd311a78
896949
[root@kube-node-srv2 ~]# nsenter -n -t 896949
[root@kube-node-srv2 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1380
inet 10.20.246.18 netmask 255.255.255.255 broadcast 10.20.246.18
ether 46:c1:e0:30:b4:9d txqueuelen 0 (Ethernet)
RX packets 1489941923 bytes 162419228606 (151.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1488233127 bytes 297011464372 (276.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 83731165 bytes 6681735331 (6.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 83731165 bytes 6681735331 (6.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
复制代码
解析 k8s 集群的外部域名
这里说的集群外部域名就是 service 的名字。我这里用的是 kubernetes 这个 service 来测试 间断解析 6 次,为了不便查看,我每执行一次解析,上面抓包的终端就敲一次回车。
[root@kube-master-srv1 ~]# kubectl get svc kubernetes
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.10.0.1 <none> 443/TCP 57d
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# nslookup kubernetes.default
Server: 10.10.0.2
Address: 10.10.0.2#53
Name: kubernetes.default.svc.cluster.local
Address: 10.10.0.1
复制代码
抓包剖析
以下是抓取 kubernetes 这个域名的 DNS 包的后果
[root@kube-node-srv2 ~]# tcpdump -i eth0 port 53 | grep “kubernetes”
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:44:42.712421 IP 10.20.105.252.60020 > qing-core-kube-node-srv2.domain: 7282+ A? kubernetes.default.svc.cluster.local. (54)
16:44:48.883881 IP 10.20.105.252.ndm-agent-port > qing-core-kube-node-srv2.domain: 25500+ AAAA? kubernetes.default.svc.cluster.local. (54)
16:50:15.361021 IP 10.20.105.252.57205 > qing-core-kube-node-srv2.domain: 24061+ A? kubernetes.default.paas.svc.cluster.local. (59)
16:50:22.186723 IP 10.20.105.252.60715 > qing-core-kube-node-srv2.domain: 55799+ AAAA? kubernetes.default.svc.cluster.local. (54)
16:50:27.813477 IP qing-core-kube-node-srv2.domain > 10.20.176.128.8181: 21787*- 1/0/0 PTR kubernetes.default.svc.cluster.local. (112)
16:46:04.429250 IP 10.20.105.252.33895 > qing-core-kube-node-srv2.domain: 37943+ A? kubernetes.default.svc.cluster.local.svc.cluster.local. (72)
16:46:04.441717 IP 10.20.105.252.54502 > qing-core-kube-node-srv2.domain: 45454+ AAAA? kubernetes.default.svc.cluster.local. (54)
16:46:10.771445 IP 10.20.105.252.54594 > qing-core-kube-node-srv2.domain: 16257+ A? kubernetes.default.svc.cluster.local.svc.cluster.local. (72)
16:46:10.783322 IP 10.20.105.252.59768 > qing-core-kube-node-srv2.domain: 60408+ AAAA? kubernetes.default.svc.cluster.local. (54)
复制代码
通过以上抓包剖析得出结论。当解析 kubernetes 域名的时候,点的个数比 ndots 的值小,则依照 search 前面的本地区参数填补了域名后缀,当依照程序 用 paas.svc.cluster.local 填补的时候解析到了 A 记录。而后终止 dns 查问将查问到的 A 记录返回。
通过 host 命令对名为 kubernetes 的 service 的集群外部域名进行解析
root@demo-hello-pro-master-5474b97bdf-fvbm5:/# host -v kubernetes.default
Trying “kubernetes.default.paas.svc.cluster.local”
Trying “kubernetes.default.svc.cluster.local”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18054
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN A
;; ANSWER SECTION:
kubernetes.default.svc.cluster.local. 5 IN A 10.10.0.1
Received 106 bytes from 10.10.0.2#53 in 3 ms
Trying “kubernetes.default.svc.cluster.local”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58952
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN AAAA
;; AUTHORITY SECTION:
cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1622445553 7200 1800 86400 5
Received 147 bytes from 10.10.0.2#53 in 2 ms
Trying “kubernetes.default.svc.cluster.local”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37783
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN MX
;; AUTHORITY SECTION:
cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1622445553 7200 1800 86400 5
Received 147 bytes from 10.10.0.2#53 in 2 ms
复制代码
解析 k8s 集群内部域名
接下来针对我的 www.ayunw.cn 这个域名进行屡次解析。这里我为了测试,发动了 6 次解析。我每执行一次解析,上面抓包的终端就敲一次回车。解析的同时去 coredns 这个容器所在的节点进行抓包剖析。
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# nslookup www.ayunw.cn
Server: 10.10.0.2
Address: 10.10.0.2#53
Non-authoritative answer:
Name: www.ayunw.cn
Address: 134.175.123.64
复制代码
抓包剖析
抓包开始,因为我的集群有大量的服务,每秒都有很多外部服务 dns 解析申请。所以这里我过滤了关键字 ayunw。下面的 dns 每执行一次,我在这个抓包的窗口就敲一下回车,这样的话不便看清楚每一次的解析后果
以下是抓 www.ayunw.cn 的域名 DNS 包的后果:
[root@kube-node-srv2 ~]# tcpdump -i eth0 port 53 | grep “ayunw”
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:38:07.350640 IP 10.20.105.252.47767 > qing-core-kube-node-srv2.domain: 13102+ A? www.ayunw.cn.cluster.local. (44)
14:38:19.098753 IP 10.20.105.252.47071 > qing-core-kube-node-srv2.domain: 15535+ A? www.ayunw.cn.paas.svc.cluster.local. (53)
14:38:19.111441 IP 10.20.105.252.56968 > qing-core-kube-node-srv2.domain: 62838+ A? www.ayunw.cn. (30)
14:38:19.111720 IP qing-core-kube-node-srv2.35187 > 172.16.0.11.domain: 62838+ A? www.ayunw.cn. (30)
14:38:31.200982 IP 10.20.105.252.50777 > qing-core-kube-node-srv2.domain: 10715+ A? www.ayunw.cn.svc.cluster.local. (48)
14:38:31.214096 IP 10.20.105.252.51233 > qing-core-kube-node-srv2.domain: 37585+ AAAA? www.ayunw.cn. (30)
14:38:31.214299 IP qing-core-kube-node-srv2.35187 > 172.16.0.11.domain: 37585+ AAAA? www.ayunw.cn. (30)
14:39:04.691754 IP 10.20.105.252.34080 > qing-core-kube-node-srv2.domain: 34206+ A? www.ayunw.cn.paas.svc.cluster.local. (53)
14:39:04.704758 IP 10.20.105.252.36478 > qing-core-kube-node-srv2.domain: 64751+ A? www.ayunw.cn. (30)
14:39:04.705068 IP qing-core-kube-node-srv2.48926 > 172.16.0.11.domain: 64751+ A? www.ayunw.cn. (30)
14:39:13.925872 IP 10.20.105.252.59868 > qing-core-kube-node-srv2.domain: 45121+ A? www.ayunw.cn.paas.svc.cluster.local. (53)
14:39:13.937328 IP 10.20.105.252.45290 > qing-core-kube-node-srv2.domain: 27511+ A? www.ayunw.cn. (30)
14:39:13.937576 IP qing-core-kube-node-srv2.48926 > 172.16.0.11.domain: 27511+ A? www.ayunw.cn. (30)
14:39:24.838444 IP 10.20.105.252.37510 > qing-core-kube-node-srv2.domain: 45926+ A? www.ayunw.cn.cluster.local. (44)
14:45:13.438961 IP 10.20.105.252.55462 > qing-core-kube-node-srv2.domain: 60170+ A? www.ayunw.cn.paas.svc.cluster.local. (53)
14:45:13.450865 IP 10.20.105.252.42674 > qing-core-kube-node-srv2.domain: 25680+ A? www.ayunw.cn. (30)
14:45:13.451110 IP qing-core-kube-node-srv2.56396 > 172.16.0.11.domain: 25680+ A? www.ayunw.cn. (30)
^C35952 packets captured
35956 packets received by filter
0 packets dropped by kernel
复制代码
从下面抓包剖析的后果来看,www.ayunw.cn 的这个域名只有两个点,比 pod 外面 /etc/resolv.conf 文件中的 ndots 配置的值小 (ndots 的值为 5,域名的点为 2)。则会依照 search 的参数填补域名后缀,并且是依据 search 前面的程序 paas.svc.cluster.local、svc.cluster.local、cluster.local 顺次来填充的。因为依据 search 前面的本地区匹配后都没有域名解析的后果,因而他就间接解析了 www.ayunw.cn 这个域名查问到了该域名的 A 记录并且返回了后果。
通过 host 命令来进行解析
root@demo-hello-pro-master-5474b97bdf-fvbm5:/# host -v www.ayunw.cn
Trying “www.ayunw.cn.paas.svc.cluster.local”
Trying “www.ayunw.cn.svc.cluster.local”
Trying “www.ayunw.cn.cluster.local”
Trying “www.ayunw.cn”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8135
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ayunw.cn. IN A
;; ANSWER SECTION:
www.ayunw.cn. 30 IN A 134.175.123.64
;; AUTHORITY SECTION:
. 30 IN NS l.root-servers.net.
. 30 IN NS e.root-servers.net.
. 30 IN NS h.root-servers.net.
. 30 IN NS k.root-servers.net.
. 30 IN NS d.root-servers.net.
. 30 IN NS b.root-servers.net.
. 30 IN NS g.root-servers.net.
. 30 IN NS j.root-servers.net.
. 30 IN NS m.root-servers.net.
. 30 IN NS i.root-servers.net.
. 30 IN NS f.root-servers.net.
. 30 IN NS c.root-servers.net.
. 30 IN NS a.root-servers.net.
Received 461 bytes from 10.10.0.2#53 in 94 ms
Trying “www.ayunw.cn”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11085
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ayunw.cn. IN AAAA
;; AUTHORITY SECTION:
ayunw.cn. 5 IN SOA dns17.hichina.com. hostmaster.hichina.com. 2019070911 3600 1200 86400 360
Received 113 bytes from 10.10.0.2#53 in 99 ms
Trying “www.ayunw.cn”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ayunw.cn. IN MX
;; AUTHORITY SECTION:
ayunw.cn. 5 IN SOA dns17.hichina.com. hostmaster.hichina.com. 2019070911 3600 1200 86400 360
Received 113 bytes from 10.10.0.2#53 in 51 ms
复制代码
因为我的 pod 中存在三个本地区:paas.svc.cluster.local、svc.cluster.local、cluster.local,通过 host 命令能够看到,Trying 一共尝试了四次,一次依据我 search 前面的本地区进行了解析搜寻,后果没有搜寻到正确的解析,因而通过 pod 所在的宿主机本地的 /etc/resolv.conf 文件中进行了解析。
本地宿主机的 /etc/resolv.conf 的解析如下: 我这里公司用了外部 bind 服务,做了外部 dns,而后上游指向了百度的 dns。
cat /etc/resolv.conf
options rotate timeout:1
; generated by /usr/sbin/dhclient-script
nameserver 172.16.0.11
nameserver 172.16.0.12
复制代码
解析 www.jd.com 域名
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# nslookup www.jd.com
Server: 10.10.0.2
Address: 10.10.0.2#53
Non-authoritative answer:
www.jd.com canonical name = www.jd.com.gslb.qianxun.com.
www.jd.com.gslb.qianxun.com canonical name = www.jdcdn.com.
www.jdcdn.com canonical name = img20.360buyimg.com.s.galileo.jcloud-cdn.com.
img20.360buyimg.com.s.galileo.jcloud-cdn.com canonical name = img2x-sched.jcloud-cdn.com.
Name: img2x-sched.jcloud-cdn.com
Address: 113.107.249.3
复制代码
以下是抓 www.jd.com 的域名 DNS 包的后果:
[root@kube-node-srv2 ~]# tcpdump -i eth0 port 53 | grep “jd”
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:17:52.935226 IP 10.20.105.252.56775 > qing-core-kube-node-srv2.domain: 17278+ A? www.jd.com.paas.svc.cluster.local. (51)
16:17:52.947890 IP 10.20.105.252.52012 > qing-core-kube-node-srv2.domain: 12806+ A? www.jd.com. (28)
16:17:52.948150 IP qing-core-kube-node-srv2.54626 > 172.16.0.11.domain: 12806+ A? www.jd.com. (28)
16:17:53.054427 IP 172.16.0.11.domain > qing-core-kube-node-srv2.54626: 12806 5/13/0 CNAME www.jd.com.gslb.qianxun.com., CNAME www.jdcdn.com., CNAME img20.360buyimg.com.s.galileo.jcloud-cdn.com., CNAME img2x-sched.jcloud-cdn.com., A 113.107.249.3 (398)
16:17:53.054677 IP qing-core-kube-node-srv2.domain > 10.20.105.252.52012: 12806 5/13/0 CNAME www.jd.com.gslb.qianxun.com., CNAME www.jdcdn.com., CNAME img20.360buyimg.com.s.galileo.jcloud-cdn.com., CNAME img2x-sched.jcloud-cdn.com., A 113.107.249.3 (398)
复制代码
通过 host 命令检测 www.jd.com 和下面 www.ayunw.cn 一样的
root@demo-hello-pro-master-5474b97bdf-fvbm5:/# host -v www.jd.com
Trying “www.jd.com.paas.svc.cluster.local”
Trying “www.jd.com.svc.cluster.local”
Trying “www.jd.com.cluster.local”
Trying “www.jd.com”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61910
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.jd.com. IN A
;; ANSWER SECTION:
www.jd.com. 13 IN CNAME www.jd.com.gslb.qianxun.com.
www.jd.com.gslb.qianxun.com. 13 IN CNAME www.jdcdn.com.
www.jdcdn.com. 13 IN CNAME img20.360buyimg.com.s.galileo.jcloud-cdn.com.
img20.360buyimg.com.s.galileo.jcloud-cdn.com. 13 IN CNAME img2x-sched.jcloud-cdn.com.
img2x-sched.jcloud-cdn.com. 13 IN A 113.107.249.3
;; AUTHORITY SECTION:
. 13 IN NS f.root-servers.net.
. 13 IN NS i.root-servers.net.
. 13 IN NS d.root-servers.net.
. 13 IN NS l.root-servers.net.
. 13 IN NS j.root-servers.net.
. 13 IN NS g.root-servers.net.
. 13 IN NS k.root-servers.net.
. 13 IN NS m.root-servers.net.
. 13 IN NS h.root-servers.net.
. 13 IN NS c.root-servers.net.
. 13 IN NS a.root-servers.net.
. 13 IN NS e.root-servers.net.
. 13 IN NS b.root-servers.net.
Received 398 bytes from 10.10.0.2#53 in 5 ms
Trying “img2x-sched.jcloud-cdn.com”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64422
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;img2x-sched.jcloud-cdn.com. IN AAAA
;; AUTHORITY SECTION:
jcloud-cdn.com. 5 IN SOA ns1.jdgslb.com. apollo.jdgslb.com. 1622435242 10800 3600 604800 3600
Received 125 bytes from 10.10.0.2#53 in 4 ms
Trying “img2x-sched.jcloud-cdn.com”
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43091
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;img2x-sched.jcloud-cdn.com. IN MX
;; AUTHORITY SECTION:
jcloud-cdn.com. 5 IN SOA ns1.jdgslb.com. apollo.jdgslb.com. 1622435242 10800 3600 604800 3600
Received 125 bytes from 10.10.0.2#53 in 40 ms
复制代码
查看域名的点数等于 ndots 的值 5 的域名解析
这里我有一个阿里云上的域名,做了一个 dns 解析并且测试了 4 次
root@demo-hello-perf-dev-v0-5-0-f9f9cd5c9-r27cw:/# nslookup x.y.z.v.ayunw.cn
Server: 10.10.0.2
Address: 10.10.0.2#53
Non-authoritative answer:
Name: x.y.z.v.ayunw.cn
Address: 134.175.123.64
复制代码
抓包剖析
[root@kube-node-srv2 ~]# tcpdump -i eth0 port 53 | grep “ayunw”
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:36:49.928116 IP 10.20.105.252.46581 > qing-core-kube-node-srv2.domain: 38769+ A? x.y.z.v.ayunw.cn. (34)
16:36:49.928383 IP qing-core-kube-node-srv2.59801 > 172.16.0.11.domain: 38769+ A? x.y.z.v.ayunw.cn. (34)
16:36:56.901762 IP 10.20.105.252.43844 > qing-core-kube-node-srv2.domain: 3524+ A? x.y.z.v.ayunw.cn. (34)
16:37:01.763743 IP 10.20.105.252.36053 > qing-core-kube-node-srv2.domain: 62952+ AAAA? x.y.z.v.ayunw.cn. (34)
16:37:01.764110 IP qing-core-kube-node-srv2.59801 > 172.16.0.11.domain: 62952+ AAAA? x.y.z.v.ayunw.cn. (34)
16:37:06.851820 IP 10.20.105.252.36305 > qing-core-kube-node-srv2.domain: 58393+ AAAA? x.y.z.v.ayunw.cn. (34)
16:37:06.852118 IP qing-core-kube-node-srv2.59801 > 172.16.0.11.domain: 58393+ AAAA? x.y.z.v.ayunw.cn. (34)
复制代码
从上述抓包后果能够看到,如果域名中的点等于 ndots 的值,他会间接解析域名,不会用 search 前面的本地区来填补的。可能因为我阿里云上这个域名的起因,不反对超过 5 个点的域名解析。所以超过 5 个点的域名我无奈测试。https://gitee.com/numerical-c…
https://www.bilibili.com/read…
论断
如果点的个数小于 5 个,那么会依据 search 中配置的本地区列表一次在对应域中先进行搜寻。如果没有返回,则最初再查问域名自身。如果说 search 中配置的本地区列表没有一个匹配的,那么就会走到服务器宿主机的 /etc/resolv.conf 中去解析。如果你 kubelet 中 clusterdomain 配置错了。那么 search 中没有任何一个匹配的到,间接转发到本地 DNS,走失常的递归查问逻辑。
通过以上测试发现 ndots 的值和申请的域名是相干的。为了防止屡次的 DNS 解析查问,能够将须要进行解析的域名进行绝对的优化 尽可能将域名中的点都带上,并且最好是等于 ndots 的值。比方:kubernetes.paas.svc.cluster.local。这样他就间接解析到了这个域名返回了 A 记录而不是在通过 search 前面的本地区去解析屡次。如果你解析的域名是 kubernetes.paas 他就会依据 search 前面的本地区去进行补全解析屡次了 在同一个 namespace 下能够间接解析 service 的名称。比方:nslookup kubernetes,他会补全 default.svc.cluster.local,然而为了解析失败集体倡议最好还是将域名写残缺。