From 56c5be30452d80073de1da4db71a350710eb32d6 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Sun, 13 Jun 2021 21:41:06 +0200 Subject: [PATCH] ++security Signed-off-by: Nico Schottelius --- .../contents.lr | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/content/u/blog/kubernetes-making-dns-publicly-reachable/contents.lr b/content/u/blog/kubernetes-making-dns-publicly-reachable/contents.lr index 0970ed0..39e7e2a 100644 --- a/content/u/blog/kubernetes-making-dns-publicly-reachable/contents.lr +++ b/content/u/blog/kubernetes-making-dns-publicly-reachable/contents.lr @@ -178,6 +178,45 @@ approaches: ![](/u/image/k8s-v6-v4-dns.png) +## Does this make sense? + +That clearly depends on your use-case. If you want your service DNS +records to be publicly accessible, then the clear answer is yes. + +If your cluster services are intended to be internal only +(see [previous blog post](/u/blog/kubernetes-without-ingress/), then +exposing the DNS service to the world might not be the best option. + +## Note on security + +CoreDNS inside kubernetes is by default configured to allow resolving +for *any* client that can reach it. Thus if you make your kube-dns +service world reachable, you also turn it into an open resolver. + +At the time of writing this blog article, the following coredns +configuration **does NOT** correctly block requests: + +``` + Corefile: | + .:53 { + acl k8s.place7.ungleich.ch { + allow net ::/0 + } + acl . { + allow net 2a0a:e5c0:13::/48 + block + } + forward . /etc/resolv.conf { + max_concurrent 1000 + } +... +``` + +Until this is solved, we recommend to place a firewall before your +public kube-dns service to only allow requests from the forwarding DNS +servers. + + ## More of this We are discussing
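Review bot: The "Note on security" section says the shown Corefile "does NOT correctly block requests" and that readers should firewall "until this is solved", but the hunk gives neither the CoreDNS version this was observed on nor a link to an upstream issue or a date-stamped test, so a reader cannot tell when the workaround stops being necessary; add the version tested and a reference to the tracking issue (or a one-line description of what was observed, e.g. which client address still got an answer) next to "At the time of writing this blog article". Two smaller points in the same hunk: the sentence "(see [previous blog post](/u/blog/kubernetes-without-ingress/), then" is missing its closing parenthesis, and the Corefile fence has no language tag, so it will not be highlighted; tagging it (e.g. ```yaml or ```text) and writing "we recommend placing a firewall in front of your public kube-dns service" would read cleaner.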