Hello!

On Thu, Nov 17, 2022 at 05:17:06AM -0500, jeanpaul wrote:

> We're using Nginx as ingress controller in a Kubernetes environment. Nginx
> uses a DNS service inside k8s with 1 single service-IP and multiple DNS PODs
> behind that.
>
> The translation from service-IP to any of the multiple DNS PODs is done via
> DNAT rules.
>
> The problem:
> - Nginx establishes a UDP 'connection' on for example localIP 1.1.1.1
>   source-port 12345 towards serviceIP 1.2.3.4
> - DNAT translates this as sourceport 12345 towards any DNS-POD; for example
>   2.3.4.5:53
> - If DNS-POD 2.3.4.5 terminates, Nginx is not aware of this because of the
>   'connection' towards serviceIP 1.2.3.4
> - Nginx will send all future DNS requests using the same tuple of
>   serviceIP:sourcePort, so 1.1.1.1:12345 -> 1.2.3.4:53
> - This will result in a timeout because the destination POD isn't there
>   anymore
>
> Is it possible to force Nginx to use different source UDP ports every X
> seconds, or after a timeout?

No, nginx will continue to use the same source port unless there is an error when sending a UDP packet, which is not going to happen in the described setup.

Note that even if there were a way to force nginx to use different source ports every X seconds, this would anyway result in downtime till the next source port change if the DNS POD terminates. This suggests that it might be a good idea to rethink how DNS balancing works in your setup.

-- 
Maxim Dounin
http://mdounin.ru/
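As an added illustration (not code from the thread, nginx or Kubernetes), the following Python model reproduces the failure mode described above: a UDP "flow" is pinned to a backend pod by a conntrack-style DNAT entry keyed on the 4-tuple, so a client that keeps one source port stays pinned to a dead pod, while a client that reopens its socket after a timeout gets a fresh DNAT decision but still loses queries until it does. The class and function names, the round-robin backend choice and the two-pod setup are assumptions; the addresses are the ones from the original message.

```python
class ServiceDnat:
    """Toy model of service-IP DNAT with a conntrack table (assumption: new flows
    pick backends round-robin; existing entries are not flushed on pod removal)."""

    def __init__(self, service_ip, pods):
        self.service_ip = service_ip
        self.live = set(pods)      # pods currently able to answer
        self.ring = list(pods)     # backend order used for brand-new flows
        self.table = {}            # conntrack: (src_ip, src_port, dst_ip, dst_port) -> pod
        self._next = 0

    def query(self, src_ip, src_port):
        """One DNS query to service_ip:53. Returns the pod that answers, or None on timeout."""
        key = (src_ip, src_port, self.service_ip, 53)
        if key not in self.table:                      # first packet of this 4-tuple
            self.table[key] = self.ring[self._next % len(self.ring)]
            self._next += 1
        pod = self.table[key]                           # later packets reuse the entry
        return pod if pod in self.live else None

    def terminate_pod(self, pod):
        """Pod disappears: endpoints are updated, stale conntrack entries remain."""
        self.live.discard(pod)
        self.ring.remove(pod)

    def stale_entries(self):
        """Entries still pointing at dead pods; what a conntrack cleanup would flush."""
        return [k for k, pod in self.table.items() if pod not in self.live]


def simulate(rotate_on_timeout, n_queries=6, kill_at=2):
    """Run n_queries from 1.1.1.1; the pinned pod dies before query number kill_at.
    rotate_on_timeout=False mimics a resolver that never changes its source port."""
    dnat = ServiceDnat("1.2.3.4", ["2.3.4.5", "2.3.4.6"])   # constructed setup
    src_port, outcomes = 12345, []
    for i in range(n_queries):
        if i == kill_at:
            dnat.terminate_pod("2.3.4.5")
        pod = dnat.query("1.1.1.1", src_port)
        outcomes.append(pod or "timeout")
        if pod is None and rotate_on_timeout:
            src_port += 1          # reopen the socket: new 4-tuple, fresh DNAT decision
    return outcomes, dnat.stale_entries()
```

Without rotation every query after the pod dies times out; with rotation exactly one query is lost before the new source port picks a live pod, which is the downtime the reply refers to.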