KUBERNETES: How to Capture TCPDumps To Check Where CoreDNS Is Communicating To External DNS?

KUBERNETES: How to Capture TCPDumps To Check Where CoreDNS Is Communicating To External DNS?

CoreDNS communicates to DNS server over Port 53 and over UDP protocol. CoreDNS runs on Pod Network. When CoreDNS communicates to external DNS, CoreDNS sends the request over its pod network via UDP protocol to underlying host on which it is running, then NAT'ing happens and Pod network IP of coredns gets nat'ed to underlying host IP. Underlying host IP sends the request from coredns to external DNS. External DNS responds back and sends reply to underlying host on which coredns pod runs. Host then again nat's back the reply from DNS and sends it to coredns over its pod network IP.

In order to check if the communication is happening from coredns to external DNS, we have to capture tcpdumps on the host on which coredns is running on UDP protocol and port 53. Below are steps to capture tcpdumps

1) Execute below tcpdump command on the host where coredns pod is running to capture the tcpdumps on UDP and port 53.

In below command replace XX.XX.XX.XX with IP of the host where coredns pod is running, replace YY.YY.YY.YY with the IP of external DNS

sudo tcpdump -nnnni ens3 host XX.XX.XX.XX or host YY.YY.YY.YY and udp port 53

2) Connect to the coredns pod which is running on the host on which tcpdumps is executed (in above step 1). Run nslookup command on the coredns pod to query external DNS as follows for google.com for e.g.

nslookup google.com

In the tcpdumps capture you should be noticing snippets as follows showing the communication in a working scenario.

06:18:21.147166 IP 10.XX.XX.236.1171 > 169.XX.XX.XX.53: 34506+ A? google.com. (28)

06:18:21.147941 IP 169.XX.XX.XX.53 > 10.XX.XX.236.1171: 34506 1/0/0 A 142.250.70.46 (44)

06:18:21.148161 IP 10.XX.XX.XX.45357 > 169.XX.XX.XX4.53: 18678+ AAAA? google.com. (28)

06:18:21.148836 IP 169.XX.XX.XX.53 > 10.XX.XX.XX.45357: 18678 1/0/0 AAAA 2404:6800:4009:829::200e (56)