DNS resolve does not work HAProxy 2.1.2 Docker

ThoroCF · January 3, 2020, 8:34pm

I’m trying to use kubernetes resolver (coredns) to resolve the servers, but it doesn’t work. I did a tcpdump of the DNS queries that HAproxy sends:

20:25:00.164952 IP jira-nginx-764f99df4f-v7r24.56180 > kube-coredns.kube-system.svc.cluster.local.domain: 13876+ [1au] Type0 (Class 7168)? jira.staging.svc.cluster.local. (60)
20:25:00.165297 IP kube-coredns.kube-system.svc.cluster.local.domain > jira-nginx-764f99df4f-v7r24.56180: 13876 FormErr- 0/0/0 (48)
20:25:00.165340 IP jira-nginx-764f99df4f-v7r24.56180 > kube-coredns.kube-system.svc.cluster.local.domain: 13876+ [1au] Type0 (Class 256)? jira.staging.svc.cluster.local. (60)
20:25:00.165710 IP kube-coredns.kube-system.svc.cluster.local.domain > jira-nginx-764f99df4f-v7r24.56180: 13876 FormErr- 0/0/0 (48)

I’m not clear why it send invalid DNS queries, Wireshark says the DNS queries are malformed.

I have tested with dig, and it returns the correct results, it also works correctly with nginx.

Config:

global
  log stdout local0
  stats socket 127.0.0.1:9000 mode 660 level admin

frontend ft_web
  mode http
  bind 127.0.0.1:8080
  default_backend bk_web
  stats enable
  stats uri /ha
  stats refresh 5s

resolvers mydns
  parse-resolv-conf
  accepted_payload_size 512

backend bk_web
  mode http
  balance roundrobin
  cookie JSESSIONID prefix nocache
  server-template jira 5 jira.staging.svc.cluster.local.:8080 check resolvers mydns init-addr none resolve-prefer ipv4

lukastribus · January 3, 2020, 8:52pm

You must not specify the trailing dot.

ThoroCF · January 5, 2020, 1:09pm

Works, thanks.

Can you explain why the trailing dot leads to an issue here?

lukastribus · January 5, 2020, 4:16pm

Haproxy takes what the users configures and put’s it into a DNS query, where a trailing dot does not belong. When the trailing dot is in there as you can see from your tcpdump, kubernetes DNS responds with a FormErr.

edit: actually that is not completely correct. The reality is that the trailing dot confuses the DNS code in haproxy leading to a unparsable DNS packet. I have filed the following issue for clarification:

github.com/haproxy/haproxy

dns: trailing dot hostname confuses code (adding null bytes where they don't belong)

opened 05:39PM - 05 Jan 20 UTC

lukastribus

At least twice reported on discourse: https://discourse.haproxy.org/t/dns-resolve-does-not-work-haproxy-2-1-2-docker/4688 https://discourse.haproxy.org/t/edns-support-udp-512-byte/1892/3 Output of haproxy -vv and uname -a lukas@dev:~/haproxy$ ./haproxy -vv HA-Proxy version 2.2-dev0-7f4f7f-105 2020/01/05 - https://haproxy.org/ Status: development branch...

1.6 1.7 1.8 1.9 2.0 2.1 dev severity: minor status: reviewed subsystem: dns type: bug

ThoroCF · January 5, 2020, 6:14pm

Thanks for raising the issue, the trailing dot is really common when you want to avoid to iterate through the search options in the resolv.conf usally.

lukastribus · January 5, 2020, 6:58pm

Not with the haproxy resolver though, because it will really only send the hostname as is, which is why FQDN (without trailing dot) is required.

However this is not the first time this comes up and it’s also not properly documented, so let’s see if this can be improved.

Topic		Replies	Views
Resolvers inside kubernetes Help!	11	4890	July 7, 2017
HAProxy won't connect resolving with Kubernetes DNS HAProxy 1.8.4 Help!	8	5272	April 4, 2019
Haproxy 1.8.13 & kubernetes service Discovery Help!	20	1844	August 10, 2018
DNS wont continue to resolve? Help!	2	1152	April 17, 2020
Consistent hash and server-template via dns resolver Help!	3	1375	May 3, 2021

DNS resolve does not work HAProxy 2.1.2 Docker

Related Topics