We are using CoreDNS as a sidecar in our service mesh. CoreDNS is listening on port 15053. Both the application and CoreDNS are Docker containers running inside an AWS ECS task using awsvpc mode. To direct all DNS requests from the application to CoreDNS, I am using the iptables rules mentioned below. However, I have been encountering intermittent DNS resolution failures with certain applications.
I am using the following iptables rules:
# iptables-save syntax; REDIRECT is a nat-table target, so these live in the nat OUTPUT chain
# Exempt the resolver's own UDP queries (uid/gid 65534) so they are not looped back to 15053
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner 65534 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -m owner --gid-owner 65534 -j RETURN
# All other UDP and TCP queries to port 53 go to CoreDNS; the TCP rule has no owner exemption
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 15053
I checked the CPU and memory of both containers and the instance; those are below 30%. I have also verified that CoreDNS is running and reachable. I also checked the presence of DNS records by querying CoreDNS directly via dig. These errors occur sporadically, approximately once in every thousand requests.
I enabled CoreDNS logs and it appears that the requests are not reaching CoreDNS, suggesting a potential issue with iptables. I have enabled iptables logging but could not find any errors or dropped packets in the logs. I also verified conntrack, open file limits, etc. Unfortunately, I am unable to determine the specific ulimits that may be causing these intermittent errors.
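One check worth running against a rule set like the one in the question is whether every REDIRECT of port 53 to the sidecar is preceded by an owner exemption for the resolver's own uid, since a redirect without one sends the resolver's upstream queries back to itself. The script below is an added example, not code from the question or from CoreDNS; it parses iptables-save style lines, reports redirected protocols that lack a uid-owner RETURN, and generates the exemption lines that would be missing. It assumes the sidecar runs as uid 65534 and that the rules live in the nat OUTPUT chain (both implied by the posted rules); the `POSTED_RULES` input is constructed from the four rules in the question, and `parse_rule`, `unexempted_redirects` and `missing_exemption_rules` are names chosen here.

```python
"""Lint iptables-save style OUTPUT rules that redirect DNS to a local resolver.

Added example, not part of the original post. Assumption: the resolver sidecar
runs as uid RESOLVER_UID, and a REDIRECT of dport 53 with no preceding RETURN
for that uid means the resolver's own upstream queries get redirected back to
the sidecar. Runs offline on rule text pasted from iptables-save.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

RESOLVER_UID = "65534"   # uid/gid CoreDNS runs as (assumed from the posted rules)
DNS_PORT = "53"

# Constructed input: the four rules from the question, in iptables-save syntax.
POSTED_RULES = """
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner 65534 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -m owner --gid-owner 65534 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 15053
"""


@dataclass
class Rule:
    chain: str
    proto: Optional[str] = None
    dport: Optional[str] = None
    uid_owner: Optional[str] = None
    gid_owner: Optional[str] = None
    target: Optional[str] = None
    to_ports: Optional[str] = None


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ...' line; returns None for blank/comment/other lines."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = Rule(chain=toks[1])
    i = 2
    while i < len(toks):
        tok = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-p":
            rule.proto = val
        elif tok == "--dport":
            rule.dport = val
        elif tok == "--uid-owner":
            rule.uid_owner = val
        elif tok == "--gid-owner":
            rule.gid_owner = val
        elif tok == "-j":
            rule.target = val
        elif tok == "--to-ports":
            rule.to_ports = val
        elif tok == "-m":
            pass  # match extension name (udp, tcp, owner); its options follow
        else:
            i += 1  # unknown flag without a value we care about
            continue
        i += 2
    return rule


def parse_rules(text: str) -> List[Rule]:
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]


def redirect_ports(rules: List[Rule]) -> Dict[str, str]:
    """Map protocol -> port that DNS traffic is redirected to."""
    return {r.proto: r.to_ports for r in rules
            if r.chain == "OUTPUT" and r.dport == DNS_PORT and r.target == "REDIRECT"}


def unexempted_redirects(rules: List[Rule], uid: str = RESOLVER_UID) -> List[str]:
    """Protocols whose REDIRECT of dport 53 is not preceded by a uid-owner RETURN.

    Rule order matters: iptables evaluates top to bottom, so the RETURN must come
    before the REDIRECT for the same protocol.
    """
    exempted, problems = set(), []
    for r in rules:
        if r.chain != "OUTPUT" or r.dport != DNS_PORT or r.proto is None:
            continue
        if r.target == "RETURN" and r.uid_owner == uid:
            exempted.add(r.proto)
        elif r.target == "REDIRECT" and r.proto not in exempted:
            problems.append(r.proto)
    return problems


def missing_exemption_rules(rules: List[Rule], uid: str = RESOLVER_UID) -> List[str]:
    """Exemption lines to insert ahead of each unexempted REDIRECT."""
    return [f"-A OUTPUT -p {p} -m {p} --dport {DNS_PORT} -m owner --uid-owner {uid} -j RETURN"
            for p in unexempted_redirects(rules, uid)]


if __name__ == "__main__":
    parsed = parse_rules(POSTED_RULES)
    print("redirect targets:", redirect_ports(parsed))
    for line in missing_exemption_rules(parsed):
        print("missing exemption:", line)
```

Run it with `iptables-save -t nat | python3 lint_dns_redirect.py` style input by replacing `POSTED_RULES` with stdin; on the rules from the question it reports only the TCP redirect as lacking an owner exemption. Whether that explains the one-in-a-thousand failures depends on whether CoreDNS ever talks TCP upstream (for example after a truncated UDP answer), which the script does not determine.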