DNS Spoofing Attacks inside a Cluster

netwalker · June 16, 2020, 2:15pm

How can I protect myself against DNS spoofing attacks in a Kubernetes cluster?
For example. A customer creates a project on a node with a namespace called “com” and a service called “google”

As far as I have tested this, every DNS request within the cluster to google.com should go to the namespace mentioned above. That would be fatal.
Is there a central place where I can specify that the internal DNS (CoreDNS) is only used for internal DNS queries? The external DNS lookups should always be forwarded to the upstream DNS server.

Is there a policy or a config for this that can be used to get the problem under control?

thockin · June 16, 2020, 3:48pm

This is an unfortunate side-effect of aggressive use of search paths. There are 3 main options I see

Don’t create a “com” namespace or allow your users to do so.
Disable search paths via DNSPolicy = “None” + DNSConfig
Always use fully qualified names, including a trailing period, which pypasses any search expansion

Topic		Replies	Views
Kubernetes @ bareMetal: how to deal with DNS? General Discussions	5	4527	February 18, 2020
Support exsiting CoreDNS? General Discussions	1	362	April 1, 2021
Join K8s subdomain infrastructure with existing DNS General Discussions	1	677	January 1, 2020
Kubernetes cluster coredns problem General Discussions network	0	397	May 29, 2024
DNS for discovery of NodePort services from outside the cluster General Discussions	2	4140	August 7, 2018

DNS Spoofing Attacks inside a Cluster

Related topics