Last time I checked haproxy didn't support UDP, which would be key for
mesos-dns.

--

Tom Arnfeld
Developer // DueDil

(+44) 7525940046
25 Christopher Street, London, EC2A 2BS

On Thu, Apr 2, 2015 at 3:53 PM, John Omernik <[email protected]> wrote:

> That was my first response as well... I work at a bank, and the thought of
> changing dns servers on the clients everywhere made me roll my eyes :)
> John
> On Thu, Apr 2, 2015 at 9:39 AM, Tom Arnfeld <[email protected]> wrote:
>> This is great, thanks for sharing!
>>
>> It's nice to see other members of the community sharing more realistic
>> implementations of DNS rather than just "update your resolv conf" and it
>> works :-)
>>
>> --
>>
>> Tom Arnfeld
>> Developer // DueDil
>>
>> (+44) 7525940046
>> 25 Christopher Street, London, EC2A 2BS
>>
>>
>> On Thu, Apr 2, 2015 at 3:30 PM, John Omernik <[email protected]> wrote:
>>
>>> Based on my earlier emails about the state of service discovery, I did
>>> some research and a little writeup on how to use mesos-dns as a forward
>>> lookup zone in an enterprise BIND installation. I feel this is more secure,
>>> and more comfortable for an enterprise DNS team, as opposed to changing the
>>> first resolver on every client that may interact with mesos to be the
>>> mesos-dns server. Please feel free to modify/correct and include this in
>>> the mesos-dns documentation if you feel it's valuable.
>>>
>>>
>>> Goals/Thought Process
>>> - Run mesos-dns on a non-standard port (such as 8053). This allows you
>>> to run it as a non-root user.
>>> - While most DNS clients may not understand this (a different port), in
>>> an enterprise, most DNS servers will respect a forward lookup zone with a
>>> server using a different port.
>>> - The setup below for BIND9 allows you to keep all your mesos servers AND
>>> clients in an enterprise pointing their requests at your enterprise DNS
>>> server, rather than mesos-dns.
>>>   - This is easier from an enterprise configuration standpoint. Make one
>>> change on your DNS servers, rather than adding a resolver on all the
>>> clients.
>>>   - This is more secure in that you can run mesos-dns as non-root (53 is
>>> a privileged port, 8053 is not); no sudo required.
>>>   - For more security, you can limit connections to the mesos-dns server
>>> to only your enterprise DNS servers. This could help mitigate any unknown
>>> vulnerabilities in mesos-dns.
>>>   - This allows you to make mesos-dns HA, in that you can specify multiple
>>> resolvers for your bind configuration.
>>>
>>> Bind9 Config
>>> This was put into my named.conf.local. It sets up the .mesos zone and
>>> forwards to mesos-dns. All my mesos servers already pointed at this server,
>>> therefore no client changes were required.
>>>
>>> #192.168.0.100 is my host running mesos DNS
>>> zone "mesos" {
>>> type forward;
>>> forward only;
>>> forwarders { 192.168.0.100 port 8053; };
>>> };
>>>
>>> config.json mesos-dns config file.
>>> I DID specify my internal DNS server in the resolvers (192.168.0.10);
>>> however, I am not sure if I need to do this, since only requests for
>>> .mesos will actually be sent to mesos-dns.
>>>
>>> {
>>>   "masters": ["192.168.0.98:5050"],
>>>   "refreshSeconds": 60,
>>>   "ttl": 60,
>>>   "domain": "mesos",
>>>   "port": 8053,
>>>   "resolvers": ["192.168.0.10"],
>>>   "timeout": 5,
>>>   "listener": "0.0.0.0",
>>>   "email": "root.mesos-dns.mesos"
>>> }
>>>
>>> marathon start json
>>> Note the lack of sudo here. I also constrained it to one host for now,
>>> but that could change if needed.
>>>
>>> {
>>>   "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>>>   "cpus": 1.0,
>>>   "mem": 1024,
>>>   "id": "mesos-dns",
>>>   "instances": 1,
>>>   "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
>>> }
>>>
>>
>>
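
Taking the writeup's two config files together, here is an added example (not from the thread or the mesos-dns project) that derives the BIND9 forward-zone stanza from a mesos-dns config.json and checks the two properties the writeup relies on: a non-privileged port and a listener that is not left open to every host. The mesos-dns host 192.168.0.100 comes from the thread; the second forwarder 192.168.0.101 is an assumed extra host for the HA case.

```python
import json

# Constructed sample, copied from the config.json posted in the thread.
SAMPLE_CONFIG = """{
  "masters": ["192.168.0.98:5050"],
  "refreshSeconds": 60,
  "ttl": 60,
  "domain": "mesos",
  "port": 8053,
  "resolvers": ["192.168.0.10"],
  "timeout": 5,
  "listener": "0.0.0.0",
  "email": "root.mesos-dns.mesos"
}"""


def forward_zone_stanza(config_text, mesos_dns_hosts):
    """Build the named.conf.local 'zone' block that forwards the mesos-dns
    domain to each host in mesos_dns_hosts on the configured port. Several
    hosts become several forwarders, which is the HA arrangement described."""
    cfg = json.loads(config_text)
    domain = cfg["domain"]
    port = int(cfg["port"])
    forwarders = " ".join(f"{host} port {port};" for host in mesos_dns_hosts)
    return (
        f'zone "{domain}" {{\n'
        "    type forward;\n"
        "    forward only;\n"
        f"    forwarders {{ {forwarders} }};\n"
        "};\n"
    )


def check_config(config_text):
    """Return findings on the config: a privileged port would force mesos-dns
    to run as root, and a 0.0.0.0 listener answers any host unless a firewall
    limits it to the enterprise DNS servers (as the writeup recommends)."""
    cfg = json.loads(config_text)
    port = int(cfg["port"])
    findings = []
    if port < 1024:
        findings.append(f"port {port} is privileged: mesos-dns would need root")
    if cfg.get("listener", "0.0.0.0") == "0.0.0.0":  # 0.0.0.0 assumed as default
        findings.append("listener 0.0.0.0 accepts queries from any host: "
                        "restrict it to the enterprise DNS servers")
    return findings


if __name__ == "__main__":
    print(forward_zone_stanza(SAMPLE_CONFIG, ["192.168.0.100", "192.168.0.101"]))
    for finding in check_config(SAMPLE_CONFIG):
        print("WARNING:", finding)
```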