commitdev/zero-aws-eks-stack

Fix DNS resolution through VPN

bmonkman opened this issue · 6 comments

In #257 we added support for WireGuard VPN, though it seems like DNS resolution through the VPN is not working properly.
This is quite important to make this a useful way for people to interact with the system, so we should get it running.

Requirements (per @bmonkman)

  • Able to resolve VPC DNS names (like the RDS domain) to internal IPs

Solutions (draft)

Server side:

  • option 1: use existing DNS server
    a. from k8s (kube-dns)
    b. from vpc (169.254.169.254)
  • option 2: create a Route53 resolver as DNS server
  • option 3: create an internal DNS server with the following options:
    a. inside wireguard pod
    b. a pod
    c. an EC2 instance

Client side: add DNS into WireGuard client configuration

DNS =

Per discussion with @bmonkman, we prefer option 1.a if it covers both k8s and VPC.

Per testing, as long as I set DNS = 172.20.0.10 in the WireGuard client configuration, all worked.

For confirmation:

  • DNS level
    *Note: on macOS, use its DNS tool dscacheutil (rather than nslookup/dig, which do not work with the macOS mDNS resolver)
$ dscacheutil -q host -a name ip-10-10-81-4.us-west-2.compute.internal
name: ip-10-10-81-4.us-west-2.compute.internal
ip_address: 10.10.81.4

$ dscacheutil -q host -a name database.piggycloud2-me.svc.cluster.local
name: piggycloud2-me-stage.cmz3djbw9edx.us-west-2.rds.amazonaws.com
alias: database.piggycloud2-me.svc.cluster.local
ip_address: 10.10.10.183

$ dscacheutil -q host -a name piggycloud2-me-stage.cmz3djbw9edx.us-west-2.rds.amazonaws.com
name: piggycloud2-me-stage.cmz3djbw9edx.us-west-2.rds.amazonaws.com
ip_address: 10.10.10.183
  • TCP/IP level
$ telnet database.piggycloud2-me.svc.cluster.local 3306
Trying 10.10.10.183...
Connected to piggycloud2-me-stage.cmz3djbw9edx.us-west-2.rds.amazonaws.com.
Escape character is '^]'.
J
5.7.26Z&+%CyXZ/su=B{R_6%mysql_native_password^C
^C
Connection closed by foreign host.

PR: #111
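The fix above only works when the resolver address in `DNS =` is itself routed through the tunnel: if 172.20.0.10 is not covered by a `Peer` `AllowedIPs` prefix, the client's queries never enter the tunnel and resolution silently fails or falls back to the host resolver. The script below is an added example (not code from the zero-aws-eks-stack project or from the PR) that parses a wg-quick client config and checks that every `DNS` address falls inside one of the `AllowedIPs` prefixes. The embedded config is constructed for illustration; its endpoint, keys and 10.200.0.0 tunnel address are placeholders, and the 10.10.0.0/16 and 172.20.0.0/16 prefixes are assumed to be the VPC CIDR and the EKS service CIDR, which is what the kube-dns ClusterIP 172.20.0.10 in this issue implies.

```shell
#!/usr/bin/env bash
# Added example, not from the project: verify that the DNS server named in a
# wg-quick [Interface] section is reachable through the tunnel, i.e. covered by
# some Peer AllowedIPs prefix. Pure bash/POSIX tools, no network access needed.
set -eu

# Constructed sample config. Keys, endpoint and tunnel address are placeholders;
# DNS is the kube-dns ClusterIP from the issue, AllowedIPs assumes the VPC CIDR
# (10.10.0.0/16) plus the EKS service CIDR (172.20.0.0/16).
SAMPLE_CONF='[Interface]
PrivateKey = <client-private-key>
Address = 10.200.0.2/32
DNS = 172.20.0.10

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.internal:51820
AllowedIPs = 10.10.0.0/16, 172.20.0.0/16
PersistentKeepalive = 25'

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains PREFIX IP -> exit 0 if IP lies inside PREFIX (a bare IP is /32)
cidr_contains() {
  local prefix=$1 ip=$2 net bits mask
  case $prefix in
    */*) net=${prefix%/*}; bits=${prefix#*/} ;;
    *)   net=$prefix;      bits=32 ;;
  esac
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$ip") & mask )) ]
}

# conf_values CONF KEY -> every value of "KEY = a, b, c" lines, one per line
conf_values() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | tr ',' '\n' | tr -d ' ' | sed '/^$/d'
}

# check_dns_routed CONF -> prints "ok <ip>" or "unrouted <ip>" per DNS entry and
# returns 1 if any DNS server is not covered by an AllowedIPs prefix.
check_dns_routed() {
  local conf=$1 rc=0 dns_list dns prefix found
  dns_list=$(conf_values "$conf" DNS)
  if [ -z "$dns_list" ]; then
    echo "no DNS line in [Interface]"
    return 1
  fi
  for dns in $dns_list; do
    found=0
    for prefix in $(conf_values "$conf" AllowedIPs); do
      if cidr_contains "$prefix" "$dns"; then found=1; break; fi
    done
    if [ "$found" -eq 1 ]; then
      echo "ok $dns"
    else
      echo "unrouted $dns"
      rc=1
    fi
  done
  return $rc
}

check_dns_routed "$SAMPLE_CONF"
```

Run it against a real client config by replacing `SAMPLE_CONF` with `$(cat /etc/wireguard/wg0.conf)`. Two caveats for the options listed earlier in the thread: kube-dns answers both `*.svc.cluster.local` and VPC names only because CoreDNS forwards everything it is not authoritative for to the node's upstream resolver, so 1.a depends on that forwarding staying enabled; and the Amazon-provided VPC resolver lives at 169.254.169.253 (the VPC base address plus two), whereas 169.254.169.254 is the EC2 instance metadata service, which does not serve DNS.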

Completed