Hello!

On Thu, Nov 17, 2022 at 05:17:06AM -0500, jeanpaul wrote:

> We're using Nginx as ingress controller in a Kubernetes environment. Nginx
> uses a DNS service inside k8s with 1 single service-IP and multiple DNS PODs
> behind that.
>
> The translation from service-IP to any of the multiple DNS PODs is done via
> DNAT rules.
>
> The problem:
> - Nginx establishes an UDP 'connection' on for example localIP 1.1.1.1
> source-port 12345 towards serviceIP 1.2.3.4
> - DNAT translates this as sourceport 12345 towards any DNS-POD; for example
> 2.3.4.5:53
> - If DNS-POD 2.3.4.5 terminates Nginx is not aware of this because of the
> 'connection' towards serviceIP 1.2.3.4
> - Nginx will send all future DNS request using the same tuple of
> serviceIP:sourcePort, so 1.1.1.1:12345 -> 1.2.3.4:53
> - This will result in a timeout because the destination POD isn't there
> anymore
>
> Is it possible to force Nginx to use different source UDP ports every X
> seconds, of after a timeout?

No, nginx will continue to use the same source port unless there
will be an error when sending a UDP packet, which is not going to
happen in the described setup.

Note that even if there will be a way to force nginx to use
difference source ports every X seconds, this will anyway result
in downtime till the next source port change if the DNS POD
terminates. This suggests that it might be a good idea to rethink
how DNS balancing works in your setup.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-leave@nginx.org