Note: this seems to be a Kubernetes routing issue from my dig results. What is interesting to me is that "something" is still responding and correctly then on the network?
Expected Behaviour:
Block double click outside of Kubernetes pod as well.
OS: Debian 11
HW: Kubernetes in Alpine Linux in ESXi on Intel NUC.
dig doubleclick.com @192.168.7.9 to return 0.0.0.0. Interestingly, dig doubleclick.com +tcp @192.168.7.9 does return 0.0.0.0.
Inside pod, both return 0.0.0.0
Image being used is pihole/pihole
Actual Behaviour:
+ kubectl exec -it deployment/pihole -- dig doubleclick.com @192.168.7.9
; <<>> DiG 9.16.27-Debian <<>> doubleclick.com @192.168.7.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22463
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;doubleclick.com. IN A
;; ANSWER SECTION:
doubleclick.com. 2 IN A 0.0.0.0
;; Query time: 0 msec
;; SERVER: 192.168.7.9#53(192.168.7.9)
;; WHEN: Mon Aug 08 10:02:02 PDT 2022
;; MSG SIZE rcvd: 60
+ kubectl exec -it deployment/pihole -- dig doubleclick.com +tcp @192.168.7.9
; <<>> DiG 9.16.27-Debian <<>> doubleclick.com +tcp @192.168.7.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17769
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;doubleclick.com. IN A
;; ANSWER SECTION:
doubleclick.com. 2 IN A 0.0.0.0
;; Query time: 9 msec
;; SERVER: 192.168.7.9#53(192.168.7.9)
;; WHEN: Mon Aug 08 10:02:02 PDT 2022
;; MSG SIZE rcvd: 60
+ dig doubleclick.com @192.168.7.9
; <<>> DiG 9.18.5 <<>> doubleclick.com @192.168.7.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;doubleclick.com. IN A
;; ANSWER SECTION:
doubleclick.com. 300 IN A 142.251.215.238
;; Query time: 61 msec
;; SERVER: 192.168.7.9#53(192.168.7.9) (UDP)
;; WHEN: Mon Aug 08 10:02:02 PDT 2022
;; MSG SIZE rcvd: 60
+ dig doubleclick.com +tcp @192.168.7.9
; <<>> DiG 9.18.5 <<>> doubleclick.com +tcp @192.168.7.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32759
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;doubleclick.com. IN A
;; ANSWER SECTION:
doubleclick.com. 2 IN A 0.0.0.0
;; Query time: 9 msec
;; SERVER: 192.168.7.9#53(192.168.7.9) (TCP)
;; WHEN: Mon Aug 08 10:02:02 PDT 2022
;; MSG SIZE rcvd: 60
Kubernetes Service definition
apiVersion: v1
kind: Service
metadata:
  name: pihole-web
  annotations:
    metallb.universe.tf/allow-shared-ip: "pihole"
spec:
  type: LoadBalancer
  loadBalancerIP: 192.168.7.9
  externalTrafficPolicy: Local
  selector:
    app: pihole
  ports:
    - name: web
      port: 80
      targetPort: 80
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: pihole-dns-tcp
  annotations:
    metallb.universe.tf/allow-shared-ip: "pihole"
spec:
  type: LoadBalancer
  loadBalancerIP: 192.168.7.9
  externalTrafficPolicy: Local
  selector:
    app: pihole
  ports:
    - name: dns-tcp
      port: 53
      targetPort: 53
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: pihole-dns-udp
  annotations:
    metallb.universe.tf/allow-shared-ip: "pihole"
spec:
  type: LoadBalancer
  loadBalancerIP: 192.168.7.9
  externalTrafficPolicy: Local
  selector:
    app: pihole
  ports:
    - name: dns-udp
      port: 53
      targetPort: 53
      protocol: UDP
in the deployment,
ports:
  - containerPort: 53
    protocol: TCP
  - containerPort: 53
    protocol: UDP
  - containerPort: 80
    protocol: TCP
service seems to have the same endpoint?
➜ marco-polo git:(master) ✗ kubectl describe service/pihole-dns-udp service/pihole-dns-tcp
Name: pihole-dns-udp
Namespace: default
Labels: <none>
Annotations: metallb.universe.tf/allow-shared-ip: pihole
Selector: app=pihole
Type: LoadBalancer
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.43.89.193
IPs: 10.43.89.193
IP: 192.168.7.9
LoadBalancer Ingress: 192.168.7.9
Port: dns-udp 53/UDP
TargetPort: 53/UDP
NodePort: dns-udp 32311/UDP
Endpoints: 10.42.1.46:53
Session Affinity: None
External Traffic Policy: Local
HealthCheck NodePort: 31591
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal nodeAssigned 35s (x421 over 16h) metallb-speaker announcing from node "esxi-worker" with protocol "bgp"
Name: pihole-dns-tcp
Namespace: default
Labels: <none>
Annotations: metallb.universe.tf/allow-shared-ip: pihole
Selector: app=pihole
Type: LoadBalancer
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.43.194.51
IPs: 10.43.194.51
IP: 192.168.7.9
LoadBalancer Ingress: 192.168.7.9
Port: dns-tcp 53/TCP
TargetPort: 53/TCP
NodePort: dns-tcp 31766/TCP
Endpoints: 10.42.1.46:53
Session Affinity: None
External Traffic Policy: Local
HealthCheck NodePort: 32224
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal nodeAssigned 35s (x421 over 16h) metallb-speaker announcing from node "esxi-worker" with protocol "bgp"
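
Added example, not part of the original post: a small comparison of the dig replies shown above, extracting the fields that identify which resolver produced an answer (the `aa` flag, EDNS UDP size, TTL and address). The two sample strings are trimmed copies of the in-pod and outside UDP outputs from the post; the function names are hypothetical, and reading a mismatch as "a different responder answered" is an interpretation, not something the post confirms.

```python
import re

# Trimmed copies of two dig outputs from the post (same server address queried).
IN_POD_UDP = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
doubleclick.com. 2 IN A 0.0.0.0
;; SERVER: 192.168.7.9#53(192.168.7.9)
"""
OUTSIDE_UDP = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512
doubleclick.com. 300 IN A 142.251.215.238
;; SERVER: 192.168.7.9#53(192.168.7.9) (UDP)
"""

def fingerprint(dig_text):
    """Extract the fields that characterise which resolver produced a reply."""
    flags = re.search(r"^;; flags: ([a-z ]+);", dig_text, re.M)
    edns = re.search(r"^; EDNS:.*udp: (\d+)", dig_text, re.M)
    server = re.search(r"^;; SERVER: (\S+?)#", dig_text, re.M)
    # Answer records are the only non-comment lines of the form "name TTL IN A addr".
    answers = re.findall(r"^(?!;)\S+\s+(\d+)\s+IN\s+A\s+(\S+)", dig_text, re.M)
    return {
        "server": server.group(1) if server else None,
        "authoritative": bool(flags) and "aa" in flags.group(1).split(),
        "edns_udp": int(edns.group(1)) if edns else None,
        "ttls": [int(t) for t, _ in answers],
        "addresses": [a for _, a in answers],
    }

def compare(reference, candidate):
    """Return the fields where candidate differs from a known-good reply."""
    ref, cand = fingerprint(reference), fingerprint(candidate)
    return {k: (ref[k], cand[k]) for k in ref if ref[k] != cand[k]}

if __name__ == "__main__":
    # Same queried server, yet every resolver-specific field differs.
    for field, (good, seen) in compare(IN_POD_UDP, OUTSIDE_UDP).items():
        print(f"{field}: in-pod={good!r} outside={seen!r}")
```

Running the same comparison on the outside `+tcp` output from the post yields no differences from the in-pod reply, which narrows the discrepancy to the UDP path.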