|
9 | 9 | You can use DNS forwarding to override the default forwarding configuration in the `/etc/resolv.conf` file in the following ways:
|
10 | 10 |
|
11 | 11 | * Specify name servers for every zone. If the forwarded zone is the Ingress domain managed by {product-title}, then the upstream name server must be authorized for the domain.
|
| 12 | ++ |
| 13 | +ifdef::openshift-rosa,openshift-dedicated[] |
| 14 | +[IMPORTANT] |
| 15 | +==== |
| 16 | +You must specify at least one zone. Otherwise, your cluster can lose functionality. |
| 17 | +==== |
| 18 | +endif::[] |
| 19 | ++ |
12 | 20 | * Provide a list of upstream DNS servers.
|
13 | 21 | * Change the default forwarding policy.
|
14 | 22 |
|
15 | 23 | [NOTE]
|
16 |
| -===== |
| 24 | +==== |
17 | 25 | A DNS forwarding configuration for the default domain can have both the default servers specified in the `/etc/resolv.conf` file and the upstream DNS servers.
|
18 |
| -===== |
| 26 | +==== |
19 | 27 |
|
20 | 28 | .Procedure
|
21 | 29 |
|
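Review bot: The two list-continuation `+` lines at new lines 12 and 19 sit outside the `ifdef::openshift-rosa,openshift-dedicated[]` / `endif::[]` pair, so builds for other products are left with two bare `+` lines between the first and second bullets and no block for them to attach. Move the opening `+` inside the `ifdef`, as the later hunks do, and drop the one after `endif::[]`, since the next line is a new `*` item. The admonition here also omits the sentence "Only forward to specific zones, such as your intranet." that the other two copies carry; make the wording consistent across all three.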
|
55 | 63 | ----
|
56 | 64 | <1> Must comply with the `rfc6335` service name syntax.
|
57 | 65 | <2> Must conform to the definition of a subdomain in the `rfc1123` service name syntax. The cluster domain, `cluster.local`, is an invalid subdomain for the `zones` field.
|
| 66 | +ifdef::openshift-rosa,openshift-dedicated[] |
| 67 | ++ |
| 68 | +[IMPORTANT] |
| 69 | +==== |
| 70 | +Only forward to specific zones, such as your intranet. You must specify at least one zone. Otherwise, your cluster can lose functionality. |
| 71 | +==== |
| 72 | ++ |
| 73 | +endif::[] |
58 | 74 | <3> Defines the policy to select upstream resolvers. Default value is `Random`. You can also use the values `RoundRobin`, and `Sequential`.
|
59 | 75 | <4> A maximum of 15 `upstreams` is allowed per `forwardPlugin`.
|
60 | 76 | <5> Optional. You can use it to override the default policy and forward DNS resolution to the specified DNS resolvers (upstream resolvers) for the default domain. If you do not provide any upstream resolvers, the DNS name queries go to the servers in `/etc/resolv.conf`.
|
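Review bot: The second `+` at new line 72, after the closing `====`, is a continuation with no block following it inside the `ifdef`; the next line is callout `<3>`, which should stay a sibling callout rather than be attached to `<2>`. Drop that `+` and keep only the one before `[IMPORTANT]`. The order here (`ifdef` first, then `+`) also differs from the first hunk, where the `+` precedes the `ifdef`; pick one form for all three blocks.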
@@ -103,6 +119,14 @@ spec:
|
103 | 119 | ----
|
104 | 120 | <1> Must comply with the `rfc6335` service name syntax.
|
105 | 121 | <2> Must conform to the definition of a subdomain in the `rfc1123` service name syntax. The cluster domain, `cluster.local`, is an invalid subdomain for the `zones` field. The cluster domain, `cluster.local`, is an invalid `subdomain` for `zones`.
|
| 122 | +ifdef::openshift-rosa,openshift-dedicated[] |
| 123 | ++ |
| 124 | +[IMPORTANT] |
| 125 | +==== |
| 126 | +Only forward to specific zones, such as your intranet. You must specify at least one zone. Otherwise, your cluster can lose functionality. |
| 127 | +==== |
| 128 | ++ |
| 129 | +endif::[] |
106 | 130 | <3> When configuring TLS for forwarded DNS queries, set the `transport` field to have the value `TLS`.
|
107 | 131 | By default, CoreDNS caches forwarded connections for 10 seconds. CoreDNS will hold a TCP connection open for those 10 seconds if no request is issued. With large clusters, ensure that your DNS server is aware that it might get many new connections to hold open because you can initiate a connection per node. Set up your DNS hierarchy accordingly to avoid performance issues.
|
108 | 132 | <4> When configuring TLS for forwarded DNS queries, this is a mandatory server name used as part of the server name indication (SNI) to validate the upstream TLS server certificate.
|
|
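Review bot: The context line at new line 121, directly above the added block, states the `cluster.local` restriction twice ("is an invalid subdomain for the `zones` field" and "is an invalid `subdomain` for `zones`"); remove the duplicate sentence while this callout is being edited. The `[IMPORTANT]` block at new lines 122-129 is a verbatim copy of the one in the previous hunk, including the trailing `+` before `endif::[]`, so consider moving it to a shared snippet that both callout lists include.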