Skip to main content
Version: 3.18 (latest)

Use NodeLocal DNSCache in your cluster

Big picture

Set up NodeLocal DNSCache to improve DNS lookup latency.

Before you begin

Required

Follow these steps to enable NodeLocal DNSCache connectivity.

Unsupported

  • OpenShift

NodeLocal DNSCache does not support OpenShift. Openshift has its own DNS caching mechanism which deploys CoreDNS pods as DaemonSets. For more information, see Openshift DNS setup.

Features

This how-to guide uses the following Calico features:

  • GlobalNetworkPolicies

Create a policy to allow traffic from NodeLocal DNSCache

The following is a sample network policy that allows all incoming TCP traffic (including incoming traffic from node-local-dns pods) on port 53 on kube-dns.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: default.local-dns-to-core-dns
namespace: kube-system
spec:
tier: default
selector: k8s-app == "kube-dns"
ingress:
- action: Allow
protocol: TCP
destination:
selector: k8s-app == "kube-dns"
ports:
- '53'
types:
- Ingress

To refine the sources permitted by this policy, take into account that NodeLocal DNSCache pods are host networked, and make sure to allow traffic from the addresses of your hosts. If you're using encapsulation, you will need to allow connectivity from the tunnel IPs.

The Tigera operator creates policy to allow Tigera components to connect to NodeLocal DNSCache when detected. Felix accounts for the NodeLocal DNSCache in creating DNS Logs and enforcing DNS Policy.