Merge pull request #198 from ruby-no-kai/dnsdist

dns-cache: Provide DoQ using dnsdist

Author: hanazuki

gen/k8s/dns-cache/configmap.yml

@@ -0,0 +1,35 @@
+crt_path = '/secrets/tls-cert/tls.crt'
+key_path = '/secrets/tls-cert/tls.key'
+
+newServer(
+   {
+      address = '127.0.0.1:10053',
+      maxInFlight = 1000,
+   }
+)
+
+addTLSLocal(
+   '0.0.0.0:10853', crt_path, key_path,
+   {
+      maxInFlight = 1000,
+      minTLSVersion = 'tls1.3',
+   }
+)
+
+
+addDOQLocal(
+   '0.0.0.0:10853', crt_path, key_path,
+   {
+      maxInFlight = 1000,
+   }
+)
+
+webserver(
+   '0.0.0.0:9823'
+)
+setWebserverConfig(
+   {
+      acl = "127.0.0.1, 10.33.128.0/17",
+      statsRequireAuthentication = false,
+   }
+)

gen/k8s/dns-cache/deployment.yml

@@ -9,10 +9,10 @@ server:
   val-log-level: 2
 
   interface: 0.0.0.0@10053
-  interface: 0.0.0.0@10853
+#  interface: 0.0.0.0@10853
   interface: 0.0.0.0@10443
   port: 10053
-  tls-port: 10853
+#  tls-port: 10853
   https-port: 10443
   access-control: 10.33.0.0/16 allow
 
@@ -65,13 +65,15 @@ server:
   local-data: "resolver.rubykaigi.net. 300 IN HTTPS 1 . alpn=h3,h2"
   local-data: "_dns.resolver.rubykaigi.net. 300 IN SVCB 1 resolver.rubykaigi.net. alpn=**,h3,h2 dohpath=/dns-query{?dns}"
   local-data: "_dns.resolver.rubykaigi.net. 300 IN SVCB 2 resolver.rubykaigi.net. alpn=dot"
+  local-data: "_dns.resolver.rubykaigi.net. 300 IN SVCB 3 resolver.rubykaigi.net. alpn=doq"
   local-data: "_dns.resolver.rubykaigi.net. 300 IN SVCB 9 resolver.rubykaigi.net. alpn=http/1.1 dohpath=/dns-query{?dns}"
 
   # https://datatracker.ietf.org/doc/rfc9462/
   local-zone: resolver.arpa. static
   domain-insecure: resolver.arpa.
   local-data: "_dns.resolver.arpa. 300 IN SVCB 1 resolver.rubykaigi.net. alpn=**,h3,h2 ipv4hint=192.50.220.164,192.50.220.165 ipv6hint=2001:df0:8500:ca6d:53::c,2001:df0:8500:ca6d:53::d dohpath=/dns-query{?dns}"
   local-data: "_dns.resolver.arpa. 300 IN SVCB 2 resolver.rubykaigi.net. alpn=dot ipv4hint=192.50.220.164,192.50.220.165 ipv6hint=2001:df0:8500:ca6d:53::c,2001:df0:8500:ca6d:53::d"
+  local-data: "_dns.resolver.arpa. 300 IN SVCB 3 resolver.rubykaigi.net. alpn=doq ipv4hint=192.50.220.164,192.50.220.165 ipv6hint=2001:df0:8500:ca6d:53::c,2001:df0:8500:ca6d:53::d"
   local-data: "_dns.resolver.arpa. 300 IN SVCB 9 resolver.rubykaigi.net. alpn=http/1.1 ipv4hint=192.50.220.164,192.50.220.165 ipv6hint=2001:df0:8500:ca6d:53::c,2001:df0:8500:ca6d:53::d dohpath=/dns-query{?dns}"
 
   # https://datatracker.ietf.org/doc/rfc9606/

gen/k8s/dns-cache/monitoring.yml

@@ -9,6 +9,16 @@
       'unbound.conf': importstr './config/unbound.conf',
     },
   },
+  {
+    apiVersion: 'v1',
+    kind: 'ConfigMap',
+    metadata: {
+      name: 'dnsdist-config',
+    },
+    data: {
+      'dnsdist.lua': importstr './config/dnsdist.lua',
+    },
+  },
   {
     apiVersion: 'v1',
     kind: 'ConfigMap',

k8s/dns-cache/config/dnsdist.lua

@@ -53,7 +53,6 @@ local tls_cert_secret = 'cert-resolver-rubykaigi-net';
               ports: [
                 { name: 'dns', containerPort: 10053, protocol: 'UDP' },
                 { name: 'dns-tcp', containerPort: 10053, protocol: 'TCP' },
-                { name: 'dns-tls', containerPort: 10853, protocol: 'TCP' },
                 { name: 'dns-h2', containerPort: 10443, protocol: 'TCP' },
                 { name: 'prom', containerPort: 9167 },
               ],
@@ -75,6 +74,36 @@ local tls_cert_secret = 'cert-resolver-rubykaigi-net';
                 periodSeconds: 3,
               },
             },
+            {
+              name: 'dnsdist',
+              resources: {
+                requests: {
+                  cpu: '5m',
+                  memory: '32M',
+                },
+              },
+              image: '005216166247.dkr.ecr.ap-northeast-1.amazonaws.com/dnsdist:be372f5f14d6211a6aa46643c4a389fb64455246',
+              args: ['-C', '/etc/dnsdist/dnsdist.lua', '--supervised', '--disable-syslog', '--verbose'],
+              ports: [
+                { name: 'dns-tls', containerPort: 10853, protocol: 'TCP' },
+                { name: 'dns-quic', containerPort: 10853, protocol: 'UDP' },
+                { name: 'prom-dnsdist', containerPort: 9823 },
+              ],
+              env: [
+              ],
+              volumeMounts: [
+                { name: 'dnsdist-config', mountPath: '/etc/dnsdist', readOnly: true },
+                { name: 'tls-cert', mountPath: '/secrets/tls-cert', readOnly: true },
+              ],
+              readinessProbe: {
+                httpGet: { path: '/jsonstat?command=stats', port: 9823, scheme: 'HTTP' },
+              },
+              livenessProbe: {
+                httpGet: { path: '/jsonstat?command=stats', port: 9823, scheme: 'HTTP' },
+                failureThreshold: 2,
+                periodSeconds: 3,
+              },
+            },
           ],
           volumes: [
             {
@@ -83,6 +112,12 @@ local tls_cert_secret = 'cert-resolver-rubykaigi-net';
                 name: 'unbound-config',
               },
             },
+            {
+              name: 'dnsdist-config',
+              configMap: {
+                name: 'dnsdist-config',
+              },
+            },
             {
               name: 'tls-cert',
               secret: {

k8s/dns-cache/config/unbound.conf

@@ -74,6 +74,29 @@ local dnsProbes(domain) = [
     },
   },
 
+  {
+    apiVersion: 'monitoring.coreos.com/v1',
+    kind: 'PodMonitor',
+    metadata: {
+      name: 'dnsdist',
+      labels: {
+        release: 'kube-prometheus-stack',
+      },
+    },
+    spec: {
+      selector: {
+        matchLabels: {
+          'rubykaigi.org/app': 'unbound',
+        },
+      },
+      podMetricsEndpoints: [
+        {
+          port: 'prom-dnsdist',
+        },
+      ],
+    },
+  },
+
   {
     apiVersion: 'monitoring.coreos.com/v1',
     kind: 'PodMonitor',

k8s/dns-cache/configmap.jsonnet

@@ -73,10 +73,11 @@ resource "kubernetes_manifest" "targetgroupbinding-dns-cache-dns" {
 
 ###
 
+# dot & doq
 resource "aws_lb_listener" "dns-tls" {
   load_balancer_arn = aws_lb.nlb.arn
   port              = "853"
-  protocol          = "TCP"
+  protocol          = "TCP_UDP"
 
   default_action {
     type             = "forward"
@@ -88,7 +89,7 @@ resource "aws_lb_target_group" "dns-tls" {
   name        = "dns-cache-dns-${substr(uuid(), 0, 10)}"
   target_type = "ip"
   port        = local.dns_cache_dns_tls_target_port
-  protocol    = "TCP"
+  protocol    = "TCP_UDP"
   vpc_id      = data.aws_vpc.main.id
 
   connection_termination = true

k8s/dns-cache/deployment.jsonnet

@@ -28,6 +28,16 @@ resource "aws_security_group_rule" "k8s-node_dns-cache-tls" {
   cidr_blocks       = ["10.33.0.0/16"]
 }
 
+resource "aws_security_group_rule" "k8s-node_dns-cache-quic" {
+  security_group_id = data.terraform_remote_state.k8s.outputs.node_security_group
+  description       = "dns-cache-dns-tcp"
+  type              = "ingress"
+  from_port         = local.dns_cache_dns_tls_target_port
+  to_port           = local.dns_cache_dns_tls_target_port
+  protocol          = "udp"
+  cidr_blocks       = ["10.33.0.0/16"]
+}
+
 resource "aws_security_group_rule" "k8s-node_dns-cache-https" {
   security_group_id = data.terraform_remote_state.k8s.outputs.node_security_group
   description       = "dns-cache-dns-https"