amazon-vpc-cni-k8s: Intermittent DNS timeouts in a pod

🤯

We plan to address the limitations on TCP DNS queries for Nitro instances, but do not have an ETA for the fix yet.

This should be very clearly documented somewhere.

@mogren, if that’s the case, then you might want to also update some documentation. Currently EKS docs refer to Kubernetes docs, which suggest configuring force_tcp for the node-local DNS cache.

Had the same problem, reached out to aws they confirmed it and said they have no eta for the fix. Just thought i would update the thread with the info incase someone else had the problem

this is what they suggested

 Workaround:

1. Linux users should ensure 'options use-vc’ does not appear in the /etc/resolv.conf
2. Users of CoreDNS should ensure that the option ‘force_tcp’ is not enabled.
3. Customers should make the size of the DNS responses is less than 4096 bytes to ensure it fits in UDP packets.

Hi @Eslamanwar! We have recently found out that using TCP for DNS lookups can cause issues. Do you mind checking that options use-vc is not set in the /etc/resolv.conf and that force_tcp is not set for CoreDNS. Also, it’s best to make sure that the size of the DNS responses is less than 4096 bytes, to ensure it fits in the UDP packets.

I also have a response from AWS Support team on my case:

We have identified that you were using TCP DNS connections to the VPC Resolver. We have identified the root cause as limitations in the current TCP DNS handling on EC2 Nitro Instances. The software which forwards DNS requests to our fleet for resolution is limited to 2 simultaneous TCP connections and blocks on TCP queries for each connection. Volume exceeding 2 simultaneous requests will result in increased latency. It is our recommendation that you prefer UDP DNS lookups to prevent an increase in latency. This should provide an optimal path for DNS requests that are less than 4096 bytes, and minimize the TCP latency to DNS names which exceed 4096 bytes. We plan to address the limitations on TCP DNS queries for Nitro instances, but do not have an ETA for the fix yet.

Hello, any solution for that? We have terrible issues in production because of it

We were having the same issue here https://github.com/kubernetes/dns/issues/387 I’ve removed force_tcp flag from forwarder config in node-localdns but I definetly still see TCP requests and responses to the upstream AWS VPC resolver, and response times are not good - 4,2 and 1 seconds for about 1% of requests, however when I set prefer_udp I see only UDP requests and responses and response times are all good. We use k8s.gcr.io/k8s-dns-node-cache:1.15.12 image.

This just bit us. Any update on a fix? At least documenting this would be helpful.

We were facing the same issue in our clusters. We were using node-local-dns and in ints configuration, we had the force_tcp flag. We were getting lots of timeouts that way. After removing the flag, the timeouts went away.

Seems like it might not be the best idea to upgrade to >1.5.1 when running eks 1.14 https://github.com/aws/containers-roadmap/issues/489

in addition to those performance issues, the proxy plugin is deprecated in future releases of coredns so upgrading from 1.3.1 to 1.5.2 in existing clusters using the same configmap won’t be successful.

Could be related to https://github.com/coredns/coredns/pull/2769 if you’re using CoreDNS. Upgrading to >1.5.1 should fix the issue if that’s the issue you’re facing.

You can further verify that that’s the issue if curl raw.githubusercontent.com fails intermittently, but curl --ipv4 raw.githubusercontent.com never does.