DNS lookups fail in Kubernetes cluster

[hisener]

After upgrading dnsjava from 2.1.9 to 3.2.2, as the summary says, DNS lookups started failing in Kubernetes cluster. IIUC, it's because we don't lookup using the root (Name.root) after this for loop.

dnsjava/src/main/java/org/xbill/DNS/Lookup.java

Lines 574 to 582 in 6f37966

	for (Name value : searchPath) {
	resolve(name, value);
	if (done) {
	return answers;
	} else if (foundAlias) {
	break;
	}
	}
	}

In other words, I was expecting something like this after that for loop:

if (!done) {
  resolve(name, Name.root);
}

But I am not 100% sure. 🤔 My tests to reproduce the issue in the cluster:

/etc/resolv.conf file:

nameserver 172.20.0.10
search default.svc.cluster.local svc.cluster.local cluster.local eu-west-1.compute.internal
options ndots:5

jshell> import org.xbill.DNS.*
jshell> ResolverConfig.getCurrentConfig().searchPath()
$2 ==> [default.svc.cluster.local., svc.cluster.local., cluster.local., eu-west-1.compute.internal.]
jshell> ResolverConfig.getCurrentConfig().ndots()
$3 ==> 5
jshell> new Lookup("gmail.com", Type.MX, DClass.IN)
$4 ==> org.xbill.DNS.Lookup@5e955596
jshell> $4.run()
$5 ==> null
jshell> $4.getResult()
$6 ==> 3
jshell> Lookup.HOST_NOT_FOUND
$7 ==> 3

If I use FQDN, it can resolve the record so it's not that we cannot resolve it within the cluster. It uses only the search paths while performing the lookup.

jshell> new Lookup("gmail.com.", Type.MX, DClass.IN)
$8 ==> org.xbill.DNS.Lookup@3ec300f1

jshell> $8.run()
$9 ==> Record[5] { gmail.com.		30	IN	MX	10 alt1.gmail-smtp-in.l.google.com., gmail.com.		30	IN	MX	20 alt2.gmail-smtp-in.l.google.com., gmail.com.		30	IN	MX	30 alt3.gmail-smtp-in.l.google.com., gmail.com.		30	IN	MX	40 alt4.gmail-smtp-in.l.google.com., gmail.com.		30	IN	MX	5 gmail-smtp-in.l.google.com. }
jshell> $8.getResult()
$10 ==> 0

This "works" in dnsjava 2.1.9 because, for some reason (maybe a bug?), ndots (ResolverConfig.getCurrentConfig().ndots()) is set to 1 with the same configuration. So we use the following code path:

dnsjava/src/main/java/org/xbill/DNS/Lookup.java

Lines 567 to 569 in 6f37966

	if (name.labels() > ndots) {
	resolve(name, Name.root);
	}

[omrico]

Seeing an issue with fetching TXT records on K8S cluster.
the DNS lookup result is always TYPE_NOT_FOUND = 4;

[ibauersachs]

The ndots issue will be fixed in the next release. I'm not sure why ndots was parsed as 1 in v2.1.9, but this is obviously wrong if the resolv.conf contains the option ndots:5.

Be aware of the performance impact the proper parsing may now have. If you're not resolving any names within the cluster, you may want to configure ndots to 1 in your pod. If you do resolve both cluster-local as well as non-cluster domain names, try to make the non-cluster names absolute.

apiVersion: v1
kind: Pod
spec:
  dnsConfig:
    options:
      - name: ndots
        value: "1"

[hisener]

Thanks for the quick fix, looking forward to the release.

Be aware of the performance impact the proper parsing may now have. If you're not resolving any names within the cluster, you may want to configure ndots to 1 in your pod. If you do resolve both cluster-local as well as non-cluster domain names, try to make the non-cluster names absolute.

We have services talking to each other within the cluster. Since dnsjava has an internal cache, we should be fine but I'll keep an eye on it, thanks for the advice.