3 min read | by Jordi Prats
Kubernetes, by default, registers all Pods and Services in the cluster.local DNS zone. At some point we might want to take a look at this zone as a whole, but zone transfers are going to be refused by default:
dnstools# dig axfr cluster.local
; <<>> DiG 9.11.3 <<>> axfr cluster.local
;; global options: +cmd
; Transfer failed.
But if we are using CoreDNS, we can configure it to temporarily allow zone transfers so that we can take a look at it.
To do so we'll have to edit a ConfigMap called coredns that, most likely, is going to sit in the kube-system namespace. Zone transfers are enabled with the transfer plugin block. For example, to allow zone transfers to any client (be careful with this: anything that can reach CoreDNS will be able to dump the whole zone, so revert it once you are done, or list specific addresses under to instead of *) we can configure it as follows:
kind: ConfigMap
apiVersion: v1
metadata:
  name: coredns
  namespace: kube-system
(...)
data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
        transfer {
            to *
        }
    }
CoreDNS is going to reload its configuration automatically (the reload plugin is enabled in the Corefile above), but it can take up to a couple of minutes.
To be able to start the zone transfer we can use the infoblox/dnstools container that has dig installed:
$ kubectl run -it --rm --image=infoblox/dnstools:latest dnstools
Once we are connected to the Pod we can start the zone transfer using axfr as follows:
dnstools# dig axfr cluster.local
; <<>> DiG 9.11.3 <<>> axfr cluster.local
;; global options: +cmd
cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1650633547 7200 1800 86400 5
autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local. 5 IN A 172.22.218.153
autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local. 5 IN SRV 0 100 8085 autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local.
_http._tcp.autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local. 5 IN SRV 0 100 8085 autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local.
aws-load-balancer-webhook-service.alb-controller.svc.cluster.local. 5 IN A 172.22.110.122
aws-load-balancer-webhook-service.alb-controller.svc.cluster.local. 5 IN SRV 0 100 443 aws-load-balancer-webhook-service.alb-controller.svc.cluster.local.
(...)
cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1650633547 7200 1800 86400 5
;; Query time: 3 msec
;; SERVER: 172.22.0.10#53(172.22.0.10)
;; WHEN: Fri Apr 22 23:26:08 UTC 2022
;; XFR size: 206 records (messages 1, bytes 21254)
dnstools#
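Once the transfer works, the useful part is turning those 206 records into an inventory of what each namespace exposes. The following script is an added example (not part of the original post) that parses dig axfr output into a namespace, Service, address and port map; the sample input is constructed from the record lines shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the dig axfr output above (not a live capture).
AXFR_OUTPUT = """\
cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1650633547 7200 1800 86400 5
autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local. 5 IN A 172.22.218.153
autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local. 5 IN SRV 0 100 8085 autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local.
_http._tcp.autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local. 5 IN SRV 0 100 8085 autoscaler-aws-cluster-autoscaler.autoscaler.svc.cluster.local.
aws-load-balancer-webhook-service.alb-controller.svc.cluster.local. 5 IN A 172.22.110.122
aws-load-balancer-webhook-service.alb-controller.svc.cluster.local. 5 IN SRV 0 100 443 aws-load-balancer-webhook-service.alb-controller.svc.cluster.local.
cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1650633547 7200 1800 86400 5
;; Query time: 3 msec
"""

ZONE = "cluster.local."
# <service>.<namespace>.svc.<zone>, optionally prefixed by _<port>._<proto>. for named ports
SVC_RE = re.compile(r"^(?:(_[^.]+)\._(tcp|udp)\.)?([^.]+)\.([^.]+)\.svc\." + re.escape(ZONE) + "$")

def parse_axfr(text):
    """Return {namespace: {service: {"ips": [...], "ports": set(), "named": {name: port}}}}."""
    inventory = defaultdict(lambda: defaultdict(lambda: {"ips": [], "ports": set(), "named": {}}))
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig comments and the trailing statistics
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not a "name ttl IN type rdata" record line
        name, rtype, rdata = fields[0], fields[3], fields[4:]
        m = SVC_RE.match(name)
        if not m:
            continue  # SOA, NS, Pod records: not a Service
        portname, _proto, svc, ns = m.groups()
        entry = inventory[ns][svc]
        if rtype == "A":
            entry["ips"].append(rdata[0])
        elif rtype == "SRV":  # rdata: priority weight port target
            port = int(rdata[2])
            entry["ports"].add(port)
            if portname:
                entry["named"][portname.lstrip("_")] = port
    return inventory

def inventory_rows(inventory):
    """Flatten to sorted (namespace, service, ips, ports) rows for a quick report."""
    return [(ns, svc, ",".join(e["ips"]), sorted(e["ports"]))
            for ns in sorted(inventory) for svc, e in sorted(inventory[ns].items())]

if __name__ == "__main__":
    for ns, svc, ips, ports in inventory_rows(parse_axfr(AXFR_OUTPUT)):
        print(f"{ns:<16} {svc:<40} {ips:<16} {ports}")
```

Feed it the real dump with `dig axfr cluster.local > zone.txt` and `parse_axfr(open("zone.txt").read())` to get the same report for the whole cluster.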
Posted on 25/04/2022