SaidBen:
Hey all, has anyone had issues with DNS resolution for the service and the pod in mock exam #2, question #7?
Question: Create an nginx pod called nginx-resolver using image nginx, expose it internally with a service called nginx-resolver-service. Test that you are able to look up the service and pod names from within the cluster. Use the image: busybox:1.28 for dns lookup. Record results in /root/CKA/nginx.svc and /root/CKA/nginx.pod
ERROR: here is the error I am getting when running nslookup in a busybox pod that is running in the same ‘default’ namespace as the pod and service in question:
$ k exec busybox -it -- sh
/ # nslookup nginx-resolver-service
Server: 10.96.0.10
Address: 10.96.0.10:53
** server can’t find nginx-resolver-service.default.svc.cluster.local: NXDOMAIN
*** Can’t find nginx-resolver-service.svc.cluster.local: No answer
*** Can’t find nginx-resolver-service.cluster.local: No answer
*** Can’t find nginx-resolver-service.default.svc.cluster.local: No answer
*** Can’t find nginx-resolver-service.svc.cluster.local: No answer
*** Can’t find nginx-resolver-service.cluster.local: No answer
/ # nslookup 10-244-1-9.default.pod.cluster.local
Server: 10.96.0.10
Address: 10.96.0.10:53
*** Can’t find 10-244-1-9.default.pod.cluster.local: No answer
*** Can’t find 10-244-1-9.default.pod.cluster.local: No answer
Gurudutt Dongre:
Did you use busybox:1.28?
unnivkn:
Try this:
k run dns-test --image=busybox --rm --restart=Never -it -- sh
/ # nslookup 10-244-1-9.default.pod.cluster.local
I Malla:
@unnivkn when should we use:
k run testpod --image=busybox --rm --restart=Never -it -- nslookup nginx-resolver-service
AND
k run testpod --image=busybox --rm --restart=Never -it -- nc -z -v -w 2 nginx-resolver-service 80
Malayamanas Panda:
@I Malla
The 1st one is to test CoreDNS dynamic DNS registration for the service/object; here it assumes the testpod and the test object hostname are in the same namespace. Otherwise, do nslookup with the FQDN, i.e. objectname.type.ns.cluster.local
The 2nd one is to test whether the target object listens on port 80 with the nc command. Check “man nc” for the meaning of -z -v -w 2.
I Malla:
Thank you @Malayamanas Panda again 
In mock exam 3, there is a question related to network policy where the below-mentioned command is used to check if port 80 is accessible.
k run testpod --image=busybox --rm --restart=Never -it -- nc -z -v -w 2 nginx-resolver-service 80
I was wondering why nslookup was not used in this case. But now, after your explanation, it makes sense that we use this command to check a specific port, i.e. 80 in this case.
Again, I have 3 more queries.
1. Above command with nc is used to see the 80 port of the service, not the 80 port of the endpoint, i.e. the pod? Right or wrong?
2. I am confused what happens if the service port is 80 and targetPort is 8000? Will nc work? How will network policy behave in such a case? Maybe I should go back to theory again, but your reply would be informative.
3. When I tried nslookup before creating the network policy to allow traffic from port 80 in the same question, it basically shows the data from CoreDNS. Is my understanding right or wrong? It does not have any relation to the connectivity test with port 80?
Malayamanas Panda:
1. Above command with nc is used to see the 80 port of the service, not the 80 port of the endpoint, i.e. the pod? Right or wrong?
nc hits the service, namely nginx-resolver-service.
2. I am confused what happens if the service port is 80 and targetPort is 8000? Will nc work? How will network policy behave in such a case? Maybe I should go back to theory again, but your reply would be informative.
Yes, it will work fine because the service forwards traffic hitting port 80 to the endpoint(s) target port 8000.
3. When I tried nslookup before creating the network policy to allow traffic from port 80 in the same question, it basically shows the data from CoreDNS. Is my understanding right or wrong? It does not have any relation to the connectivity test with port 80?
Yes, it is a DNS lookup only, and for that you need to allow TCP (not really required, TCP is used for zone transfer between DNS servers) and UDP (required for DNS queries by DNS clients) port 53 in the network policy that is applied to testpod.
SaidBen:
I remember when I worked on this same question last week, nslookup worked like a charm for the service and the pod as well. Does it matter which busybox image we use to run nslookup? :1.28 vs. :latest? Just a side note, netpol will break DNS name resolution if you are blocking egress or ingress traffic to or from CoreDNS pods,
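
Added example, not part of the thread or of any participant's post: a pair of NetworkPolicies for the port 80 / targetPort 8000 case discussed above, showing that policy rules name the pod port and that DNS to CoreDNS has to be allowed once testpod's egress is restricted. The policy names, the run=<name> pod labels (as set by `kubectl run`), the k8s-app=kube-dns CoreDNS label and the 8000 targetPort are assumptions.

```yaml
# Assumed, not from the thread: pod labels are the run=<name> labels set by
# `kubectl run`; CoreDNS pods are k8s-app=kube-dns in kube-system; the Service
# maps port 80 -> targetPort 8000 (the hypothetical case asked about).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-ingress-from-testpod   # hypothetical name
  namespace: default
spec:
  podSelector:
    matchLabels: {run: nginx-resolver}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector:
        matchLabels: {run: testpod}
    ports:
    - {protocol: TCP, port: 8000}    # pod (target) port, not Service port 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: testpod-egress               # hypothetical name
  namespace: default
spec:
  podSelector:
    matchLabels: {run: testpod}
  policyTypes: [Egress]
  egress:
  - to:                              # DNS lookups to CoreDNS
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: kube-system}
      podSelector:
        matchLabels: {k8s-app: kube-dns}
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
  - to:                              # the nginx pod behind the Service
    - podSelector:
        matchLabels: {run: nginx-resolver}
    ports:
    - {protocol: TCP, port: 8000}
```

With both applied, `nslookup nginx-resolver-service` and `nc -z -v -w 2 nginx-resolver-service 80` from testpod exercise the DNS rule and the port rule separately, so a failure in one points at the matching rule.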