59f5e37ff4
We need to correctly describe what is really happening: The dnsmasq processes in the DHCP agent act as forwarding masquerading resolvers for the instances in their particular subnets. Change-Id: I50ef9f488eb1efb8f709b75537ca4a4e9efce75a Closes-Bug: 1715842
4.5 KiB
DNS resolution for instances
The Networking service offers several methods to configure name resolution (DNS) for instances. Most deployments should implement case 1 or 2a. Case 2b requires security considerations to prevent leaking internal DNS information to instances.
Note
All of these setups require the configured DNS resolvers to be reachable from the virtual network in question. So unless the resolvers are located inside the virtual network itself, this implies the need for a router to be attached to that network having an external gateway configured.
Case 1: Each virtual network uses unique DNS resolver(s)
In this case, the DHCP agent offers one or more unique DNS resolvers to instances via DHCP on each virtual network. You can configure a DNS resolver when creating or updating a subnet. To configure more than one DNS resolver, repeat the option multiple times.
Configure a DNS resolver when creating a subnet.
$ openstack subnet create --dns-nameserver DNS_RESOLVERReplace
DNS_RESOLVERwith the IP address of a DNS resolver reachable from the virtual network. Repeat the option if you want to specify multiple IP addresses. For example:$ openstack subnet create --dns-nameserver 203.0.113.8 --dns-nameserver 198.51.100.53Note
This command requires additional options outside the scope of this content.
Add a DNS resolver to an existing subnet.
$ openstack subnet set --dns-nameserver DNS_RESOLVER SUBNET_ID_OR_NAMEReplace
DNS_RESOLVERwith the IP address of a DNS resolver reachable from the virtual network andSUBNET_ID_OR_NAMEwith the UUID or name of the subnet. For example, using theselfservicesubnet:$ openstack subnet set --dns-nameserver 203.0.113.9 selfserviceRemove all DNS resolvers from a subnet.
$ openstack subnet set --no-dns-nameservers SUBNET_ID_OR_NAMEReplace
SUBNET_ID_OR_NAMEwith the UUID or name of the subnet. For example, using theselfservicesubnet:$ openstack subnet set --no-dns-nameservers selfserviceNote
You can use this option in combination with the previous one in order to replace all existing DNS resolver addresses with new ones.
Note
When DNS resolvers are explicitly specified for a subnet this way, that setting will take precedence over the options presented in case 2.
Case 2: DHCP agents forward DNS queries from instances
In this case, the DHCP agent offers the list of all DHCP agent's IP addresses on a subnet as DNS resolver(s) to instances via DHCP on that subnet.
The DHCP agent then runs a masquerading forwarding DNS resolver with two possible options to determine where the DNS queries are sent to.
Note
The DHCP agent will answer queries for names and addresses of instances running within the virtual network directly instead of forwarding them.
Case 2a: Queries are forwarded to an explicitly configured set of DNS resolvers
In the dhcp_agent.ini file, configure one or more DNS
resolvers. To configure more than one DNS resolver, use a comma between
the values.
[DEFAULT]
dnsmasq_dns_servers = DNS_RESOLVERReplace DNS_RESOLVER with a list of IP addresses of DNS
resolvers reachable from all virtual networks. For example:
[DEFAULT]
dnsmasq_dns_servers = 203.0.113.8, 198.51.100.53Note
You must configure this option for all eligible DHCP agents and restart them to activate the values.
Case 2b: Queries are forwarded to DNS resolver(s) configured on the host
In this case, the DHCP agent forwards queries from the instances to
the DNS resolver(s) configured in the resolv.conf file on
the host running the DHCP agent. This requires these resolvers being
reachable from all virtual networks.
In the dhcp_agent.ini file, enable using the DNS
resolver(s) configured on the host.
[DEFAULT]
dnsmasq_local_resolv = TrueNote
You must configure this option for all eligible DHCP agents and restart them to activate this setting.