diff options
Diffstat (limited to 'man/coredns-loop.7')
| -rw-r--r-- | man/coredns-loop.7 | 28 |
1 files changed, 24 insertions, 4 deletions
diff --git a/man/coredns-loop.7 b/man/coredns-loop.7 index 87317de50..08f2fa719 100644 --- a/man/coredns-loop.7 +++ b/man/coredns-loop.7 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "COREDNS\-LOOP" "7" "October 2018" "CoreDNS" "CoreDNS plugins" +.TH "COREDNS\-LOOP" "7" "December 2018" "CoreDNS" "CoreDNS plugins" . .SH "NAME" \fIloop\fR \- detect simple forwarding loops and halt the server\. @@ -67,7 +67,15 @@ the loop must occur for at least the \fBHINFO\fR query type\. When CoreDNS logs contain the message \fBForwarding loop detected \.\.\.\fR, this means that the \fBloop\fR detection plugin has detected an infinite forwarding loop in one of the upstream DNS servers\. This is a fatal error because operating with an infinite loop will consume memory and CPU until eventual out of memory death by the host\. . .P -A forwarding loop is usually caused by: * Most commonly, CoreDNS forwarding requests directly to itself\. e\.g\. to \fB127\.0\.0\.1\fR or \fB127\.0\.0\.53\fR * Less commonly, CoreDNS forwarding to an upstream server that in turn, forwards requests back to CoreDNS\. +A forwarding loop is usually caused by: +. +.IP "\(bu" 4 +Most commonly, CoreDNS forwarding requests directly to itself\. e\.g\. via a loopback address such as \fB127\.0\.0\.1\fR, \fB::1\fR or \fB127\.0\.0\.53\fR +. +.IP "\(bu" 4 +Less commonly, CoreDNS forwarding to an upstream server that in turn, forwards requests back to CoreDNS\. +. +.IP "" 0 . .P To troubleshoot this problem, look in your Corefile for any \fBproxy\fR or \fBforward\fR to the zone in which the loop was detected\. Make sure that they are not forwarding to a local address or to another DNS server that is forwarding requests back to CoreDNS\. If \fBproxy\fR or \fBforward\fR are using a file (e\.g\. \fB/etc/resolv\.conf\fR), make sure that file does not contain local addresses\. @@ -76,7 +84,19 @@ To troubleshoot this problem, look in your Corefile for any \fBproxy\fR or \fBfo When a CoreDNS Pod deployed in Kubernetes detects a loop, the CoreDNS Pod will start to "CrashLoopBackOff"\. This is because Kubernetes will try to restart the Pod every time CoreDNS detects the loop and exits\. . .P -A common cause of forwarding loops in Kubernetes clusters is an interaction with \fBsystemd\-resolved\fR on the host node\. \fBsystemd\-resolved\fR will, in certain configurations, put \fB127\.0\.0\.53\fR as an upstream into \fB/etc/resolv\.conf\fR\. Kubernetes (\fBkubelet\fR) by default will pass this \fB/etc/resolv/conf\fR file to all Pods using the \fBdefault\fR dnsPolicy (this includes CoreDNS Pods)\. CoreDNS then uses this \fB/etc/resolv\.conf\fR as a list of upstreams to proxy/forward requests to\. Since it contains a local address, CoreDNS ends up forwarding requests to itself\. +A common cause of forwarding loops in Kubernetes clusters is an interaction with a local DNS cache on the host node (e\.g\. \fBsystemd\-resolved\fR)\. For example, in certain configurations \fBsystemd\-resolved\fR will put the loopback address \fB127\.0\.0\.53\fR as a nameserver into \fB/etc/resolv\.conf\fR\. Kubernetes (via \fBkubelet\fR) by default will pass this \fB/etc/resolv\.conf\fR file to all Pods using the \fBdefault\fR dnsPolicy rendering them unable to make DNS lookups (this includes CoreDNS Pods)\. CoreDNS uses this \fB/etc/resolv\.conf\fR as a list of upstreams to proxy/forward requests to\. Since it contains a loopback address, CoreDNS ends up forwarding requests to itself\. . .P -There are many ways to work around this issue, some are listed here: * Add the following to \fBkubelet\fR: \fB\-\-resolv\-conf /run/systemd/resolve/resolv\.conf\fR\. This flag tells \fBkubelet\fR to pass an alternate \fBresolv\.conf\fR to Pods\. For \fBsystemd\-resolved\fR, \fB/run/systemd/resolve/resolv\.conf\fR is typically the location of the "original" \fB/etc/resolv\.conf\fR\. * Disable \fBsystemd\-resolved\fR on host nodes, and restore \fB/etc/resolv\.conf\fR to the original\. * A quick and dirty fix is to edit your Corefile, replacing \fBproxy \. /etc/resolv\.conf\fR with the ip address of your upstream DNS, for example \fBproxy \. 8\.8\.8\.8\fR\. +There are many ways to work around this issue, some are listed here: +. +.IP "\(bu" 4 +Add the following to \fBkubelet\fR: \fB\-\-resolv\-conf <path\-to\-your\-real\-resolv\-conf\-file>\fR\. Your "real" \fBresolv\.conf\fR is the one that contains the actual IPs of your upstream servers, and no local/loopback address\. This flag tells \fBkubelet\fR to pass an alternate \fBresolv\.conf\fR to Pods\. For systems using \fBsystemd\-resolved\fR, \fB/run/systemd/resolve/resolv\.conf\fR is typically the location of the "real" \fBresolv\.conf\fR, although this can be different depending on your distribution\. +. +.IP "\(bu" 4 +Disable the local DNS cache on host nodes, and restore \fB/etc/resolv\.conf\fR to the original\. +. +.IP "\(bu" 4 +A quick and dirty fix is to edit your Corefile, replacing \fBproxy \. /etc/resolv\.conf\fR with the ip address of your upstream DNS, for example \fBproxy \. 8\.8\.8\.8\fR\. But this only fixes the issue for CoreDNS, kubelet will continue to forward the invalid \fBresolv\.conf\fR to all \fBdefault\fR dnsPolicy Pods, leaving them unable to resolve DNS\. +. +.IP "" 0 + |