netpol - TCP Allow needed when switching from v1.9.3-eksbuild.7 to v1.10.1-eksbuild.[1-7] #6572
-
Probably the message is bigger on 1.10 than on 1.9.
"To comply with DNS standards, responses sent over UDP are no more than 512 bytes in size. Responses exceeding 512 bytes are truncated and the resolver must re-issue the request over TCP." https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSBehavior.html
-
Note that I recall there being a bug that was fixed at some point regarding stripping of TC bits from upstream responses. Possibly the bug was present in 1.9.3 and fixed some time before the 1.10.1 release. I don't know the exact version. Anyway, the current behavior appears correct.
-
We had a k8s cilium networkpolicy as shown below, running on k8s 1.27.
Using coredns v1.10.1-eksbuild.7 (or .1 or .4), when starting a busybox and doing an nslookup on registry.yarnpkg.com it seems to hang, no answer. coredns verbose logging shows only udp lines, but the client does not get an answer.
When switching to coredns version v1.9.3-eksbuild.7 the client gets an answer.
Using coredns v1.10.1-eksbuild.7 (or .1 or .4) with the networkpolicy on ANY for port 53 we were able to make it work, and you can see the last two lines using tcp.
Questions:
Thoughts on the different lookup udp/tcp behaviour between
v1.9.3-eksbuild.7
and v1.10.1-eksbuild.*
would be appreciated.
Added:
_Maybe something in buffer size behaviour, as one of my colleagues noted:_
116ee6f
_Is there something documented on this behaviour?_
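The poster's policy is not reproduced on the page, so here is an added example of a Cilium egress policy (not the poster's own) that allows both transports on port 53, so that a truncated UDP answer can be re-issued over TCP instead of hanging; it assumes CoreDNS runs in kube-system with the label `k8s-app: kube-dns`, and the policy name is a placeholder.

```yaml
# Added example: CiliumNetworkPolicy allowing pod-to-CoreDNS lookups over
# UDP and TCP. A policy listing only "port 53 / UDP" lets the initial query
# through, but when CoreDNS returns a response with the TC bit set (answer
# larger than 512 bytes) the client's retry over TCP is dropped, which shows
# up as nslookup hanging while CoreDNS logs only udp lines.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-dns-egress            # placeholder name
spec:
  endpointSelector: {}              # applies to all pods in this namespace
  egress:
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system   # assumed location
        k8s:k8s-app: kube-dns                          # assumed CoreDNS label
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP               # normal queries
      - port: "53"
        protocol: TCP               # retry after a truncated (TC=1) reply
```

Cilium also accepts `protocol: ANY` for a single port entry, which is the setting the poster used to get lookups working.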