Use NodeLocal DNSCache in your cluster

Big picture

Set up NodeLocal DNSCache to improve DNS lookup latency.

Before you begin

Required

Follow these steps to enable NodeLocal DNSCache connectivity.

Unsupported

• OpenShift

NodeLocal DNSCache does not support OpenShift. Openshift has its own DNS caching mechanism which deploys CoreDNS pods as DaemonSets. For more information, see Openshift DNS setup.

Create a policy to allow traffic from NodeLocal DNSCache

The following is a sample network policy that allows all incoming TCP traffic (including incoming traffic from node-local-dns pods) on port 53 on kube-dns.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default.local-dns-to-core-dns
  namespace: kube-system
spec:
  tier: default
  selector: k8s-app == "kube-dns"
  ingress:
    - action: Allow
      protocol: TCP
      destination:
        selector: k8s-app == "kube-dns"
        ports:
          - '53'
  types:
    - Ingress

To refine the sources permitted by this policy, take into account that NodeLocal DNSCache pods are host networked, and make sure to allow traffic from the addresses of your hosts. If you're using encapsulation, you will need to allow connectivity from the tunnel IPs.

The Tigera operator creates policy to allow Tigera components to connect to NodeLocal DNSCache when detected. Felix accounts for the NodeLocal DNSCache in creating DNS Logs and enforcing DNS Policy.