[vnet][7] custom DNS zones #41545
[vnet][7] custom DNS zones #41545
Conversation
nklaassen
added
the
no-changelog
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
4a1915c
to
961de46
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
166b87d
to
fbcede8
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
961de46
to
2c11c95
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
fbcede8
to
2a4bd67
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
2c11c95
to
f624bcf
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
2a4bd67
to
9e761da
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
f624bcf
to
3c6df05
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
9e761da
to
8db6469
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
3c6df05
to
7a25c49
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
8db6469
to
87d2642
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
7a25c49
to
e81ca82
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
87d2642
to
68eaa21
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
e81ca82
to
75d124e
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
68eaa21
to
921d1fc
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
75d124e
to
0967dc0
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
921d1fc
to
16a2d6b
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
0967dc0
to
903766d
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
16a2d6b
to
e98fdf9
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
903766d
to
f803aaa
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
e98fdf9
to
1812322
Compare
nklaassen
force-pushed
the
nklaassen/vnet6
branch
from
f803aaa
to
d1f86c4
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
1812322
to
70066d9
Compare
lib/vnet/app_resolver.go
Outdated
| return slices.ContainsFunc(vnetConfig.GetSpec().GetCustomDnsZones(), func(zone *vnet.CustomDNSZone) bool { | ||
| return isSubdomain(fqdn, zone.GetSuffix()) | ||
| }) |
There was a problem hiding this comment.
Does this mean we're not going to support apps that have public_addr set to a second-level domain? I've always assumed that we will. Though now that I look at the RFD, it specifically talks about *.<custom-dns-zone>.
There was a problem hiding this comment.
No it works. I assume we are talking about something like app.subdomain.customzone.com in a custom DNS zone of customzone.com, that works fine, just added a testcase for it.
There was a problem hiding this comment.
I was thinking of the app itself having public_addr set to customzone.com.
There was a problem hiding this comment.
What's going to happen with reading DNS TXT records?
https://github.com/gravitational/teleport/blob/master/rfd/0163-vnet.md#custom-dns-zones
There was a problem hiding this comment.
I was going to add it later, but this PR is pretty small, added here
nklaassen
force-pushed
the
nklaassen/vnet6
branch
2 times, most recently
from
380c137
to
2f851c6
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
5 times, most recently
from
38a7086
to
3cde216
Compare
nklaassen
force-pushed
the
nklaassen/vnet7
branch
from
3cde216
to
7beaa6a
Compare
|
|
||
| records, err := c.lookupTXT(ctx, customDNSZone) | ||
| if err != nil { | ||
| return trace.Wrap(err, "looking up TXT records for %q", customDNSZone) |
There was a problem hiding this comment.
I'm in the process of setting up a cluster so that I can fully test custom DNS zones. I wanted to check what happens when the TXT records are not set up and this is the error I got:
2024-05-31T16:47:07+02:00 DEBU [VNET] Error handling UDP conn. request:{53 fd25:36e1:3b77::2 53419 fd25:36e1:3b77::1} error:[
ERROR REPORT:
Original Error: *net.DNSError lookup <my custom DNS zone> on 1.1.1.1:53: no such host
Stack Trace:
github.com/gravitational/teleport/lib/vnet/customdnszonevalidator.go:57 github.com/gravitational/teleport/lib/vnet.(*customDNSZoneValidator).validate
github.com/gravitational/teleport/lib/vnet/app_resolver.go:200 github.com/gravitational/teleport/lib/vnet.(*TCPAppResolver).fqdnMatchesProfile
github.com/gravitational/teleport/lib/vnet/app_resolver.go:150 github.com/gravitational/teleport/lib/vnet.(*TCPAppResolver).ResolveTCPHandler
github.com/gravitational/teleport/lib/vnet/vnet.go:568 github.com/gravitational/teleport/lib/vnet.(*Manager).ResolveA.func1
golang.org/x/sync@v0.7.0/singleflight/singleflight.go:198 golang.org/x/sync/singleflight.(*Group).doCall.func2
golang.org/x/sync@v0.7.0/singleflight/singleflight.go:200 golang.org/x/sync/singleflight.(*Group).doCall
golang.org/x/sync@v0.7.0/singleflight/singleflight.go:113 golang.org/x/sync/singleflight.(*Group).Do
github.com/gravitational/teleport/lib/vnet/vnet.go:559 github.com/gravitational/teleport/lib/vnet.(*Manager).ResolveA
github.com/gravitational/teleport/lib/vnet/dns/dns.go:202 github.com/gravitational/teleport/lib/vnet/dns.(*Server).handleDNSMessage
github.com/gravitational/teleport/lib/vnet/dns/dns.go:130 github.com/gravitational/teleport/lib/vnet/dns.(*Server).HandleUDP
github.com/gravitational/teleport/lib/vnet/vnet.go:528 github.com/gravitational/teleport/lib/vnet.(*Manager).handleUDPConcurrent
github.com/gravitational/teleport/lib/vnet/vnet.go:479 github.com/gravitational/teleport/lib/vnet.(*Manager).handleUDP.func1
runtime/asm_arm64.s:1222 runtime.goexit
User Message: resolving A request for "tcp-postgres.<my custom DNS zone>."
resolving TCP handler for fqdn "tcp-postgres.<my custom DNS zone>."
validating custom DNS zone "<my custom DNS zone>" for cluster "<my cluster>"
looking up TXT records for "<my custom DNS zone>"
lookup <my custom DNS zone> on 1.1.1.1:53: no such host] vnet/vnet.go:529
2024-05-31T16:47:07+02:00 DEBU [VNET] Finished handling UDP request. request:{53 fd25:36e1:3b77::2 53419 fd25:36e1:3b77::1} vnet/vnet.go:531
2024-05-31T16:47:07+02:00 DEBU [VNET] Got HUP or ERR, canceling request context and closing UDP conn. request:{53 fd25:36e1:3b77::2 53419 fd25:36e1:3b77::1} vnet/vnet.go:520
The error says "no such host". After some googling, I found golang/go#65288 which says that net.LookupTXT returns "no such host" when there are no TXT records.
Could we maybe extend the error message here with something like are VNet TXT records set on <custom DNS zone?
|
|
||
| records, err := c.lookupTXT(ctx, customDNSZone) | ||
| if err != nil { | ||
| return trace.Wrap(err, "looking up TXT records for %q", customDNSZone) |
There was a problem hiding this comment.
Another thing: when I was just messing around with Let's Encrypt setup, I added a CNAME for my custom DNS zone. Later I wanted to add a TXT record. That's when I realized that you cannot have a CNAME and pretty much any other record set at the same time.
Do you think it's going to cause problems? Looking at DNS zones for some of the domains that I own, I see that for example Mandrill asks you to set up a TXT record under mandrill._domainkey.<your domain> instead of just <your domain>.
This is the eighth in a series of PRs implementing Teleport VNet RFD. parent
This PR adds support for custom DNS zones - which means that TCP apps with a non-default
public_addrthat is not a subdomain of the proxy address can be resolved locally with VNet.To avoid requiring the VNet DNS nameserver to handle all DNS queries on the host and check every cluster for a matching app, the complete list of custom DNS zones must be configured statically cluster-wide in the
vnet_configresource. All zones configured here will have all DNS queries for subdomains of those zones handled by VNet. If there is an app with a matchingpublic_addr, VNet will handle that request, else the DNS request will be forwarded to upstream DNS servers and the user will be able to connect to those non-VNet apps normally.