
vpn-tcp (sshuttle) method doesn't work with minikube: breaks DNS for non-kubernetes domains #160

Closed
itamarst opened this Issue Jun 2, 2017 · 1 comment


itamarst commented Jun 2, 2017

Let's say you resolve a non-k8s domain example.com.

  1. sshuttle captures DNS queries to nameserver x.
  2. It sends it to the proxy running inside Kubernetes (see remote/forwarder.py).
  3. The proxy does gethostbyname, basically, which sends it to Kube DNS.
  4. Kube DNS can't resolve it, so it moves on to normal DNS servers.
  5. (hypothesized, but I assume that's what's going on:) sshuttle captures DNS, back to step 1.

So you end up in a loop.

The result is that on minikube/minishift/any sort of local k8s cluster, DNS for non-k8s domains breaks when using the vpn-tcp method.

A potential solution is maybe a smarter DNS proxy that can detect non-Kubernetes domains and send them to a DNS server that sshuttle isn't capturing traffic for.

@itamarst itamarst added the bug label Jun 2, 2017

@itamarst itamarst added this to Next in Telepresence Jun 6, 2017

itamarst commented Jun 26, 2017

In real environments (e.g. AWS) we want to use local DNS servers. On minikube, though, restricting to global DNS will work for the majority of people in smaller organizations.

Thus, I propose:

  1. If minikube is detected, DNS lookups in vpn-tcp mode:
    • Recreate logic in DNS libraries for domain searches, so they can do the .local lookups themselves. Probably need just enough to support Kubernetes services, no more.
    • Otherwise go to some random global DNS server chosen to be different than the ones used on the host machine. This will break the infinite loop.
  2. If minikube is not detected, do what we do now: proxy to the normal DNS lookup for Kubernetes.

This will break:

  1. VMs that aren't detected yet, e.g. minishift.
  2. DNS lookups that aren't available in global DNS, i.e. organization-specific DNS.

This is an improvement over the current situation, though, and would allow us to make vpn-tcp the default in docs.
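The proposed minikube-mode lookup logic from the comment above, written out as an added, offline-testable example (not Telepresence's own code). It reproduces resolver search-list expansion for the Kubernetes suffixes and routes everything else to a public resolver that is deliberately not the host nameserver sshuttle captures, which is what breaks the loop described in the issue. The search list, ndots value and all server addresses are constructed placeholders.

```python
# Added example, not Telepresence code: search-domain expansion plus
# upstream selection for a DNS proxy running in vpn-tcp mode on minikube.
from typing import List, Tuple

# Constructed sample values resembling a pod's resolv.conf:
KUBE_SEARCH = ["default.svc.cluster.local", "svc.cluster.local", "cluster.local"]
NDOTS = 5
KUBE_DNS = "10.0.0.10"               # cluster DNS (placeholder)
HOST_DNS = "192.168.1.1"             # nameserver sshuttle captures on the host (placeholder)
GLOBAL_DNS = ["8.8.8.8", "1.1.1.1"]  # public resolvers to choose from (placeholder)


def expand_search(name: str, search: List[str], ndots: int) -> List[str]:
    """Reproduce resolver search-list expansion (glibc ndots semantics).

    A trailing dot marks an absolute name and disables the search list.
    Names with fewer than `ndots` dots try the search suffixes first and
    the bare name last; names with >= ndots dots try the bare name first.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:
        return [name] + candidates
    return candidates + [name]


def is_cluster_name(fqdn: str, search: List[str]) -> bool:
    """True if the name lies under a Kubernetes search domain, so Kube DNS
    answers it directly and the query cannot loop back to the host."""
    return any(fqdn == s or fqdn.endswith("." + s) for s in search)


def pick_global_dns(candidates: List[str], captured: str) -> str:
    """Choose a public resolver that is not the server sshuttle captures,
    so forwarded queries never re-enter the tunnel."""
    for server in candidates:
        if server != captured:
            return server
    raise RuntimeError("no global DNS server distinct from the captured one")


def plan_lookup(name: str) -> List[Tuple[str, str]]:
    """Return the (fqdn, nameserver) attempts the proxy should make, in order."""
    upstream = pick_global_dns(GLOBAL_DNS, HOST_DNS)
    plan: List[Tuple[str, str]] = []
    for fqdn in expand_search(name, KUBE_SEARCH, NDOTS):
        server = KUBE_DNS if is_cluster_name(fqdn, KUBE_SEARCH) else upstream
        plan.append((fqdn, server))
    return plan
```

For a non-Kubernetes name such as example.com, the final attempt goes to the public resolver rather than the captured host nameserver, so the loop from the issue description cannot form; a bare service name still resolves through Kube DNS via the search suffixes.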

@itamarst itamarst moved this from Next to In progress in Telepresence Jun 27, 2017

itamarst added a commit that referenced this issue Jun 28, 2017

@itamarst itamarst removed this from In progress in Telepresence Jun 28, 2017
