#2537 closed defect (invalid)

Host not found in resolver "kube-dns.kube-system.svc.cluster.local". Apparently 'resolver' does not work with long DNS names

Reported by: yersan@… Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.25.x
Keywords: ngx_http_core_module Cc:
uname -a: Linux todo-list-front-5b4c5887fd-tc2b4 5.14.0-162.22.2.el9_1.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 15 14:44:24 EDT 2023 x86_64 Linux
nginx -V: nginx version: nginx/1.24.0
built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4)
built with OpenSSL 3.0.7 1 Nov 2022 (running with OpenSSL 3.0.10 1 Aug 2023)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fomit-frame-pointer -g' --with-ld-opt=-Wl,--as-needed,-O1,--sort-common

Description

Hi, I have the following simple configuration:

/ # cat /etc/nginx/conf.d/nginx.conf
server {
    listen 8080;
    server_name $hostname;
    location / {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ /index.html;
    }
    location /api/ {
        error_log  /var/log/nginx/api-error.log debug;
        resolver kube-dns.kube-system.svc.cluster.local valid=10s;
        set $target todo-list-backend-svc.default.svc.cluster.local;
        proxy_pass http://$target;
    }

Which gives me the following error:

/ # nginx -s reload
2023/08/26 11:16:25 [emerg] 60#60: host not found in resolver "kube-dns.kube-system.svc.cluster.local" in /etc/nginx/conf.d/nginx.conf:11
nginx: [emerg] host not found in resolver "kube-dns.kube-system.svc.cluster.local" in /etc/nginx/conf.d/nginx.conf:11

I've checked that "kube-dns.kube-system.svc.cluster.local" can be resolved locally:

/ # nslookup kube-dns.kube-system.svc.cluster.local
Server:		10.96.0.10
Address:	10.96.0.10:53


Name:	kube-dns.kube-system.svc.cluster.local
Address: 10.96.0.10

This is my /etc/resolv.conf:

/ # cat /etc/resolv.conf
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local localdomain
options ndots:5

When I remove the "svc.cluster.local" from the DNS name, nginx is reloaded without any issue:

/ # cat /etc/nginx/conf.d/nginx.conf
server {
    listen 8080;
    server_name $hostname;
    location / {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ /index.html;
    }
    location /api/ {
        error_log  /var/log/nginx/api-error.log debug;
        resolver kube-dns.kube-system valid=30s;
        set $target todo-list-backend-svc.default.svc.cluster.local;
        proxy_pass http://$target;
    }
/ # nginx -s reload
2023/08/26 11:20:03 [notice] 67#67: signal process started
/ #

So, what is going wrong here? It looks like resolver is unable to deal with long DNS names.

Change History (2)

comment:1 by Maxim Dounin, 16 months ago

There are no restrictions on DNS server name length in resolver. In particular, the name kube-dns.kube-system.svc.cluster.local works fine in my tests.

Rather, I would suggests this is something to do with your system resolver configuration, as nginx uses system resolver to resolve DNS server names specified in the resolver directive.

What does ping kube-dns.kube-system.svc.cluster.local show?

Note that nslookup does not use system resolver, but rather does DNS resolution of the name itself. Moreover, nslookup on Alpine does not know anything about ndots, and therefore will lookup the name as is.

My best guess is that some of the domains in your search list do return an answer for the kube-dns.kube-system.svc.cluster.local name in it, but without any addresses. And the real name is never looked up, since due to ndots:5 search list is tried first.

comment:2 by Maxim Dounin, 13 months ago

Resolution: invalid
Status: newclosed

Feedback timeout. Seems to be a resolver configuration issue.

Note: See TracTickets for help on using tickets.