Is it possible to add some forwarding to the Rancher internal DNS server

Hello,

Let me try to explain what I’m trying to achieve:

  1. I’ve got two networks in different geo-locations on Azure Cloud, running a Rancher server in each, plus several machines with the Rancher agent.
  2. I want to make services in one network resolvable by some name from the other network.
  3. I started the Bind9 DNS server and the RFC 2136 DNS updater from the Rancher catalog in both networks and cross-linked them, so that an update in one network updates the DNS server in the other one.
  4. In both networks I changed the network default DNS server to be the DNS server I’m running.

Everything works fine and I can resolve services residing in one network from the other if I’m performing a request from the VMs like this:

ping <service>.<stack>.<environment>.<domain>

The problem is that if I try to do the same from inside of a container it doesn’t work.

Here is how /etc/resolv.conf looks on the VM:

search reddog.microsoft.com
nameserver 10.1.0.5
nameserver 168.63.129.16

where 10.1.0.5 is my DNS server, which I’m using to resolve services in the other network.

Here is my /etc/resolv.conf in a container (managed network):

search reddog.microsoft.com grafana.rancher.internal grafana.grafana.rancher.internal rancher.internal
nameserver 169.254.169.250

Is it possible to tell the Rancher internal DNS server (169.254.169.250) to forward requests for DNS records belonging to my <domain> to my DNS server 10.1.0.5?

The normal behavior is that containers are pointed at 169.254.169.250, which is a DNS server running in the Network Agent on the same host as the container. It responds to service discovery requests (*.rancher.internal) and proxies anything else either to the servers configured for the container or the Docker daemon.

Hi Vincent, thanks for your reply.

In the managed network mode, if I add my DNS IP address (10.1.0.5) to Resolving Servers and then cat /etc/resolv.conf inside the container, I see the following:

search reddog.microsoft.com grafana.rancher.internal grafana.grafana.rancher.internal rancher.internal
# nameserver 10.1.0.5
nameserver 169.254.169.250

and the forwarding doesn’t work.

If I try to run a container (ubuntu:latest) specifying --dns=10.1.0.5 --dns=168.63.129.16, resolv.conf shows me

search reddog.microsoft.com
nameserver 10.1.0.5
nameserver 168.63.129.16

but the name resolution still fails.
If, in the same container, I specify the DNS server in nslookup explicitly and try to resolve something, it gives me this:

root@49c4732df485:/# nslookup
> server 10.1.0.5
Default server: 10.1.0.5
Address: 10.1.0.5#53
> bind9.bind9.default.rancher
;; reply from unexpected source: 172.17.0.1#53, expected 10.1.0.5#53
;; reply from unexpected source: 172.17.0.1#53, expected 10.1.0.5#53

Here 172.17.0.1 is the IP of the docker0 interface on the machine where I’m running Docker.

Please note that I can successfully resolve the same name (bind9.bind9.default.rancher) on the VM where I’m running Docker, and its resolv.conf looks identical to the one in the container.

I think I can get the DNS resolution from my DNS server if I switch to the host network mode, but does that mean I’ll lose the Rancher DNS resolution at the same time and won’t be able to resolve by <service_name>.<stack_name>?

Problem solved, it was the changes in iptables made by the Rancher agent. I can successfully ping everything (Rancher-governed services and services in other networks resolvable by my DNS server) from a VM which is not running the DNS container.
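The "reply from unexpected source: 172.17.0.1#53, expected 10.1.0.5#53" message in the nslookup session above is the classic signature of a NAT rule on the host rewriting port-53 traffic: the query leaves the container addressed to 10.1.0.5, but a DNAT/REDIRECT rule in the nat table sends it to another resolver, whose reply then comes back from the wrong address and is discarded. The script below is an added example (not code from the thread or from Rancher) that audits `iptables-save` output for exactly that kind of rule. The sample iptables dump embedded in it is constructed for illustration; the rules in it, the chain names and the 172.17.0.1:53 destination are assumptions, not the actual rules the Rancher agent installs.

```python
"""Audit iptables-save output for rules that rewrite DNS (port 53) traffic.

Added example. Run `sudo iptables-save | python3 dns_rewrite_audit.py` on a
Docker host to list every nat-table rule that DNATs or REDIRECTs TCP/UDP
port 53; such a rule explains "reply from unexpected source" errors.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: what a host with a port-53 rewrite might look like.
# The two PREROUTING DNAT rules are hypothetical, not Rancher's real rules.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.1:53
-A PREROUTING -i docker0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.17.0.1:53
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
"""

DPORT_RE = re.compile(r"--dport\s+(\d+)")
PROTO_RE = re.compile(r"-p\s+(tcp|udp)\b")
IFACE_RE = re.compile(r"(?<!!)\s-i\s+(\S+)")
TARGET_RE = re.compile(r"-j\s+(DNAT|REDIRECT)\b")
TO_RE = re.compile(r"--to-destination\s+(\S+)|--to-ports\s+(\S+)")


@dataclass
class DnsRewrite:
    """One nat-table rule that diverts DNS traffic away from its destination."""
    chain: str
    proto: str
    in_iface: Optional[str]   # interface the rule matches on, if any
    target: str               # DNAT or REDIRECT
    to: Optional[str]         # where the traffic is actually sent
    raw: str


def find_dns_rewrites(iptables_save: str) -> List[DnsRewrite]:
    """Return the nat-table rules that DNAT/REDIRECT TCP or UDP port 53.

    Rules in other tables (e.g. a filter ACCEPT on port 53) are ignored:
    they cannot change where a query goes, only whether it is allowed.
    """
    table = None
    hits: List[DnsRewrite] = []
    for line in iptables_save.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A "):
            continue
        dport = DPORT_RE.search(line)
        target = TARGET_RE.search(line)
        proto = PROTO_RE.search(line)
        if not (dport and target and proto) or dport.group(1) != "53":
            continue
        to = TO_RE.search(line)
        iface = IFACE_RE.search(line)
        hits.append(DnsRewrite(
            chain=line.split()[1],
            proto=proto.group(1),
            in_iface=iface.group(1) if iface else None,
            target=target.group(1),
            to=(to.group(1) or to.group(2)) if to else None,
            raw=line,
        ))
    return hits


def describe(hits: List[DnsRewrite]) -> List[str]:
    """Human-readable one-liners, one per rewrite rule found."""
    return [
        f"{h.chain}: {h.proto}/53 from {h.in_iface or 'any interface'} "
        f"is {h.target}ed to {h.to or '(unspecified)'}"
        for h in hits
    ]


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    found = find_dns_rewrites(dump)
    if not found:
        print("no port-53 DNAT/REDIRECT rules in the nat table")
    for msg in describe(found):
        print(msg)
```

If the audit reports a rule matching the container's bridge interface, any nameserver you put in the container's resolv.conf or pass with --dns is irrelevant: the query is rewritten before it leaves the host, and the only resolver the container can actually reach is the DNAT target. Forwarding for your zone then has to be configured on that resolver, or the rule has to be scoped so it does not catch traffic to 10.1.0.5.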