++security

Signed-off-by: Nico Schottelius <nico@nico-notebook.schottelius.org>
2021-06-13 21:41:06 +02:00 · 2021-06-13 21:41:06 +02:00 · 56c5be3045
commit 56c5be3045
parent 617db5a79e
1 changed files with 39 additions and 0 deletions
--- a/content/u/blog/kubernetes-making-dns-publicly-reachable/contents.lr
+++ b/content/u/blog/kubernetes-making-dns-publicly-reachable/contents.lr
@ -178,6 +178,45 @@ approaches:

 ![](/u/image/k8s-v6-v4-dns.png)

+## Does this make sense?
+
+That clearly depends on your use-case. If you want your service DNS
+records to be publicly accessible, then the clear answer is yes.
+
+If your cluster services are intended to be internal only
+(see [previous blog post](/u/blog/kubernetes-without-ingress/), then
+exposing the DNS service to the world might not be the best option.
+
+## Note on security
+
+CoreDNS inside kubernetes is by default configured to allow resolving
+for *any* client that can reach it. Thus if you make your kube-dns
+service world reachable, you also turn it into an open resolver.
+
+At the time of writing this blog article, the following coredns
+configuration **does NOT** correctly block requests:
+
+```
+  Corefile: |
+    .:53 {
+        acl k8s.place7.ungleich.ch {
+             allow net ::/0
+        }
+        acl . {
+              allow net 2a0a:e5c0:13::/48
+              block
+        }
+        forward . /etc/resolv.conf {
+           max_concurrent 1000
+        }
+...
+```
+
+Until this is solved, we recommend to place a firewall before your
+public kube-dns service to only allow requests from the forwarding DNS
+servers.
+
+
 ## More of this

 We are discussing