-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[vnet][7] custom DNS zones #41545
base: master
Are you sure you want to change the base?
[vnet][7] custom DNS zones #41545
Conversation
4a1915c
to
961de46
Compare
166b87d
to
fbcede8
Compare
961de46
to
2c11c95
Compare
fbcede8
to
2a4bd67
Compare
2c11c95
to
f624bcf
Compare
2a4bd67
to
9e761da
Compare
f624bcf
to
3c6df05
Compare
9e761da
to
8db6469
Compare
3c6df05
to
7a25c49
Compare
8db6469
to
87d2642
Compare
7a25c49
to
e81ca82
Compare
87d2642
to
68eaa21
Compare
e81ca82
to
75d124e
Compare
68eaa21
to
921d1fc
Compare
75d124e
to
0967dc0
Compare
921d1fc
to
16a2d6b
Compare
0967dc0
to
903766d
Compare
16a2d6b
to
e98fdf9
Compare
903766d
to
f803aaa
Compare
e98fdf9
to
1812322
Compare
f803aaa
to
d1f86c4
Compare
1812322
to
70066d9
Compare
lib/vnet/app_resolver.go
Outdated
return slices.ContainsFunc(vnetConfig.GetSpec().GetCustomDnsZones(), func(zone *vnet.CustomDNSZone) bool { | ||
return isSubdomain(fqdn, zone.GetSuffix()) | ||
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mean we're not going to support apps that have public_addr
set to a second-level domain? I've always assumed that we will. Though now that I look at the RFD, it specifically talks about *.<custom-dns-zone>
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No it works. I assume we are talking about something like app.subdomain.customzone.com
in a custom DNS zone of customzone.com
, that works fine, just added a testcase for it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking of the app itself having public_addr
set to customzone.com
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's going to happen with reading DNS TXT records?
https://github.com/gravitational/teleport/blob/master/rfd/0163-vnet.md#custom-dns-zones
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was going to add it later, but this PR is pretty small, added here
380c137
to
2f851c6
Compare
38a7086
to
3cde216
Compare
3cde216
to
7beaa6a
Compare
|
||
records, err := c.lookupTXT(ctx, customDNSZone) | ||
if err != nil { | ||
return trace.Wrap(err, "looking up TXT records for %q", customDNSZone) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm in the process of setting up a cluster so that I can fully test custom DNS zones. I wanted to check what happens when the TXT records are not set up and this is the error I got:
2024-05-31T16:47:07+02:00 DEBU [VNET] Error handling UDP conn. request:{53 fd25:36e1:3b77::2 53419 fd25:36e1:3b77::1} error:[
ERROR REPORT:
Original Error: *net.DNSError lookup <my custom DNS zone> on 1.1.1.1:53: no such host
Stack Trace:
github.com/gravitational/teleport/lib/vnet/customdnszonevalidator.go:57 github.com/gravitational/teleport/lib/vnet.(*customDNSZoneValidator).validate
github.com/gravitational/teleport/lib/vnet/app_resolver.go:200 github.com/gravitational/teleport/lib/vnet.(*TCPAppResolver).fqdnMatchesProfile
github.com/gravitational/teleport/lib/vnet/app_resolver.go:150 github.com/gravitational/teleport/lib/vnet.(*TCPAppResolver).ResolveTCPHandler
github.com/gravitational/teleport/lib/vnet/vnet.go:568 github.com/gravitational/teleport/lib/vnet.(*Manager).ResolveA.func1
golang.org/x/sync@v0.7.0/singleflight/singleflight.go:198 golang.org/x/sync/singleflight.(*Group).doCall.func2
golang.org/x/sync@v0.7.0/singleflight/singleflight.go:200 golang.org/x/sync/singleflight.(*Group).doCall
golang.org/x/sync@v0.7.0/singleflight/singleflight.go:113 golang.org/x/sync/singleflight.(*Group).Do
github.com/gravitational/teleport/lib/vnet/vnet.go:559 github.com/gravitational/teleport/lib/vnet.(*Manager).ResolveA
github.com/gravitational/teleport/lib/vnet/dns/dns.go:202 github.com/gravitational/teleport/lib/vnet/dns.(*Server).handleDNSMessage
github.com/gravitational/teleport/lib/vnet/dns/dns.go:130 github.com/gravitational/teleport/lib/vnet/dns.(*Server).HandleUDP
github.com/gravitational/teleport/lib/vnet/vnet.go:528 github.com/gravitational/teleport/lib/vnet.(*Manager).handleUDPConcurrent
github.com/gravitational/teleport/lib/vnet/vnet.go:479 github.com/gravitational/teleport/lib/vnet.(*Manager).handleUDP.func1
runtime/asm_arm64.s:1222 runtime.goexit
User Message: resolving A request for "tcp-postgres.<my custom DNS zone>."
resolving TCP handler for fqdn "tcp-postgres.<my custom DNS zone>."
validating custom DNS zone "<my custom DNS zone>" for cluster "<my cluster>"
looking up TXT records for "<my custom DNS zone>"
lookup <my custom DNS zone> on 1.1.1.1:53: no such host] vnet/vnet.go:529
2024-05-31T16:47:07+02:00 DEBU [VNET] Finished handling UDP request. request:{53 fd25:36e1:3b77::2 53419 fd25:36e1:3b77::1} vnet/vnet.go:531
2024-05-31T16:47:07+02:00 DEBU [VNET] Got HUP or ERR, canceling request context and closing UDP conn. request:{53 fd25:36e1:3b77::2 53419 fd25:36e1:3b77::1} vnet/vnet.go:520
The error says "no such host". After some googling, I found golang/go#65288 which says that net.LookupTXT
returns "no such host" when there are no TXT records.
Could we maybe extend the error message here with something like are VNet TXT records set on <custom DNS zone?
|
||
records, err := c.lookupTXT(ctx, customDNSZone) | ||
if err != nil { | ||
return trace.Wrap(err, "looking up TXT records for %q", customDNSZone) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another thing: when I was just messing around with Let's Encrypt setup, I added a CNAME for my custom DNS zone. Later I wanted to add a TXT record. That's when I realized that you cannot have a CNAME and pretty much any other record set at the same time.
Do you think it's going to cause problems? Looking at DNS zones for some of the domains that I own, I see that for example Mandrill asks you to set up a TXT record under mandrill._domainkey.<your domain>
instead of just <your domain>
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It required a bit of time, but I finally managed to set up a self-hosted server to test this and I can confirm that it works.
This is the eighth in a series of PRs implementing Teleport VNet RFD. parent
This PR adds support for custom DNS zones - which means that TCP apps with a non-default
public_addr
that is not a subdomain of the proxy address can be resolved locally with VNet.To avoid requiring the VNet DNS nameserver to handle all DNS queries on the host and check every cluster for a matching app, the complete list of custom DNS zones must be configured statically cluster-wide in the
vnet_config
resource. All zones configured here will have all DNS queries for subdomains of those zones handled by VNet. If there is an app with a matchingpublic_addr
, VNet will handle that request, else the DNS request will be forwarded to upstream DNS servers and the user will be able to connect to those non-VNet apps normally.