
Need way to tell aardvark DNS to refer to a particular DNS, and not host's configured DNS #228

Closed
dshenai opened this issue Sep 20, 2022 · 13 comments

Comments

@dshenai

dshenai commented Sep 20, 2022

This is a request for enhancement.

Currently, aardvark DNS resolves container names, and for anything it cannot resolve on its own, it refers to the configured resolvers on the host. The requirement is: a way to tell aardvark DNS to refer to a particular DNS server, and not the host's configured DNS. This is because I need the host to work on one DNS server and the container to work on a separate DNS server.

I tried doing this by bind mounting an alternate_resolve.conf from the host into the container. It has 2 entries. The first is for aardvark DNS and the second is for an alternate DNS (say DNS1). Now, note that my host has DNS2 in its resolv.conf.
Expected behavior:
For FQDNs that aardvark DNS can not resolve, my expectation is that the forward request should go to DNS1.
Observed behavior:
Instead, it goes to DNS2.

Kindly guide me to understand whether this is a valid requirement.
Also, as this is not working currently, is there a workaround to make it work?

Thank you

@flouthoc
Collaborator

Hi @dshenai, thanks for creating the issue.

As of now, users don't directly configure aardvark-dns, and I'm not sure if there is a plan to provide any direct configuration. But I think a config via containers.conf can be opened up, and podman can thus convey to aardvark which resolver to use; by default it can keep using the host's resolver.

Tagging other maintainers for their opinion on this @Luap99 @mheon @baude WDYT?

@mheon
Member

mheon commented Sep 20, 2022

We do not use the host's DNS, but the container's DNS, which defaults to the same nameservers as the host. Setting container default DNS servers in containers.conf ought to do what you want.

@flouthoc
Collaborator

Okay, it's already there; see the field dns_servers here: https://github.com/containers/common/blob/main/docs/containers.conf.5.md

@Luap99
Member

Luap99 commented Sep 20, 2022

> We do not use the host's DNS, but the container's DNS, which defaults to the same nameservers as the host. Setting container default DNS servers in containers.conf ought to do what you want.

I don't think this is true; aardvark-dns has no access to the container's DNS servers, so it just uses the host /etc/resolv.conf as upstream servers:

```rust
// aardvark-dns reads the host's resolver configuration directly
if let Ok(mut f) = File::open("/etc/resolv.conf") {
```

@mheon
Member

mheon commented Sep 20, 2022

...Did we not implement that yet? Because that was definitely in the original design doc.

@mheon
Member

mheon commented Sep 20, 2022

Well, we have a session later today about new functionality, we can add this to it.

@dshenai
Author

dshenai commented Sep 21, 2022

Thank you for your quick responses.
Is it possible to confirm that this is accepted as an enhancement?

Secondly, is there a way, for now, to work around this so that aardvark DNS talks to the configured resolver inside the container? From the snippet that @Luap99 posted above, it looks like this is not possible. Still being hopeful and asking the question.

Thank you

@Luap99
Member

Luap99 commented Sep 21, 2022

> Is it possible to confirm that this is accepted as an enhancement?

Yes, that is something we want to fix for sure. I don't think there is a workaround.

@M1cha

M1cha commented Nov 20, 2022

It'd also be great if we could completely disable using any DNS servers at all. Most of my containers don't have internet access (nftables firewall). Having aardvark forward requests to a DNS server on the internet allows for DNS tunneling attacks.

To make this useful, this should be configurable per container though, either by having podman run multiple aardvark instances or by making aardvark aware of where the request is coming from.
EDIT: I don't think that's necessary, because podman adds the host's DNS to the container's resolv.conf anyway, so I can filter that via nftables.

@Luap99
Member

Luap99 commented May 10, 2023

This was fixed a while back in #240 AFAIK, so closing this.

@Luap99 Luap99 closed this as completed May 10, 2023
@dshenai
Author

dshenai commented May 10, 2023

Hi,
There is a slight mismatch here.
On a host, DNS resolution works like this: the contents of resolv.conf are referred to. If I update resolv.conf, I do not have to restart the host. It is plug and play.
On a container with Netavark, resolution will work as per #240: every time I have to change the DNS, I need to restart the container. Could we not have plug and play here also?
Thank you

@flouthoc
Collaborator

@dshenai Now podman allows adding custom resolvers at the network level, and they can be updated without restarting the container. Check https://docs.podman.io/en/latest/markdown/podman-network-update.1.html. I think this should help you if I understood your problem correctly.
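The two behaviours discussed in this thread, aardvark-dns reading upstream resolvers from the host's /etc/resolv.conf (the snippet @Luap99 quoted) and, after #240, per-network DNS servers taking precedence, are modelled below. This is an added illustration, not aardvark-dns or podman code: the parsing rules, the precedence order, the address 10.89.0.1 for the aardvark listener and every resolv.conf body are constructed assumptions. The last function ties in @M1cha's point: it lists the nameservers in a container's resolv.conf that sit outside the container network, which is exactly the traffic a host firewall has to account for.

```python
"""Model of aardvark-dns upstream resolver selection (constructed example).

Assumptions (not taken from aardvark-dns source):
  * only 'nameserver' lines of resolv.conf matter; comments, 'search' and
    'options' are ignored and non-IP entries are dropped;
  * post-#240 precedence: per-network DNS servers, else host resolv.conf;
  * the aardvark listener address is never used as its own upstream.
"""
from __future__ import annotations

import ipaddress

# Constructed sample data mirroring the scenario in the issue.
AARDVARK = "10.89.0.1"          # assumed aardvark listener on the bridge
DNS1 = "10.1.1.53"              # resolver the container should use
DNS2 = "10.0.0.53"              # resolver configured on the host
HOST_RESOLV = "nameserver 10.0.0.53  # DNS2\nsearch example.test\noptions ndots:1\n"
CONTAINER_RESOLV = "nameserver 10.89.0.1\nnameserver 10.1.1.53\n"


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers: list[str] = []
    for raw in text.splitlines():
        # strip '#' and ';' comments, then blank lines
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            # malformed entry: skip rather than forward queries to it
            continue
    return servers


def upstream_resolvers(network_dns: list[str], host_resolv_conf: str,
                       aardvark_addr: str) -> list[str]:
    """Resolvers that non-container names would be forwarded to.

    Assumed order: explicit per-network servers win; otherwise fall back
    to the host's resolv.conf. The container's own resolv.conf is never
    consulted, which is why a bind-mounted file changes nothing.
    """
    candidates = network_dns if network_dns else parse_resolv_conf(host_resolv_conf)
    return [s for s in candidates if s != aardvark_addr]


def upstream_before_fix() -> list[str]:
    """Pre-#240: no network-level servers, so the host's DNS2 is used."""
    return upstream_resolvers([], HOST_RESOLV, AARDVARK)


def upstream_after_fix() -> list[str]:
    """Post-#240 with 'podman network create --dns 10.1.1.53': DNS1 wins."""
    return upstream_resolvers([DNS1], HOST_RESOLV, AARDVARK)


def offnet_resolvers(resolv_text: str, container_subnet: str) -> list[str]:
    """Nameservers in a container's resolv.conf outside its own subnet.

    These are the entries podman adds beside the aardvark address; a host
    firewall that should confine DNS to the local resolver must cover them.
    """
    net = ipaddress.ip_network(container_subnet)
    return [s for s in parse_resolv_conf(resolv_text)
            if ipaddress.ip_address(s) not in net]


if __name__ == "__main__":
    print("before #240:", upstream_before_fix())   # ['10.0.0.53']
    print("after #240: ", upstream_after_fix())    # ['10.1.1.53']
    print("off-network:", offnet_resolvers(CONTAINER_RESOLV, "10.89.0.0/24"))
```

Run with `python3 aardvark_model.py`; the precedence function is the part to adapt if you want to check a real network's `dns_servers` list against what `podman network inspect` reports.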

@dshenai
Author

dshenai commented May 11, 2023

Thanks @flouthoc. That link proved helpful.

6 participants