Add the min-port=1024 setting to the dnsmasq configuration.

In the course of the ongoing effort to resolve bug 1600551, we fixed an issue related to the dnsmasq configuration. Although bug 1600551 remains unresolved at this time and may have multiple underlying causes, we do want to verify and ship the change to the dnsmasq configuration.

+++ This bug was initially created as a clone of Bug #1600551 +++

Description of problem:

Pods are experiencing intermittent DNS lookup failures when reaching out to dnsmasq.

A similar upstream issue has been reported:
https://github.com/kubernetes/kubernetes/issues/45976

[...]

--- Additional comment from Ryan Howe on 2018-08-09 10:28:47 EDT ---

Working another OpenShift dnsmasq issue we figured the issue to happen when dnsmasq uses a low port number. Setting min-port=1024 in dnsmasq worked around the issue.

--min-port=<port>
    Do not use ports less than that given as source for outbound DNS queries. Dnsmasq picks random ports as source for outbound queries: when this option is given, the ports used will always to larger than that specified. Useful for systems behind firewalls.

Dnsmasq bug was logged:
https://bugzilla.redhat.com/show_bug.cgi?id=1614331

I was not able to reproduce the issue again with this configuration in place.

--- Additional comment from Ryan Howe on 2018-08-09 11:11:26 EDT ---

Created PR to add this configuration via the ansible installer for OpenShift:
https://github.com/openshift/openshift-ansible/pull/9505

[...]

Tested and verified in v3.7.62

[root@ip-172-18-6-36 ~]# oc version
oc v3.7.62
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ip-172-18-6-36.ec2.internal:8443
openshift v3.7.62
kubernetes v1.7.6+a08f5eeb62

[root@ip-172-18-6-36 ~]# cat /etc/NetworkManager/dispatcher.d/99-origin-dns.sh | grep mi
# couldn't find an existing method to determine if the interface owns the
min-port=1024
[root@ip-172-18-6-36 ~]# cat /etc/dnsmasq.d/origin-dns.conf | grep min
min-port=1024
[root@ip-172-18-6-36 ~]#
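
A stricter form of the grep check used in the verification above, as an added example that is not part of the bug report or of openshift-ansible. The function name audit_min_port, the pass criteria (min-port present, every occurrence between the floor and 65535) and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# audit_min_port FLOOR FILE...
# Prints one finding per min-port line; returns 0 only when min-port is set
# and every occurrence is within FLOOR..65535 (assumed pass criteria).
audit_min_port() {
    floor=$1; shift
    seen=0; bad=0
    for file in "$@"; do
        if [ ! -r "$file" ]; then echo "SKIP $file (not readable)"; continue; fi
        while IFS= read -r line || [ -n "$line" ]; do
            # Drop comments and whitespace so "#min-port=1024" never counts.
            line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
            case $line in
                min-port=*) value=${line#min-port=} ;;
                *) continue ;;
            esac
            seen=1
            case $value in
                ''|*[!0-9]*) ok=0 ;;   # empty or non-numeric value
                *) if [ "$value" -ge "$floor" ] && [ "$value" -le 65535 ]
                   then ok=1; else ok=0; fi ;;
            esac
            if [ "$ok" -eq 1 ]; then
                echo "OK   $file: min-port=$value"
            else
                echo "FAIL $file: min-port=$value (want $floor..65535)"
                bad=1
            fi
        done < "$file"
    done
    if [ "$seen" -eq 0 ]; then echo "FAIL min-port is not set in any file"; bad=1; fi
    return "$bad"
}

# Demo on constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'min-port=1024\n' > "$demo_dir/good.conf"
printf '# min-port=1024\nmin-port=53\n' > "$demo_dir/low.conf"
audit_min_port 1024 "$demo_dir/good.conf" || true
audit_min_port 1024 "$demo_dir/low.conf" || true
```

On a node, the same function can be pointed at /etc/dnsmasq.d/origin-dns.conf; unlike a plain grep, it does not count a commented-out setting or a value below the floor as a pass.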