1 of 9

Cloud Native DNS

John Belamaric <john@coredns.io>, Maintainer

Distinguished Architect, Infoblox

@johnbelamaric

2 of 9

What is CoreDNS?

  • Cloud native, authoritative DNS server written in Go
    • Not a recursive DNS server (yet...?)
  • Successor to SkyDNS2 for dynamic DNS-based service discovery
  • Flexible, plugin-based, extensible request pipeline
  • Started and led by Miek Gieben, SRE at Google
  • Supported by Infoblox and soon to be used in its SaaS offerings
  • Hosted as an inception project at CNCF

3 of 9

Why CoreDNS?

  • Need for a scalable, extensible, cloud native DNS server
    • A better SkyDNS than SkyDNS
  • CoreDNS is easily extended to support different cloud native stacks
    • Most service discovery solutions tightly tied to orchestrators
  • Unique features and integrations
    • Encrypted DNS over TLS, gRPC, or HTTPS
    • Integration with external policy servers
    • In-cluster Kubernetes DNS service discovery (kube-dns replacement)
    • Dynamic DNS-based service discovery backed by etcd
    • Many more...
  • Modern, supportable, general-purpose authoritative DNS server

4 of 9

Architecture

  • Features are contained in independent plugins
    • Logging
    • Caching
    • Metrics
    • Many more...
  • Queries routed based on zone
  • Different plugin chains for different zones
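As an added illustration (not taken from the deck), a Corefile that shows the routing described above: each server block names the zone it answers for, and the plugins written inside that block are the chain every query for that zone passes through. The zone file, key and certificate paths are placeholders; the plugin names are the ones listed on the Plugins slide.

```corefile
# Authoritative zone example.org on plain DNS, port 53.
# The plugins in this block form the chain for this zone only.
example.org:53 {
    # Log handler errors to stderr.
    errors
    # Query logging.
    log
    # Expose metrics for Prometheus to scrape.
    prometheus :9153
    # Cache positive and negative answers for up to 300 seconds.
    cache 300
    # Sign answers on the fly; placeholder key path.
    dnssec {
        key file /etc/coredns/Kexample.org
    }
    # Ordinary zone file backend; placeholder path.
    file /etc/coredns/db.example.org
}

# The same zone served over DNS-over-TLS on port 853.
# Placeholder certificate and key paths.
tls://example.org:853 {
    tls /etc/coredns/cert.pem /etc/coredns/key.pem
    file /etc/coredns/db.example.org
}

# Catch-all zone ".": anything not matched by a more specific
# block lands here and gets a shorter chain with no signing,
# just a short cache in front of the upstream resolvers.
.:53 {
    errors
    cache 30
    proxy . /etc/resolv.conf
}
```

A query for www.example.org on port 53 is dispatched to the first block and never touches the proxy; a query for any other name goes to the last block. Which zone a query belongs to is decided by the longest matching zone name, so the `.` block only sees what no other block claims.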

5 of 9

Plugins

  • Request Manipulators
    • Cache (positive and negative)
    • Distributed Tracing (OpenTracing)
    • DNSSEC
    • DNS Tap (from our GSoC student!)
    • Health
    • Load Balancer
    • Logging
    • Metrics (Prometheus)
    • Policy integration (out-of-tree with Themis)
    • Proxy (including over gRPC/TLS)
    • Rewrite (including EDNS0)
    • Secondary Server
    • And more...
  • Backends
    • File (ordinary zone file)
    • Auto (files in a directory - great with git-sync!)
    • Etcd (SkyDNS replacement)
    • Kubernetes (Kube-DNS replacement)
    • Hosts (/etc/hosts style files)
    • Consul (WIP)
    • Whoami
    • Other needs...?

6 of 9

CoreDNS Policy Use Case - ActiveTrust Cloud

7 of 9

CoreDNS in Kubernetes

  • Drop-in replacement for kube-dns for in-cluster DNS, with improvements!
    • Simpler with fewer moving parts (single executable and process)
    • Verified pod IPs for secure use of wildcard certificates
    • Customizable DNS entries in and out of the cluster domain
    • Experimental server-side search path to reduce query volume
  • Federation DNS provider
    • Only on-prem alternative to Route53 and Google Cloud DNS
    • Uses etcd plugin to serve federation records
    • Proposed alternate zero-touch federated DNS with or without federation control plane
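The following Corefile is an added example of the in-cluster configuration the slide describes; it is not from the deck or the project's repository. The hosts file path is a placeholder, and the resolv.conf upstream is whatever the node provides.

```corefile
# One process answers for the cluster domain, the reverse zones,
# a few hand-maintained names and everything else upstream.
.:53 {
    errors
    # Liveness endpoint for the kubelet probe.
    health
    # cluster.local and reverse zones are served from the Kubernetes API.
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        # "verified": a name such as 10-1-2-3.default.pod.cluster.local is
        # only answered if a pod with IP 10.1.2.3 really exists in that
        # namespace. The alternative, "insecure", answers for any IP-shaped
        # name, so a wildcard certificate for *.default.pod.cluster.local
        # could be presented for addresses that are not pods at all.
        pods verified
        # PTR queries for non-cluster addresses continue down the chain.
        fallthrough in-addr.arpa ip6.arpa
    }
    # Experimental server-side search path: a bare service name is
    # expanded on the server the way the pod's resolver would do it,
    # saving the client several round trips.
    autopath @kubernetes
    prometheus :9153
    # Custom records outside the cluster domain, /etc/hosts style.
    # Placeholder file; unknown names fall through to the proxy.
    hosts /etc/coredns/extra-hosts {
        fallthrough
    }
    # Everything else goes to the node's upstream resolvers.
    proxy . /etc/resolv.conf
    cache 30
    # Rotate A/AAAA records in answers across replicas.
    loadbalance
}
```

Plugin order in the chain is fixed by the CoreDNS build, not by the order in the file, so the kubernetes plugin always runs before hosts and proxy regardless of how the block is written.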

8 of 9

Future Plans

  • Zero-touch DNSSEC
  • DNS Tap Support
  • gRPC-based service discovery with push
  • Service Registry API (write to etcd or other backend)
  • Multi-cluster service discovery without the federation control plane
  • Built-in policy plugin
  • Policy integration with OpenPolicyAgent
  • What the community needs!
    • Extensibility is a key feature
  • Website redesign

9 of 9

More Information