We’re happy to announce that we now support NodeLocal DNSCache on our managed clusters for those who need the performance improvements it provides. It also resolves the issue of conntrack tables filling up on the nodes of some clusters.
NodeLocal DNSCache improves cluster DNS performance by running a DNS caching agent on cluster nodes as a DaemonSet. In today’s architecture, Pods in ClusterFirst DNS mode reach out to the kube-dns service IP for DNS queries. This is translated to a kube-dns/CoreDNS endpoint via iptables rules added by kube-proxy. With the new architecture, Pods reach out to the DNS caching agent running on the same node instead, thereby avoiding iptables DNAT rules and connection tracking. The local caching agent queries the kube-dns service for cache misses of cluster hostnames (cluster.local suffix by default).
There are several reasons to use this feature; we consider the following the most important:
- Reduced DNS resolving latency
- Reduced conntrack entries
- Per-node DNS metrics and visibility
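The conntrack reduction is easy to measure on a node: before NodeLocal DNSCache, every Pod DNS query toward the kube-dns service IP leaves a conntrack entry (the DNAT to a CoreDNS endpoint is visible in the reply direction), and after rollout those entries should largely disappear because Pods talk to the local agent without connection tracking. The following script is an added example, not part of this announcement or of the NodeLocal DNSCache project: it summarises `conntrack -L` output by protocol and original destination for port 53 flows. The sample lines, the kube-dns service IP 10.96.0.10 and the Pod IPs are constructed for illustration.

```shell
#!/bin/sh
# Summarise DNS-related conntrack entries from `conntrack -L` output on stdin.
# Only the original direction (first dst=/dport= pair) is inspected, so the
# key is the address the Pod actually dialed (the service IP before DNAT).
dns_conntrack_summary() {
    awk '
        {
            dst = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            # $1 is the protocol name (udp/tcp); count only DNS flows
            if (dport == "53") n[$1 " " dst]++
        }
        END { for (k in n) printf "%s %d\n", k, n[k] }
    ' | sort
}

# Total number of DNS conntrack entries (sum of the per-destination counts).
dns_conntrack_total() {
    dns_conntrack_summary | awk '{ s += $3 } END { print s + 0 }'
}

# Constructed sample of `conntrack -L` output from a node without NodeLocal
# DNSCache: Pod queries go to the kube-dns service IP and are DNATed to a
# CoreDNS Pod (visible as the reply src). The NTP line must not be counted.
SAMPLE_CONNTRACK='udp      17 28 src=10.244.1.5 dst=10.96.0.10 sport=45123 dport=53 src=10.244.0.3 dst=10.244.1.5 sport=53 dport=45123 mark=0 use=1
udp      17 29 src=10.244.1.7 dst=10.96.0.10 sport=51002 dport=53 src=10.244.0.4 dst=10.244.1.7 sport=53 dport=51002 mark=0 use=1
tcp      6 117 TIME_WAIT src=10.244.1.5 dst=10.96.0.10 sport=38812 dport=53 src=10.244.0.3 dst=10.244.1.5 sport=53 dport=38812 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.244.1.5 dst=10.96.0.1 sport=50000 dport=443 src=10.96.0.1 dst=10.244.1.5 sport=443 dport=50000 [ASSURED] mark=0 use=1
udp      17 17 src=10.244.1.5 dst=8.8.8.8 sport=40001 dport=123 src=8.8.8.8 dst=10.244.1.5 sport=123 dport=40001 mark=0 use=1'

# Demonstration on the constructed sample; on a real node run:
#   conntrack -L 2>/dev/null | dns_conntrack_summary
printf '%s\n' "$SAMPLE_CONNTRACK" | dns_conntrack_summary
printf 'total DNS entries: %s\n' "$(printf '%s\n' "$SAMPLE_CONNTRACK" | dns_conntrack_total)"
```

Run it on a node before and after the DaemonSet is rolled out: the count keyed on the kube-dns service IP is what you expect to drop, while unrelated entries (the API server and NTP lines in the sample) are unaffected.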
At this moment we don’t deploy NodeLocal DNSCache by default. However, we will contact you and roll it out for some of our highest-traffic clusters, or for clusters running into any of the aforementioned DNS-related issues. Of course, as always, feel free to talk to your Lead if you are interested in this feature.
Once rolled out, no follow-up action is required on your part. Application Pods will transparently use the locally running CoreDNS cache as their resolver.