
Alibaba Cloud Service Mesh:Use the DNS proxy feature in an ASM instance

Last Updated:Feb 28, 2024

Sidecar proxies in a Service Mesh (ASM) instance can serve as Domain Name System (DNS) proxies. When applications initiate DNS queries in an ASM instance, sidecar proxies transparently intercept the queries and provide DNS services. This topic describes how to enable and use the DNS proxy feature in ASM.

Prerequisites

Background information

By default, a set of DNS services is deployed in a Container Service for Kubernetes (ACK) cluster to provide DNS features for workloads. This allows applications that run in the cluster to discover other services by using the DNS services.

A cluster-internal DNS server, such as CoreDNS, runs in every Kubernetes cluster, and the /etc/resolv.conf file of each pod points at its service IP address. By default, sidecar proxies do not intercept DNS queries: an application resolves a domain name through the cluster DNS server before it establishes a connection, and the sidecar proxy only sees the connection that follows. After the DNS proxy feature is enabled in ASM, iptables rules in the pod redirect the DNS queries of the application to the sidecar proxy. The sidecar proxy answers queries for hosts that the mesh knows, such as Kubernetes services and hosts declared in service entries, from its local registry, and forwards all other queries to the cluster DNS server. This shortens resolution for hosts known to the mesh and, with automatic address allocation enabled, lets the mesh assign a virtual IP address to an external host that is declared in a service entry without a fixed address, so that TCP and TLS traffic to that host can be matched to the service entry instead of being passed through unidentified.

Enable the DNS proxy feature

Scenario 1: Enable the DNS proxy feature globally

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy Setting.

  3. On the global tab, click DNS Proxy. Turn on Enable DNS Proxy and click Update Settings.

  4. Restart the pod of an application so that the DNS configuration takes effect for the application.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, find the pod that you want to delete and choose More > Delete in the Actions column.

    6. In the Note dialog box, click OK.

      Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.

Scenario 2: Enable the DNS proxy feature for a specific namespace

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy Setting.

  3. On the Sidecar Proxy Setting page, click the Namespace tab.

  4. Select a namespace from the Namespace drop-down list, click DNS Proxy, turn on Enable DNS Proxy, and then click Update Settings.

  5. Restart the pod of an application so that the DNS configuration takes effect for the application.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, find the pod that you want to delete and choose More > Delete in the Actions column.

    6. In the Note dialog box, click OK.

      Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.

Scenario 3: Enable the DNS proxy feature for a specific pod

You can enable the DNS proxy feature for a single workload by adding annotations to the pod template of the workload, for example, in the YAML file of its Deployment. The annotations are read when the sidecar proxy is injected, so the pods must be recreated after the change.

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the details page, choose Workloads > Deployments.

  5. On the Deployments page, find the application for which you want to enable the DNS proxy feature and choose More > View in YAML in the Actions column.

  6. In the Edit YAML dialog box, add the following annotation under spec.template.metadata (the pod template, which is where the sidecar injector reads it; an annotation on the metadata of the Deployment itself is not propagated to pods), and then click Update:

    annotations:
      proxy.istio.io/config: |
        proxyMetadata:
          ISTIO_META_DNS_CAPTURE: "true"
          ISTIO_META_DNS_AUTO_ALLOCATE: "true"


  7. Restart the pod of the application so that the DNS configuration takes effect for the application.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, find the pod that you want to delete and choose More > Delete in the Actions column.

    6. In the Note dialog box, click OK.

      Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.

Use the DNS proxy feature

Step 1: Create a service entry

Create a service entry to add aliyun.com to the internal service registry of your ASM instance. The service entry declares no addresses field; with ISTIO_META_DNS_AUTO_ALLOCATE enabled, the mesh assigns a virtual IP address to the host instead, which is what the verification step below relies on.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry). On the page that appears, click Create from YAML.

  5. On the Create page, set the Namespace and Template parameters, copy the following content to the YAML code editor, and then click Create:

    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: test1-mydnsproxying
    spec:
      hosts:
      - aliyun.com
      location: MESH_EXTERNAL
      ports:
      - number: 443
        name: https
        protocol: TLS
      resolution: DNS

Step 2: Deploy a sample application

  1. Obtain the kubeconfig file of the cluster and use kubectl to connect to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

  2. Create a file named sleep.yaml and copy the following content to the file:


    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: sleep
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: sleep
      labels:
        app: sleep
        service: sleep
    spec:
      ports:
      - port: 80
        name: http
      selector:
        app: sleep
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: sleep
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: sleep
      template:
        metadata:
          labels:
            app: sleep
        spec:
          terminationGracePeriodSeconds: 0
          serviceAccountName: sleep
          containers:
          - name: sleep
            image: curlimages/curl
            command: ["/bin/sleep", "3650d"]
            imagePullPolicy: IfNotPresent
            volumeMounts:
            - mountPath: /etc/sleep/tls
              name: secret-volume
          volumes:
          - name: secret-volume
            secret:
              secretName: sleep-secret
              optional: true
  3. Run the following command to deploy the sleep application:

    kubectl apply -f sleep.yaml
  4. Run the following command to check whether the pod of the sleep application is started:

    kubectl get pod |grep sleep

    Expected output:

    NAME                       READY   STATUS    RESTARTS   AGE
    sleep-66cd8f684f-nxw8v     2/2     Running   0          16m

Step 3: Enable the DNS proxy feature for the pod of the sleep application

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the details page, choose Workloads > Deployments.

  5. On the Deployments page, find the application for which you want to enable the DNS proxy feature and choose More > View in YAML in the Actions column.

  6. In the Edit YAML dialog box, add the following annotation under spec.template.metadata (the pod template, which is where the sidecar injector reads it; an annotation on the metadata of the Deployment itself is not propagated to pods), and then click Update:

    annotations:
      proxy.istio.io/config: |
        proxyMetadata:
          ISTIO_META_DNS_CAPTURE: "true"
          ISTIO_META_DNS_AUTO_ALLOCATE: "true"


  7. Restart the pod of the sleep application so that the DNS configuration takes effect for the application.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, find the pod of the sleep application and choose More > Delete in the Actions column.

    6. In the Note dialog box, click OK.

      Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.
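The following script is an added example; it is not part of this topic and not ASM or Istio code. It performs the change of this step, and of Scenario 3 above, on a Deployment manifest dict of the kind that kubectl get deployment sleep -o json returns, instead of editing YAML in the console. It guards against two mistakes that are easy to make by hand: placing the annotation on the Deployment's own metadata rather than on the pod template, and overwriting a proxy.istio.io/config value that already carries other settings. The sample Deployment is constructed for this example, and its holdApplicationUntilProxyStarts setting stands in for any pre-existing proxy configuration. Only the Python standard library is used.

```python
"""Added example: enable DNS capture on a Deployment's pod template without
clobbering an existing proxy.istio.io/config annotation. Not ASM or Istio
code; the sample Deployment below is constructed for this example."""
import copy

ANNOTATION = "proxy.istio.io/config"
DNS_PROXY_SETTINGS = {
    "ISTIO_META_DNS_CAPTURE": "true",
    "ISTIO_META_DNS_AUTO_ALLOCATE": "true",
}


def parse_proxy_config(text):
    """Parse the annotation value into nested dicts. This minimal parser covers
    the indentation-based 'key: value' mapping form the page uses and keeps
    scalar values verbatim, quotes included, so a round trip changes nothing.
    Anything else (lists, flow syntax) raises instead of being misread."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep or not key or key.startswith("-"):
            raise ValueError(f"unsupported proxy config line: {raw!r}")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def _dump_lines(mapping, indent=0):
    lines = []
    for key, value in mapping.items():
        if isinstance(value, dict):
            lines.append(" " * indent + key + ":")
            lines.extend(_dump_lines(value, indent + 2))
        else:
            lines.append(" " * indent + f"{key}: {value}")
    return lines


def dump_proxy_config(mapping):
    """Inverse of parse_proxy_config: the indentation-based YAML form."""
    return "\n".join(_dump_lines(mapping)) + "\n"


def enable_dns_proxy(deployment):
    """Return a copy of the Deployment with DNS capture enabled on the pod
    template. Other proxy.istio.io/config settings are preserved."""
    dep = copy.deepcopy(deployment)
    template_meta = dep["spec"]["template"].setdefault("metadata", {})
    annotations = template_meta.setdefault("annotations", {})
    cfg = parse_proxy_config(annotations.get(ANNOTATION, ""))
    proxy_meta = cfg.setdefault("proxyMetadata", {})
    for key, value in DNS_PROXY_SETTINGS.items():
        proxy_meta[key] = f'"{value}"'  # proxyMetadata values are strings; keep them quoted
    annotations[ANNOTATION] = dump_proxy_config(cfg)
    return dep


def dns_proxy_enabled(deployment):
    """True only if the pod template carries ISTIO_META_DNS_CAPTURE=true.
    The Deployment's own metadata is deliberately ignored: no pod gets it."""
    annotations = deployment["spec"]["template"].get("metadata", {}).get("annotations", {})
    cfg = parse_proxy_config(annotations.get(ANNOTATION, ""))
    value = cfg.get("proxyMetadata", {}).get("ISTIO_META_DNS_CAPTURE", "")
    return value.strip("\"'").lower() == "true"


# Constructed sample: the sleep Deployment from this topic with a pre-existing
# proxy setting on its pod template (assumption for this example).
SLEEP_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "sleep", "namespace": "default"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "sleep"}},
             "template": {"metadata": {"labels": {"app": "sleep"},
                                       "annotations": {ANNOTATION: "holdApplicationUntilProxyStarts: true\n"}},
                          "spec": {"containers": [{"name": "sleep", "image": "curlimages/curl",
                                                   "command": ["/bin/sleep", "3650d"]}]}}},
}
# The same annotation on the Deployment itself instead of the pod template:
# the console accepts it, but no pod is ever created with it.
MISPLACED_DEPLOYMENT = copy.deepcopy(SLEEP_DEPLOYMENT)
MISPLACED_DEPLOYMENT["metadata"]["annotations"] = {ANNOTATION: 'proxyMetadata:\n  ISTIO_META_DNS_CAPTURE: "true"\n'}

if __name__ == "__main__":
    patched = enable_dns_proxy(SLEEP_DEPLOYMENT)
    print(patched["spec"]["template"]["metadata"]["annotations"][ANNOTATION])
    print("pod template enables DNS capture:", dns_proxy_enabled(patched))
    print("misplaced annotation enables DNS capture:", dns_proxy_enabled(MISPLACED_DEPLOYMENT))
```

Apply the patched manifest with kubectl apply -f, then run kubectl rollout restart deployment/sleep instead of deleting the pod by hand; the effect is the same as the console steps, because the sidecar injector only reads the annotation when a pod is created.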

Step 4: Verify that the DNS proxy feature takes effect

  1. View the logs of the istio-init container.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. On the Pods page, click the name of the pod of the sleep application.

    6. On the pod details page, click the Logs tab and set the Container parameter to istio-init.

      The following logs are displayed:

      -A OUTPUT -p udp --dport 53 -d 192.168.0.10/32 -j REDIRECT --to-port 15053
      -A ISTIO_OUTPUT -p tcp --dport 53 -d 192.168.0.10/32 -j REDIRECT --to-ports 15053

      The sidecar proxy intercepts the DNS queries of the application pod in the same way that it intercepts other traffic, based on iptables rules that the istio-init container installs. The rules above redirect UDP and TCP traffic to port 53 of the cluster DNS service (192.168.0.10 here, the CoreDNS or kube-dns service IP address taken from the pod's /etc/resolv.conf) to port 15053 in the pod. Note the -d 192.168.0.10/32 match: only queries addressed to that resolver are captured, so a process that sends DNS queries directly to a different server bypasses the proxy.

  2. View the port on which the pilot-agent process listens.

    1. In the left-side navigation pane of the details page, choose Workloads > Pods.

    2. On the Pods page, find the pod of the sleep application and click Terminal in the Actions column. Then, click istio-proxy.

    3. In the istio-proxy container, run the following command to view the port on which the pilot-agent process listens:

      netstat -anp |grep 15053

      Expected output:

      tcp        0      0 127.0.0.1:15053         0.0.0.0:*               LISTEN      1/pilot-agent
      udp        0      0 127.0.0.1:15053         0.0.0.0:*                           1/pilot-agent

      The output indicates that the pilot-agent process is listening on TCP and UDP port 15053 on the loopback address. Every DNS query that the application sends to the cluster DNS service is redirected to this listener in the istio-proxy container, where the pilot-agent process answers it from the local registry or forwards it to the cluster DNS server.

  3. Visit aliyun.com in the sleep application.

    1. In the left-side navigation pane of the details page, choose Workloads > Pods.

    2. On the Pods page, find the pod of the sleep application and click Terminal in the Actions column. Then, click sleep.

    3. Run the following command in the sleep container to visit aliyun.com:

      curl -v https://aliyun.com

      Expected output:

      *   Trying 240.240.**.**:443...
      * Connected to aliyun.com (240.240.**.**) port 443 (#0)

      The output indicates that the IP address 240.240.**.** is returned. This is not the public IP address of aliyun.com. It is a virtual IP address that the ASM instance assigns automatically from the 240.240.0.0/16 range, because ISTIO_META_DNS_AUTO_ALLOCATE is enabled and the service entry declares no addresses. The query that the sleep container sent to the kube-dns service was redirected by iptables to the sidecar proxy, which answered it from the mesh registry with the virtual IP address. When the application then connects to the virtual IP address, the sidecar proxy matches the connection to the service entry and forwards it to the actual public IP address of aliyun.com, which the sidecar proxy resolves itself because the service entry uses resolution: DNS. If curl shows a public IP address at this point, the query was not captured: check that the pod was restarted after the annotation was added, and recheck the iptables rules and the pilot-agent listener from the previous substeps.
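The following script is an added example and is not part of this topic or of ASM. It automates the three checks of this step against text captured from the pod: the iptables rules of the istio-init container, the listening sockets of pilot-agent, and the address that curl connected to. In practice you would feed it the output of kubectl logs POD -c istio-init, kubectl exec POD -c istio-proxy -- netstat -anp, and kubectl exec POD -c sleep -- curl -sv https://aliyun.com 2>&1. The sample text below is constructed: the rule, socket and resolver values follow this page, while the virtual IP address 240.240.0.1 and the bypass address 203.0.113.7 are made up. The curl check assumes, as in this topic, that the service entry declares no addresses, so that a captured query yields an address from the 240.240.0.0/16 auto-allocation range.

```python
"""Added example: automated version of the DNS capture checks in Step 4.
Not ASM or Istio code; sample inputs are constructed for this example."""
import ipaddress
import re

DNS_PROXY_PORT = 15053
# Istio hands out virtual IP addresses for auto-allocated service entry hosts from this range.
AUTO_ALLOCATED_RANGE = ipaddress.ip_network("240.240.0.0/16")

CAPTURE_RULE = re.compile(
    r"-A \S+ -p (?P<proto>udp|tcp) --dport 53 -d (?P<resolver>[\d.]+)/32 "
    r"-j REDIRECT --to-ports? (?P<port>\d+)"
)


def capture_rules(iptables_log):
    """Map protocol -> resolver IP for each rule that redirects port 53 to the
    DNS proxy port. Only queries sent to that resolver are captured; a process
    that talks to another DNS server directly bypasses the proxy."""
    rules = {}
    for m in CAPTURE_RULE.finditer(iptables_log):
        if int(m["port"]) == DNS_PROXY_PORT:
            rules[m["proto"]] = m["resolver"]
    return rules


def proxy_listeners(netstat_output):
    """Protocols on which pilot-agent has a socket bound to the proxy port."""
    protos = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3].endswith(f":{DNS_PROXY_PORT}") and "pilot-agent" in line:
            protos.add(fields[0])
    return protos


def connected_address(curl_output):
    """IP address from curl's '* Connected to host (ip) port N' line, or None."""
    m = re.search(r"\* Connected to \S+ \(([\d.]+)\) port", curl_output)
    return m.group(1) if m else None


def is_auto_allocated(ip):
    return ipaddress.ip_address(ip) in AUTO_ALLOCATED_RANGE


def dns_capture_effective(iptables_log, netstat_output, curl_output, resolver_ip):
    """Return (ok, findings); an empty findings list means every check passed.
    resolver_ip is the nameserver from the pod's /etc/resolv.conf."""
    findings = []
    rules = capture_rules(iptables_log)
    listeners = proxy_listeners(netstat_output)
    for proto in ("udp", "tcp"):
        if rules.get(proto) != resolver_ip:
            findings.append(f"no {proto} port-53 redirect for resolver {resolver_ip}")
        if proto not in listeners:
            findings.append(f"pilot-agent is not listening on {proto}/{DNS_PROXY_PORT}")
    ip = connected_address(curl_output)
    if ip is None:
        findings.append("curl output has no 'Connected to' line")
    elif not is_auto_allocated(ip):
        findings.append(f"curl connected to {ip}, not an auto-allocated VIP: the query was not answered by the sidecar")
    return not findings, findings


# Constructed samples in the format shown on this page.
IPTABLES_LOG = """\
-A OUTPUT -p udp --dport 53 -d 192.168.0.10/32 -j REDIRECT --to-port 15053
-A ISTIO_OUTPUT -p tcp --dport 53 -d 192.168.0.10/32 -j REDIRECT --to-ports 15053
"""
NETSTAT_OUTPUT = """\
tcp        0      0 127.0.0.1:15053         0.0.0.0:*               LISTEN      1/pilot-agent
udp        0      0 127.0.0.1:15053         0.0.0.0:*                           1/pilot-agent
"""
CURL_OUTPUT = """\
*   Trying 240.240.0.1:443...
* Connected to aliyun.com (240.240.0.1) port 443 (#0)
"""
CURL_BYPASSED = """\
*   Trying 203.0.113.7:443...
* Connected to aliyun.com (203.0.113.7) port 443 (#0)
"""

if __name__ == "__main__":
    for label, curl in (("captured", CURL_OUTPUT), ("bypassed", CURL_BYPASSED)):
        ok, findings = dns_capture_effective(IPTABLES_LOG, NETSTAT_OUTPUT, curl, "192.168.0.10")
        print(label, "ok" if ok else findings)
```

A finding on the curl check with a public address usually means the pod was not restarted after the annotation was added, or the application resolved the name through a server other than the one in the iptables rule.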

Enable debug logs for the DNS proxy feature

After you enable debug logs for the DNS proxy feature, the pilot-agent process records every DNS query that is initiated from the application container.

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the details page, choose Workloads > Deployments.

  5. On the Deployments page, find the application for which you want to enable the DNS proxy feature and choose More > View in YAML in the Actions column.

  6. In the Edit YAML dialog box, add the following annotation under spec.template.metadata (the pod template), and then click Update:

    annotations:
      sidecar.istio.io/agentLogLevel: "dns:debug"


  7. Run the following command in the cluster to view the logs of the istio-proxy container. Each DNS entry spans several lines, so do not filter the output with grep debug, which would keep only the first line of every entry:

    kubectl logs -n default sleep-85fdfd8896-2ctq4 -c istio-proxy


    2022-03-28T12:15:05.064562Z    debug    dns    request ;; opcode: QUERY, status: NOERROR, id: 16390
    ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;alibabacloud.com.default.svc.cluster.local.    IN     AAAA
        protocol=udp edns=false id=1c71c9f1-e051-49e9-8d04-d7c82ee****
    2022-03-28T12:15:05.064572Z    debug    dns    request ;; opcode: QUERY, status: NOERROR, id: 16016
    ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;alibabacloud.com.default.svc.cluster.local.    IN     A
        protocol=udp edns=false id=4cec8078-5355-4d1b-b496-ab57367****
    2022-03-28T12:15:05.064593Z    debug    dns    response for hostname "alibabacloud.com.default.svc.cluster.local." (found=true): ;; opcode: QUERY, status: NOERROR, id: 16390
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;alibabacloud.com.default.svc.cluster.local.    IN     AAAA
        protocol=udp edns=false id=1c71c9f1-e051-49e9-8d04-d7c82ee****
    2022-03-28T12:15:05.064614Z    debug    dns    response for hostname "alibabacloud.com.default.svc.cluster.local." (found=true): ;; opcode: QUERY, status: NOERROR, id: 16016
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;alibabacloud.com.default.svc.cluster.local.    IN     A
    
    ;; ANSWER SECTION:
    alibabacloud.com.default.svc.cluster.local.    30    IN    CNAME    alibabacloud.com.
    alibabacloud.com.    30    IN    A    240.240.**.**
        protocol=udp edns=false id=4cec8078-5355-4d1b-b496-ab573670****

    The log entries that contain found=true show queries whose hostname was found in the local registry of the sidecar proxy (Kubernetes services and service entry hosts) and answered there without contacting the cluster DNS server. In the example, the application first queried alibabacloud.com.default.svc.cluster.local., the name expanded by the search list in /etc/resolv.conf, and the proxy answered with a CNAME to alibabacloud.com. and the virtual IP address 240.240.**.**. A query whose hostname is not in the registry is logged with found=false and forwarded to the upstream DNS servers listed in /etc/resolv.conf; these entries are the ones to review when you want to know which names an application resolves outside the mesh registry.
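The following parser is an added example and is not part of this topic or of ASM. It reads pilot-agent dns:debug entries in the format shown above and turns them into a per-pod record of which names the application resolved, what the sidecar answered, and whether the answer came from the mesh registry (found=true) or the query was forwarded to the cluster DNS server (found=false). The log text below is constructed in the page's format: the request and the found=true response follow the entries above, while the address 240.240.0.1 and the found=false entry for telemetry.example.net (answer 203.0.113.9) are made up.

```python
"""Added example: parse pilot-agent dns:debug log entries into per-hostname
resolution records. Not ASM or Istio code; the log below is constructed."""
import re

HEADER = re.compile(
    r'^(?P<ts>\S+)\s+debug\s+dns\s+(?P<kind>request|response for hostname '
    r'"(?P<host>[^"]+)" \(found=(?P<found>true|false)\))'
)
QUESTION = re.compile(r'^;(?P<qname>\S+)\s+IN\s+(?P<qtype>[A-Z]+)$')
ANSWER = re.compile(r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$')
TRAILER = re.compile(r'^\s*protocol=(?P<proto>\w+)\s+edns=\w+\s+id=(?P<id>\S+)')


def parse_dns_debug_log(text):
    """One record per request/response entry. An entry starts at a
    'debug dns' header line and ends at its 'protocol=... id=...' trailer."""
    records, current, in_answers = [], None, False
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = {"time": head["ts"], "kind": "response" if head["host"] else "request",
                       "hostname": head["host"],
                       "found": None if head["found"] is None else head["found"] == "true",
                       "qname": None, "qtype": None, "answers": []}
            records.append(current)
            in_answers = False
            continue
        if current is None:
            continue
        trailer = TRAILER.match(line)
        if trailer:
            current["protocol"], current["id"] = trailer["proto"], trailer["id"]
            current, in_answers = None, False
            continue
        stripped = line.strip()
        if stripped == ";; ANSWER SECTION:":
            in_answers = True
            continue
        if stripped.startswith(";;") or not stripped:
            in_answers = False
            continue
        q = QUESTION.match(stripped)
        if q:
            current["qname"], current["qtype"] = q["qname"], q["qtype"]
            continue
        a = ANSWER.match(stripped)
        if in_answers and a:
            current["answers"].append((a["name"], a["rtype"], a["rdata"]))
    return records


def resolution_summary(records):
    """Per queried hostname: whether the sidecar knew it, the CNAME it returned
    for a search-list-expanded name, and the addresses it handed back."""
    summary = {}
    for rec in records:
        if rec["kind"] != "response":
            continue
        entry = summary.setdefault(rec["hostname"], {"found": rec["found"], "cname": None, "addresses": set()})
        for name, rtype, rdata in rec["answers"]:
            if rtype == "CNAME":
                entry["cname"] = rdata
            elif rtype in ("A", "AAAA"):
                entry["addresses"].add(rdata)
    return summary


def forwarded_upstream(records):
    """Hostnames the proxy did not know and forwarded to the cluster DNS server."""
    return sorted({r["hostname"] for r in records if r["kind"] == "response" and r["found"] is False})


# Constructed sample log in the page's format (addresses and the second host are made up).
DEBUG_LOG = """\
2022-03-28T12:15:05.064572Z    debug    dns    request ;; opcode: QUERY, status: NOERROR, id: 16016
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     A
    protocol=udp edns=false id=4cec8078-5355-4d1b-b496-ab5736700000
2022-03-28T12:15:05.064614Z    debug    dns    response for hostname "alibabacloud.com.default.svc.cluster.local." (found=true): ;; opcode: QUERY, status: NOERROR, id: 16016
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     A

;; ANSWER SECTION:
alibabacloud.com.default.svc.cluster.local.    30    IN    CNAME    alibabacloud.com.
alibabacloud.com.    30    IN    A    240.240.0.1
    protocol=udp edns=false id=4cec8078-5355-4d1b-b496-ab5736700000
2022-03-28T12:15:07.100000Z    debug    dns    response for hostname "telemetry.example.net." (found=false): ;; opcode: QUERY, status: NOERROR, id: 2211
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;telemetry.example.net.    IN     A

;; ANSWER SECTION:
telemetry.example.net.    60    IN    A    203.0.113.9
    protocol=udp edns=false id=0f0f0f0f-1111-2222-3333-444444444444
"""

if __name__ == "__main__":
    recs = parse_dns_debug_log(DEBUG_LOG)
    for host, info in resolution_summary(recs).items():
        print(host, info)
    print("forwarded to cluster DNS:", forwarded_upstream(recs))
```

Pipe kubectl logs POD -c istio-proxy into parse_dns_debug_log to get the same view for a running pod; the forwarded_upstream list is the set of names that left the mesh registry and is the natural input for an allow-list check on outbound DNS.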