Bug 1709178 - DNS names in egressnetworkpolicies causing heavy querying of DNS servers
Summary: DNS names in egressnetworkpolicies causing heavy querying of DNS servers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: x86_64
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 3.11.z
Assignee: Casey Callendrello
QA Contact: zhaozhanqi
URL:
Whiteboard:
Duplicates: 1741295
Depends On:
Blocks: 1768702
Reported: 2019-05-13 07:06 UTC by Abhishek
Modified: 2023-03-24 14:48 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1768702
Environment:
Last Closed: 2019-11-19 14:36:02 UTC
Target Upstream Version:
Embargoed:
cdc: needinfo-

Links:
- GitHub: openshift/origin pull 22855 (closed) - "Bug 1709178: Prevent egress DNS request flooding", last updated 2020-09-04 11:37:17 UTC
- GitHub: openshift/origin pull 23904 (closed) - "Bug 1709178: Prevent egress DNS request flooding", last updated 2020-09-04 11:37:17 UTC
- Red Hat Product Errata: RHBA-2019:1753, last updated 2019-07-23 19:56:35 UTC

Description Abhishek 2019-05-13 07:06:01 UTC
Description of problem: The dnsName in the egressnetworkpolicy is causing around a thousand DNS queries to be raised to the DNS server without any application pod running on the OCP cluster. Only infra-related pods are running.

OCP version: 3.11

Comment 8 Dan Mace 2019-05-17 14:53:14 UTC
Possible fix: https://github.com/openshift/origin/pull/22855

Comment 10 zhaozhanqi 2019-07-11 07:49:14 UTC
Verified this bug on v3.11.128

with steps:

1. Set up one cluster with 1 master, a compute node and an infra node.
2. Create project z1 and a test pod on the compute node.
3. Create the egressnetworkpolicy in z1 with https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/egress-ingress/dns-egresspolicy1.json
4. rsh into the test pod and run
   ping yahoo.com
5. During the ping, capture DNS packets on the compute node and the infra node with
   `tcpdump -i eth0 -nn port 53`

6. Check that all packets are captured on the compute node and no packets can be captured.
7. Also used Wireshark to capture the packets on the compute node and did not find dns.resp.ttl==0.

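Added example (an editor's addition, not part of this bug's comments and not code from the OpenShift SDN): a small script that reads the output of the `tcpdump -i eth0 -nn port 53` capture from the verification steps above and reports, per querying host and name, how many queries were sent and at what sustained rate, so the flooding in this bug can be quantified instead of eyeballed in a packet list. The capture lines embedded in the block are constructed for the example, the thresholds max_qps and min_count are illustrative, and the line layout assumed is tcpdump's default non-verbose DNS output (the -v and -tttt options change the format and would not parse).

```python
import re
from collections import defaultdict

# Default (non -v) tcpdump line for a DNS query sent to port 53, for example:
#   07:49:14.000100 IP 10.0.0.5.41000 > 10.0.0.2.53: 20000+ A? yahoo.com. (27)
# Answer lines ("... .53 > 10.0.0.5.41000: 20000 1/0/0 A 98.137.11.163 (43)")
# do not match: the destination port is not 53 and there is no "<QTYPE>?" token.
# The optional "[1au]" group covers queries that carry an EDNS OPT record.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<id>\d+)\+?\s*(?:\[\w+\]\s+)?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \("
)


def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (assumes the capture does not cross midnight)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_queries(lines):
    """Return (time, source host, queried name) for every query line; answers and noise are skipped."""
    out = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            out.append((_seconds(m["ts"]), m["src"], m["qname"]))
    return out


def query_stats(lines):
    """Per (source host, name): query count, time span, queries per second, smallest gap between queries."""
    by_key = defaultdict(list)
    for t, src, qname in parse_queries(lines):
        by_key[(src, qname)].append(t)
    stats = {}
    for key, times in by_key.items():
        times.sort()
        span = times[-1] - times[0]
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[key] = {
            "count": len(times),
            "span": span,
            "qps": len(times) / span if span > 0 else 0.0,
            "min_gap": min(gaps) if gaps else None,
        }
    return stats


def flag_flooding(stats, max_qps=2.0, min_count=10):
    """(host, name) pairs whose sustained query rate exceeds max_qps; rare lookups are ignored."""
    return sorted(k for k, s in stats.items() if s["count"] >= min_count and s["qps"] > max_qps)


# Constructed capture (not a real trace): host 10.0.0.5 re-resolves yahoo.com. every 10 ms
# for half a second, interleaved with the answers from resolver 10.0.0.2, plus one ordinary
# lookup from another host that must not be flagged.
SAMPLE_CAPTURE = []
for i in range(50):
    SAMPLE_CAPTURE.append(
        f"07:49:{14 + i * 0.01:09.6f} IP 10.0.0.5.{41000 + i} > 10.0.0.2.53: {20000 + i}+ A? yahoo.com. (27)"
    )
    SAMPLE_CAPTURE.append(
        f"07:49:{14 + i * 0.01 + 0.0005:09.6f} IP 10.0.0.2.53 > 10.0.0.5.{41000 + i}: {20000 + i} 1/0/0 A 98.137.11.163 (43)"
    )
SAMPLE_CAPTURE.append("07:49:14.200000 IP 10.0.0.7.53011 > 10.0.0.2.53: 31000+ A? registry.redhat.io. (36)")
SAMPLE_CAPTURE.append("07:49:14.201200 IP 10.0.0.2.53 > 10.0.0.7.53011: 31000 1/0/0 A 23.39.63.207 (52)")

if __name__ == "__main__":
    stats = query_stats(SAMPLE_CAPTURE)
    for key in flag_flooding(stats):
        s = stats[key]
        print(f"{key[0]} -> {key[1]}: {s['count']} queries in {s['span']:.2f}s ({s['qps']:.0f} q/s)")
```

On a node, save the capture from step 5 to a file (`tcpdump -i eth0 -nn port 53 > dns.txt`) and pass its lines to query_stats; with the egress policy applied and no application pod generating traffic, a policy dnsName showing up at tens or hundreds of queries per second is the symptom reported in this bug, and an empty result on the infra node matches the "no packets captured" check in step 6.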
Comment 12 errata-xmlrpc 2019-07-23 19:56:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1753

Comment 13 Dan Mace 2019-10-02 20:14:37 UTC
I made a mistake and failed to merge the patch to the origin release-3.11 branch and so never shipped in 3.x.

Comment 14 Dan Mace 2019-10-02 20:17:20 UTC
*** Bug 1741295 has been marked as a duplicate of this bug. ***

Comment 16 kedar 2019-11-18 06:10:44 UTC
Hello,

Any updates on this?

Comment 18 Dan Mace 2019-11-19 12:47:37 UTC
The patch landed in the 3.11 branch here: https://github.com/openshift/origin/pull/23904

Moving to ON_QA. Sorry about that.
