containers/aardvark-dns

Need way to tell aardvark DNS to refer to a particular DNS, and not host's configured DNS

dshenai opened this issue · 13 comments

This is a request for enhancement.

Currently aardvark DNS resolves container names and, for anything it cannot resolve on its own, it refers to the configured resolvers on the host. The requirement is: I need a way to tell aardvark DNS to refer to a particular DNS, and not the host's configured DNS. This is because I need the host to work on one DNS and the container to work on a separate DNS.

I tried doing this by bind mounting an alternate_resolve.conf from the host into the container. It has 2 entries: the first is the aardvark DNS and the second is the alternate DNS (say DNS1). Now, note that my host has DNS2 in its resolv.conf.
Expected behavior:
For FQDNs that aardvark DNS can not resolve, my expectation is that the forward request should go to DNS1.
Observed behavior:
Instead, it goes to DNS2.

Kindly guide me to understand whether this is a valid requirement.
Also, as this is not working currently, is there a workaround to make it work?

Thank you

Hi @dshenai , Thanks for creating the issue.

As of now users don't directly configure aardvark-dns, and I'm not sure if there is a plan to provide any direct configuration. But I think a config via containers.conf can be opened up, and podman can thus convey to aardvark which resolver to use; by default it can keep using the host's resolver.

Tagging other maintainers for their opinion on this @Luap99 @mheon @baude WDYT ?

mheon commented

We do not use the host's DNS, but the container's DNS, which defaults to the same nameservers as the host. Setting container default DNS servers in containers.conf ought to do what you want.

Okay, it's already there, see field dns_servers here: https://github.com/containers/common/blob/main/docs/containers.conf.5.md

We do not use the host's DNS, but the container's DNS, which defaults to the same nameservers as the host. Setting container default DNS servers in containers.conf ought to do what you want.

I don't think this is true; aardvark-dns has no access to the container's DNS servers, so it just uses the host's /etc/resolv.conf as upstream servers:

if let Ok(mut f) = File::open("/etc/resolv.conf") {

mheon commented

...Did we not implement that yet? Because that was definitely in the original design doc.

mheon commented

Well, we have a session later today about new functionality, we can add this to it.

Thank you for your quick responses.
Is it possible to confirm that this is accepted as an enhancement?

Secondly, is there a way, for now, to work around this so that the aardvark DNS talks to the configured resolver inside the container? From the snippet that @Luap99 posted above, it looks like this is not possible. Still being hopeful and asking the question.

Thank you

Is it possible to confirm that this is accepted as an enhancement?

Yes that is something we want to fix for sure. I don't think there is a workaround.

M1cha commented

It'd also be great if we could completely disable using any DNS servers at all. Most of my containers don't have internet access (nftables firewall). Having aardvark forward requests to a DNS server on the internet allows for DNS tunneling attacks.

To make this useful this should be configurable per container though - either by having podman run multiple aardvark instances or by making aardvark aware where the request is coming from.
EDIT: I don't think that's necessary because podman adds the host's DNS to the container's resolv.conf anyway, so I can filter that via nftables.

Luap99 commented

This was fixed a while back in #240 AFAIK, so closing this.

Hi
There is a slight mismatch here.
On a host, DNS resolution works like this: the contents of resolv.conf are referred to. If I update resolv.conf, I do not have to restart the host. It is plug and play.
On a container with Netavark, resolution will work as per #240 like this: every time I have to change the DNS, I need to restart the container. Could we not have plug and play here also?
Thank you

@dshenai Podman now allows adding custom resolvers at the network level, and they can be updated without restarting the container. Check https://docs.podman.io/en/latest/markdown/podman-network-update.1.html I think this should help you if I understood your problem correctly.
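The procedure the comment above points at, written out as an added example (it is not code from the issue or from the podman/netavark projects). It assumes Podman 4.5 or later with netavark and aardvark-dns, where `podman network create --dns` and `podman network update --dns-add` / `--dns-drop` exist; the network name, container name and resolver addresses are made up. The live part only runs when `podman` is installed; `nameservers_from_resolv` is a plain-shell helper for reading a resolv.conf and works anywhere.

```shell
#!/bin/sh
# Added example: per-network upstream resolvers for aardvark-dns, changed
# live with `podman network update`. Not from the issue or the project.
# Assumes Podman >= 4.5 with netavark/aardvark-dns. Names and IPs are made up.
set -eu

NET=dns-demo-net
CTR=dns-demo-ctr
DNS1=10.1.1.53        # resolver the containers should use instead of the host's (made up)
DNS1_NEW=10.2.2.53    # replacement resolver, swapped in without a container restart (made up)

# Print the nameserver addresses from resolv.conf text on stdin, in order.
# Pure shell, so it can be checked without podman. Used below to show what
# the container actually sees in its own /etc/resolv.conf.
nameservers_from_resolv() {
    awk '$1 == "nameserver" { print $2 }'
}

demo() {
    # 1. Network-scoped upstream resolver: names aardvark-dns cannot answer
    #    itself are forwarded to DNS1, not to the host's resolv.conf entries.
    podman network create --dns "$DNS1" "$NET"
    podman run -d --name "$CTR" --network "$NET" alpine sleep 600

    # What the container sees: aardvark's own address as nameserver. The
    # upstream lives in the network definition, so inspect the network for it.
    echo "container nameservers:"
    podman exec "$CTR" cat /etc/resolv.conf | nameservers_from_resolv
    echo "network upstream resolvers:"
    podman network inspect "$NET" | grep -A2 network_dns_servers || true

    # 2. Swap the upstream resolver while the container keeps running.
    podman network update --dns-add "$DNS1_NEW" --dns-drop "$DNS1" "$NET"
    echo "network upstream resolvers after update:"
    podman network inspect "$NET" | grep -A2 network_dns_servers || true

    # 3. Resolution check from inside the still-running container. Use a
    #    name that DNS1_NEW can answer; example.com is a placeholder.
    podman exec "$CTR" nslookup example.com || echo "lookup failed (expected if DNS1_NEW is not reachable)"

    podman rm -f "$CTR"
    podman network rm "$NET"
}

if command -v podman >/dev/null 2>&1; then
    demo
else
    echo "podman not found; skipping live demo" >&2
fi
```

The point to check after step 2 is that the container was never restarted: the resolver change is applied to the network that aardvark-dns serves, so it takes effect for forwarded queries without touching the container's own resolv.conf.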

Thanks @flouthoc. That link proved helpful.