Local DNSSEC resolver & Containers
Colin Walters
walters at verbum.org
Mon Aug 24 15:03:52 UTC 2015
On Tue, Jul 14, 2015, at 09:57 AM, P J P wrote:
> Hello,
>
>
> -> https://lists.fedoraproject.org/pipermail/cloud/2015-January/004867.html
>
>
> As per the previous discussion above, I was able to use iptables(8) DNAT rule to divert DNS traffic from Docker containers to a DNSSEC resolver on the host at 127.0.0.1:53.
Thanks for posting this! It's quite useful to have any progress in this area.
One problem with this is you're capturing *all* traffic to port 53, but I can imagine
valid use cases for skipping the local resolver. We're already seen one with the
hotspot detection.
Another more complex problem is that while your solution will work for the
docker defaults, it's quite common to use something other than the defaults for
clustered networking for e.g. Kubernetes.
At a practical level, this means all tools that interact with Docker networking
configuration like flannel and openshift-sdn will have to understand how to
configure this.
I'd still personally like to see unbound support a Unix domain socket or kdbus.
It'd require NSS configuration in the container, but it avoids all sorts of hacks
around container networking for local communication.
More information about the cloud
mailing list