DNS Spoofing Attacks inside a Cluster

netwalker · June 16, 2020, 2:15pm

How can I protect myself against DNS spoofing attacks in a Kubernetes cluster?
For example. A customer creates a project on a node with a namespace called “com” and a service called “google”

As far as I have tested this, every DNS request within the cluster to google.com should go to the namespace mentioned above. That would be fatal.
Is there a central place where I can specify that the internal DNS (CoreDNS) is only used for internal DNS queries? The external DNS lookups should always be forwarded to the upstream DNS server.

Is there a policy or a config for this that can be used to get the problem under control?

thockin · June 16, 2020, 3:48pm

This is an unfortunate side-effect of aggressive use of search paths. There are 3 main options I see

Don’t create a “com” namespace or allow your users to do so.
Disable search paths via DNSPolicy = “None” + DNSConfig
Always use fully qualified names, including a trailing period, which pypasses any search expansion

Topic		Replies	Views
Kubernetes @ bareMetal: how to deal with DNS? General Discussions	5	3711	February 18, 2020
Support exsiting CoreDNS? General Discussions	1	326	April 1, 2021
Join K8s subdomain infrastructure with existing DNS General Discussions	1	590	January 1, 2020
DNS for discovery of NodePort services from outside the cluster General Discussions	2	3675	August 7, 2018
How should I point a DNS server to a High Availability Microk8s cluster? microk8s microk8s	2	1854	August 16, 2021

DNS Spoofing Attacks inside a Cluster

Related Topics