WEBVTT

00:00.000 --> 00:16.000
All right, next we have Nadia talking about a highly available, ad-blocking, private

00:16.000 --> 00:18.000
DNS setup in Kubernetes.

00:18.000 --> 00:22.000
But I've been told you do not need to know Kubernetes to have fun in this talk.

00:22.000 --> 00:23.000
Exactly.

00:23.000 --> 00:24.000
All right.

00:24.000 --> 00:25.000
Good luck.

00:25.000 --> 00:30.000
Okay.

00:30.000 --> 00:31.000
Hello, everybody.

00:31.000 --> 00:33.000
Welcome to this talk.

00:33.000 --> 00:35.000
Is this on?

00:35.000 --> 00:38.000
Is this okay?

00:38.000 --> 00:39.000
Okay.

00:39.000 --> 00:40.000
Better now.

00:40.000 --> 00:42.000
Good.

00:42.000 --> 00:43.000
Still okay now.

00:43.000 --> 00:45.000
I don't want to look down.

00:45.000 --> 00:46.000
Good.

00:46.000 --> 00:47.000
So welcome.

00:47.000 --> 00:49.000
Welcome again to this talk.

00:49.000 --> 00:54.000
As I have said, I mean, as Peter said, this is like a very, very long title.

00:54.000 --> 01:00.000
Uh, explicitly engineered to catch your attention, like if I were to talk about this with friends,

01:00.000 --> 01:04.000
I would rather call this like a cool, over-engineered DNS setup.

01:04.000 --> 01:09.000
So I think that's like a more faithful representation of reality.

01:09.000 --> 01:10.000
Cool.

01:10.000 --> 01:12.000
So, again, my name is Nadia.

01:12.000 --> 01:16.000
You have my contact info and my website in the footer there.

01:16.000 --> 01:18.000
So let's get into the agenda.

01:18.000 --> 01:20.000
So we have a lot of things to talk today.

01:20.000 --> 01:22.000
I have not rehearsed this.

01:22.000 --> 01:24.000
I have no idea if I will have time for demos.

01:24.000 --> 01:26.000
I will do my best.

01:26.000 --> 01:28.000
But in a nutshell, first of all,

01:28.000 --> 01:32.000
you may have noticed that there is some sort of elephant in this room after you have seen the title.

01:32.000 --> 01:34.000
So we will address that.

01:34.000 --> 01:38.000
Then I will present you my wish list for the DNS setup.

01:38.000 --> 01:40.000
And we will talk about that.

01:40.000 --> 01:44.000
Then I will briefly talk about Kubernetes. Again,

01:44.000 --> 01:50.000
no prior experience needed, but I will comment on why Kubernetes and how Kubernetes helps with this.

01:50.000 --> 01:54.000
And then we will get into the DNS gory details.

01:54.000 --> 01:58.000
We will talk about how we do DHCP with dnsmasq.

01:58.000 --> 02:01.000
There is a connection here between DHCP and DNS, trust me.

02:01.000 --> 02:06.000
And then we will talk about more DNS stuff like what's my upstream server,

02:06.000 --> 02:09.000
which is dnscrypt-proxy, and stateless DNS,

02:09.000 --> 02:12.000
which does cool stuff with DNS and Kubernetes.

02:12.000 --> 02:17.000
And then how we are going to tie everything together with dnsmasq.

02:17.000 --> 02:21.000
Okay, so first of all, the elephant in this room.

02:21.000 --> 02:23.000
Is this talk about Pi-hole?

02:23.000 --> 02:25.000
No, it is not.

02:25.000 --> 02:27.000
Why didn't you use Pi-hole?

02:27.000 --> 02:29.000
Will be like the second elephant in this room.

02:29.000 --> 02:31.000
Well, because I didn't want to.

02:31.000 --> 02:33.000
I mean, Pi-hole is great software.

02:33.000 --> 02:35.000
If you are happy with Pi-hole, that's amazing.

02:35.000 --> 02:37.000
Pi-hole is amazing.

02:37.000 --> 02:41.000
If you have a use case that Pi-hole solves, then go ahead.

02:41.000 --> 02:43.000
That's great.

02:43.000 --> 02:46.000
I chose to go the hard way because I think it's more fun.

02:46.000 --> 02:50.000
And because I think you learn stuff doing that.

02:50.000 --> 02:56.000
And you can also do some things that are harder to do with out of the box solutions.

02:56.000 --> 02:58.000
So we won't talk about Pi-hole anymore.

02:58.000 --> 03:00.000
Whoops, not back, forward.

03:00.000 --> 03:02.000
Okay, we used this.

03:02.000 --> 03:08.000
So when I was trying to come up with this DNS setup for my network,

03:08.000 --> 03:14.000
I was thinking, what kind of stuff do I want to have in this network, right?

03:14.000 --> 03:20.000
So first one, not sure if it's the most important, but certainly quite an important requirement, is to block ads.

03:20.000 --> 03:22.000
Why?

03:22.000 --> 03:24.000
Because they are exploitative.

03:24.000 --> 03:25.000
They are bad for you.

03:25.000 --> 03:28.000
They are bad for your mental health, and they are a malware vector.

03:28.000 --> 03:30.000
So let's get rid of those.

03:30.000 --> 03:32.000
Second thing, it has to be fast.

03:32.000 --> 03:34.000
Like time to resolve.

03:34.000 --> 03:40.000
That's what I mean by TTR here. It's like a huge factor in perceived speed.

03:40.000 --> 03:42.000
You open up a browser, you go to a URL.

03:42.000 --> 03:44.000
First thing you need to do, resolve a name.

03:44.000 --> 03:48.000
Maybe one, if you are lucky, maybe ten, if you are not so lucky.

03:48.000 --> 03:58.000
So the time it takes to resolve that is, again, a major factor in how the speed of your network is perceived by users.

03:58.000 --> 04:00.000
Third thing, it has to be private.

04:00.000 --> 04:04.000
If you usually use your ISP DNS,

04:04.000 --> 04:08.000
like the DNS that ships with your ISP router,

04:08.000 --> 04:10.000
these are dubious at best.

04:10.000 --> 04:14.000
Hopefully they are fast, not guaranteed, but they are definitely not private.

04:14.000 --> 04:20.000
And some of them do funny stuff with domain names that do not exist.

04:20.000 --> 04:22.000
These are bad.

04:22.000 --> 04:24.000
Okay, so what if I point to 8.8.8.8?

04:24.000 --> 04:28.000
Well, I mean, I will point to 8.8.8.8 in particular.

04:28.000 --> 04:32.000
But doing this unencrypted, I would say, is dubious.

04:32.000 --> 04:38.000
I don't feel comfortable sending unencrypted traffic through my network.

04:38.000 --> 04:40.000
That can be trivially monitored by anyone.

04:40.000 --> 04:42.000
I don't know if my ISP is doing this.

04:42.000 --> 04:46.000
I hope it isn't, but I don't want to try it.

04:46.000 --> 04:50.000
Okay, more things, be flexible.

04:50.000 --> 04:54.000
So that's kind of a given, but I want to be able to maybe unblock this name

04:54.000 --> 04:58.000
that is in a block list somewhere, but I do want to use it.

04:58.000 --> 05:01.000
I want to be able to integrate with DHCP because that's quite nice.

05:01.000 --> 05:05.000
You can just ping a hostname and that just works.

05:05.000 --> 05:07.000
And I want it to integrate maybe with other name servers.

05:07.000 --> 05:09.000
We will see how that works.

05:09.000 --> 05:12.000
Like maybe a very specific name server for a niche application.

05:12.000 --> 05:15.000
So the flexibility is kind of important.

05:15.000 --> 05:21.000
And maybe the most important thing on this, on my requirement list, is to be reliable.

05:21.000 --> 05:24.000
If your home DNS is down, there is no internet.

05:24.000 --> 05:26.000
People will yell at you.

05:26.000 --> 05:28.000
People who live with you will yell at you.

05:28.000 --> 05:30.000
Hey, internet is down.

05:31.000 --> 05:33.000
Did you mess up with DNS again?

05:33.000 --> 05:34.000
Yeah.

05:34.000 --> 05:38.000
I used to get these questions quite a lot.

05:38.000 --> 05:39.000
Like once a month.

05:39.000 --> 05:42.000
Since I deployed this thing, zero.

05:42.000 --> 05:43.000
Not a single time.

05:43.000 --> 05:45.000
And I am very proud of this.

05:45.000 --> 05:46.000
Not a single time.

05:46.000 --> 05:48.000
have the people living in my house told me,

05:48.000 --> 05:49.000
Did you mess up with DNS again?

05:49.000 --> 05:50.000
It just works.

05:50.000 --> 05:55.000
And I can update and restart and do stuff and everything just works.

05:55.000 --> 05:56.000
That is amazing.

05:56.000 --> 05:59.000
And that is something that Kubernetes really helps with.

05:59.000 --> 06:00.000
Okay.

06:00.000 --> 06:01.000
Overview.

06:01.000 --> 06:02.000
Let's go.

06:02.000 --> 06:03.000
Spoiler.

06:03.000 --> 06:04.000
Don't look at this very much.

06:04.000 --> 06:05.000
We will look at it again.

06:05.000 --> 06:07.000
But you may see that there are Kubernetes pods.

06:07.000 --> 06:08.000
There are nodes.

06:08.000 --> 06:09.000
There is CoreDNS.

06:09.000 --> 06:10.000
We are not talking about CoreDNS.

06:10.000 --> 06:11.000
So you can ignore it.

06:11.000 --> 06:14.000
There are other devices, that is, devices that are outside the Kubernetes network.

06:14.000 --> 06:15.000
There is dnsmasq.

06:15.000 --> 06:16.000
Lots of stuff.

06:16.000 --> 06:18.000
Don't look at this too much.

06:18.000 --> 06:20.000
We will go to that later.

06:20.000 --> 06:21.000
Okay.

06:21.000 --> 06:25.000
So let's get into the Kubernetes stuff.

06:25.000 --> 06:26.000
Why Kubernetes?

06:26.000 --> 06:31.000
Why would you run your DNS setup inside Kubernetes?

06:31.000 --> 06:35.000
Because Kubernetes is quite nice for a lot of stuff.

06:35.000 --> 06:37.000
And I can say it here,

06:37.000 --> 06:42.000
I can go on record to say that Kubernetes makes failover and high availability,

06:42.000 --> 06:44.000
that's what I mean by HA,

06:44.000 --> 06:45.000
For free.

06:45.000 --> 06:46.000
Mostly.

06:46.000 --> 06:47.000
For free.

06:47.000 --> 06:49.000
I mean in cognitive load.

06:49.000 --> 06:51.000
Not in terms of cash.

06:51.000 --> 06:54.000
So that means that you can upgrade your DNS server,

06:54.000 --> 06:55.000
Which you should be doing.

06:55.000 --> 06:58.000
That you can make changes to your infrastructure.

06:58.000 --> 07:01.000
And nobody will yell at you for messing up with DNS.

07:01.000 --> 07:04.000
So that's kind of cool.

07:04.000 --> 07:07.000
And again, it works for both containers and nodes.

07:07.000 --> 07:10.000
So that means that you can take the

07:10.000 --> 07:12.000
container that is serving DNS down,

07:12.000 --> 07:13.000
or the whole node

07:13.000 --> 07:14.000
serving,

07:14.000 --> 07:16.000
hosting the container that serves the DNS, down,

07:16.000 --> 07:18.000
and nobody should notice.

07:18.000 --> 07:21.000
The second thing that I really like is GitOps for free.

07:21.000 --> 07:25.000
If you are not in the cloud native Kubernetes scene.

07:25.000 --> 07:28.000
GitOps means that you put your stuff in Git,

07:28.000 --> 07:32.000
and you have something that makes what is in Git a reality.

07:32.000 --> 07:36.000
So this means that the config files for your services.

07:36.000 --> 07:38.000
In this case for the DNS services.

07:38.000 --> 07:40.000
How they interconnect.

07:40.000 --> 07:41.000
How they relate to each other.

07:41.000 --> 07:44.000
That will be versioned as text in Git.

07:44.000 --> 07:45.000
That is amazing.

07:45.000 --> 07:46.000
That is priceless.

07:46.000 --> 07:48.000
Like, did you make a mistake?

07:48.000 --> 07:49.000
Oh.

07:50.000 --> 07:52.000
I will think about the mistake later,

07:52.000 --> 07:55.000
but DNS will be up again very soon.

07:55.000 --> 07:59.000
That means that it is kind of self-documenting also.

07:59.000 --> 08:03.000
So if you forget, and if you make a setup that's over-engineered like this,

08:03.000 --> 08:04.000
you will forget.

08:04.000 --> 08:05.000
At least I have forgotten.

08:05.000 --> 08:07.000
Then you just go to the Git repo.

08:07.000 --> 08:08.000
You see the config files.

08:08.000 --> 08:09.000
They point to each other.

08:09.000 --> 08:10.000
It is so nice.

08:10.000 --> 08:11.000
Observability.

08:11.000 --> 08:16.000
That's what the only of the pronouns stands for.

08:16.000 --> 08:19.000
And Kubernetes is very friendly.

08:19.000 --> 08:22.000
You just drop an annotation here and an exporter there,

08:22.000 --> 08:24.000
and you have metrics.

08:24.000 --> 08:26.000
And most importantly, it was already there.

08:26.000 --> 08:31.000
Like, to answer, every time I talk about doing something with Kubernetes,

08:31.000 --> 08:35.000
people ask me, should I set up Kubernetes for this?

08:35.000 --> 08:36.000
No.

08:36.000 --> 08:37.000
You should not.

08:37.000 --> 08:41.000
It is too much effort to set up a whole Kubernetes cluster for one thing.

08:41.000 --> 08:44.000
But if you have many things.

08:44.000 --> 08:46.000
Like maybe too much for one.

08:46.000 --> 08:47.000
Maybe too much for two.

08:47.000 --> 08:48.000
For three.

08:48.000 --> 08:49.000
Still too much.

08:49.000 --> 08:51.000
You have ten things.

08:51.000 --> 08:53.000
I would recommend you to start thinking about it.

08:53.000 --> 08:55.000
Because then you will start having everything in it,

08:55.000 --> 08:57.000
everything managed the same way.

08:57.000 --> 09:00.000
So if it is already there, why not use it?

09:00.000 --> 09:01.000
Okay.

09:01.000 --> 09:04.000
How does Kubernetes help us in the technical gory detail?

09:04.000 --> 09:07.000
So there is this thing called MetalLB, which I really love.

09:07.000 --> 09:09.000
This is like an amazing project.

09:09.000 --> 09:13.000
It's like, I mean, 25% of what makes Kubernetes great for me is this thing.

09:13.000 --> 09:16.000
MetalLB is layer 3 failover.

09:16.000 --> 09:21.000
And that's what is going to be unlocking our reliability here.

09:21.000 --> 09:23.000
And also high availability.

09:23.000 --> 09:24.000
How does it work?

09:24.000 --> 09:27.000
MetalLB is some sort of ARP proxy.

09:27.000 --> 09:30.000
ARP is like DNS for IP addresses.

09:30.000 --> 09:32.000
If that makes sense.

09:32.000 --> 09:36.000
So what this does is that when the client asks our DNS server,

09:36.000 --> 09:39.000
which we configured to be at address 10.15,

09:39.000 --> 09:43.000
which computer, which MAC address is 10.15,

09:43.000 --> 09:47.000
the nodes that have DNS pods will gossip between each other.

09:47.000 --> 09:53.000
and sort of agree on which one is going to be 10.15 for the next period of time.

09:53.000 --> 09:57.000
So one of them will say, hey, I am 10.15 for sure.

09:57.000 --> 10:00.000
So then the client will say, okay, can you resolve this name for me?

10:00.000 --> 10:04.000
And the node with the pod that has a DNS server will say, hey, here you go.

10:04.000 --> 10:08.000
If this node goes away, if this pod goes away from the node,

10:08.000 --> 10:10.000
then MetalLB will notice.

10:10.000 --> 10:14.000
And the next time somebody asks for 10.15, it will be a different node

10:14.000 --> 10:15.000
answering.

10:15.000 --> 10:18.000
So that's how you get this failover and high availability.

10:18.000 --> 10:22.000
And this is how you upgrade the machine without breaking DNS for everybody,

10:22.000 --> 10:25.000
which is quite amazing.

10:25.000 --> 10:28.000
Okay, more stuff.

10:28.000 --> 10:31.000
I could pause and do some demos here and there,

10:31.000 --> 10:34.000
but I'm not sure how well we'll be doing with time.

10:34.000 --> 10:38.000
So if there is time, we can play with the terminal in the end.

10:38.000 --> 10:41.000
Let's talk about something else for now.

10:41.000 --> 10:45.000
So we got this, we got MetalLB to do the high availability

10:45.000 --> 10:47.000
and failover for us.

10:47.000 --> 10:49.000
So what about DHCP?

10:49.000 --> 10:53.000
So DHCP and DNS are sort of related,

10:53.000 --> 10:54.000
if you want them to be.

10:54.000 --> 11:00.000
The cool thing about relating them is that then,

11:00.000 --> 11:03.000
when a host connects to the network and says, hey,

11:03.000 --> 11:06.000
I am, I don't know, TC1, whatever.

11:06.000 --> 11:08.000
then the DHCP server can remember that.

11:08.000 --> 11:12.000
And then when you ask the DHCP server, if it also does DNS,

11:12.000 --> 11:14.000
okay, who is TC1?

11:14.000 --> 11:16.000
the DHCP server will remember and say, hey,

11:16.000 --> 11:19.000
TC1 is on this dynamically, like,

11:19.000 --> 11:23.000
in this address from the DHCP pool, which I gave to TC1.

11:23.000 --> 11:25.000
So that's kind of nice.

11:25.000 --> 11:30.000
And dnsmasq, which we will be talking extensively about today,

11:30.000 --> 11:31.000
does this for you.

11:31.000 --> 11:33.000
And I thought, okay, why not?

11:33.000 --> 11:36.000
I need a DHCP server, and I already know dnsmasq.

11:36.000 --> 11:39.000
So it also does DNS for me, why not?

11:39.000 --> 11:42.000
There are some papercuts, I'm not doing that good on time,

11:42.000 --> 11:44.000
so, well, doesn't matter.

11:44.000 --> 11:49.000
dnscrypt-proxy is my third tool in this tool belt.

11:49.000 --> 11:51.000
I think it is very nice software.

11:51.000 --> 11:54.000
DNS privacy. dnscrypt-proxy is going to solve

11:54.000 --> 11:59.000
our privacy concerns, our conflicting relationship

11:59.000 --> 12:02.000
with our ISP.

12:02.000 --> 12:05.000
dnscrypt-proxy presents itself as a DNS server,

12:05.000 --> 12:08.000
so you can ask DNS questions to it on port 53,

12:08.000 --> 12:09.000
very normal.

12:09.000 --> 12:11.000
It can be in resolv.conf.

12:11.000 --> 12:13.000
No, nothing client-specific is needed,

12:13.000 --> 12:16.000
unlike, for example, DoH,

12:16.000 --> 12:18.000
DNS over HTTPS.

12:18.000 --> 12:22.000
But on the other side of that port 53 facade

12:22.000 --> 12:26.000
is going to be quite complex machinery

12:26.000 --> 12:31.000
that fetches a list of well-known groups.

12:31.000 --> 12:34.000
That fetches a list of well-known resolvers

12:34.000 --> 12:37.000
that do use DNSCrypt and will proxy stuff,

12:37.000 --> 12:38.000
will proxy your queries to them.

12:38.000 --> 12:39.000
And it is quite smart.

12:39.000 --> 12:41.000
It will try many of them.

12:41.000 --> 12:43.000
It will sort them by latency,

12:43.000 --> 12:48.000
and it will favor the ones that are closer to you.

12:48.000 --> 12:50.000
So it is kind of self-balancing.

12:50.000 --> 12:54.000
This list of upstream resolvers is also self-refreshing.

12:54.000 --> 12:56.000
This lives in GitHub.

12:56.000 --> 12:59.000
It is signed with a known public key

12:59.000 --> 13:02.000
by the author, so it is quite nice.

13:02.000 --> 13:06.000
This is like a good strong contributor to DNS being fast

13:06.000 --> 13:10.000
and definitely the key thing that makes it secure.

13:10.000 --> 13:14.000
It also does DNS over HTTPS, by the way, in this list.

13:14.000 --> 13:17.000
I'm actually unsure if that ends up in the real world being faster

13:17.000 --> 13:18.000
than DNSCrypt.

13:18.000 --> 13:19.000
I have no idea.

13:19.000 --> 13:23.000
But for our purposes, as a client, it does not matter.

13:23.000 --> 13:26.000
As long as it is simply.

13:26.000 --> 13:27.000
Okay.

13:27.000 --> 13:28.000
Final tool in our tool belt.

13:28.000 --> 13:31.000
When I mentioned in my wish list that I wanted this to be

13:31.000 --> 13:36.000
flexible and to connect to other servers,

13:36.000 --> 13:38.000
you know, I have a Kubernetes cluster.

13:38.000 --> 13:41.000
And in that Kubernetes cluster, there are some services

13:41.000 --> 13:43.000
that I want to be able to reach from the outside.

13:43.000 --> 13:45.000
As it usually happens.

13:45.000 --> 13:46.000
Right?

13:46.000 --> 13:49.000
Those services in that Kubernetes cluster have hostnames,

13:49.000 --> 13:51.000
and it will be quite nice.

13:52.000 --> 13:57.000
for me to not have to replicate the hostnames that are on my Kubernetes cluster

13:57.000 --> 14:00.000
to the DNS server that is outside, by hand.

14:00.000 --> 14:01.000
Right?

14:01.000 --> 14:04.000
So there is this project, which I co-authored, called state...

14:04.000 --> 14:06.000
there is an S missing here.

14:06.000 --> 14:09.000
Stateless DNS, which is like a Helm chart.

14:09.000 --> 14:11.000
If you know Kubernetes, you know what this is.

14:11.000 --> 14:12.000
If you don't know, doesn't matter.

14:12.000 --> 14:15.000
It's like a package that bundles these two things together.

14:15.000 --> 14:19.000
external-dns is a tool that will connect to your Kubernetes cluster,

14:19.000 --> 14:24.000
look at what hostnames your Kubernetes cluster is exposing,

14:24.000 --> 14:27.000
and then will register those somewhere else.

14:27.000 --> 14:29.000
This somewhere else is PowerDNS.

14:29.000 --> 14:33.000
So in this package, PowerDNS is included as a small,

14:33.000 --> 14:36.000
you know, sidecar, like it is, it isn't that.

14:36.000 --> 14:40.000
And it configures both things so that external-dns looks at your Kubernetes cluster,

14:40.000 --> 14:43.000
says, okay, the hostnames that I need to expose are this, this,

14:43.000 --> 14:46.000
and this, and registers them in PowerDNS, right?

14:46.000 --> 14:51.000
So then this PowerDNS inside your cluster automatically is able to resolve the hostnames

14:51.000 --> 14:55.000
that your cluster exposes to the outside, which is pretty nice.

14:55.000 --> 14:57.000
And then we will tie this together.

14:57.000 --> 15:00.000
This is like, if you want to look this up,

15:00.000 --> 15:05.000
this is the GitHub repo where this package, this Helm chart, exists.

15:05.000 --> 15:09.000
Don't, don't ask about the name of the office and inside your,

15:09.000 --> 15:11.000
dot, dot, dot, dot.

15:11.000 --> 15:15.000
Cool, recap, pause, where are we?

15:15.000 --> 15:19.000
So we have MetalLB, we talked about it in the beginning.

15:19.000 --> 15:23.000
It's going to make our whole thing highly available, not pictured here.

15:23.000 --> 15:29.000
We got external-dns, which is via stateless DNS, as we just talked about.

15:29.000 --> 15:33.000
We got dnscrypt-proxy, which is our upstream, and here there are many boxes,

15:33.000 --> 15:37.000
because we're going to want to have like more than one of these.

15:37.000 --> 15:41.000
And we also have dnsmasq DHCP, which is our DHCP server,

15:41.000 --> 15:44.000
and it's also serving names for our local network, right?

15:44.000 --> 15:49.000
So now we should kind of, these are like three very independent name

15:49.000 --> 15:51.000
services that don't know about each other.

15:51.000 --> 15:55.000
So we should kind of mash them together, right?

15:55.000 --> 15:58.000
How are we going to do this? With dnsmasq again.

15:58.000 --> 16:00.000
Because, you know, it's so nice.

16:00.000 --> 16:01.000
I love it so much.

16:01.000 --> 16:04.000
So dnsmasq, you probably know about this.

16:04.000 --> 16:06.000
It has been around for quite a while.

16:06.000 --> 16:11.000
I remember in my uni days, I would pride myself on knowing

16:11.000 --> 16:13.000
the man page of this thing by heart.

16:13.000 --> 16:15.000
It is no longer the case.

16:15.000 --> 16:18.000
I don't think it was ever the case, but nevertheless.

16:18.000 --> 16:20.000
This thing is, it's like so nice.

16:20.000 --> 16:24.000
It is so flexible, it is so efficient, and it can do so many things.

16:24.000 --> 16:27.000
All of them reasonably well, which is rare.

16:27.000 --> 16:29.000
So how does this work?

16:29.000 --> 16:33.000
dnsmasq will be configured to route our queries

16:33.000 --> 16:36.000
to different name servers, right?

16:37.000 --> 16:41.000
We'll see how we do that in the next slide.

16:41.000 --> 16:44.000
It can also be fed deny lists.

16:44.000 --> 16:48.000
That's how we're going to do our blocking of bad hosts.

16:48.000 --> 16:52.000
And then, yeah, again, it can load balance, and it can cache the queries.

16:52.000 --> 16:55.000
So that also contributes towards speed.

16:55.000 --> 16:56.000
Okay.

16:56.000 --> 16:58.000
How does this look?

16:58.000 --> 17:01.000
It's intimidating, like, okay.

17:01.000 --> 17:04.000
So, glossing over this part here,

17:04.000 --> 17:09.000
well, this is like, don't propagate cluster names outside of the cluster.

17:09.000 --> 17:11.000
The cluster will be using dnsmasq as well.

17:11.000 --> 17:14.000
So, this should not go outside, this is local.

17:14.000 --> 17:16.000
This is our routing thing.

17:16.000 --> 17:19.000
And the car here is like the name of my local network.

17:19.000 --> 17:21.000
So, everything that is like, in the car,

17:21.000 --> 17:23.000
the LED goes to the DHCP server.

17:23.000 --> 17:26.000
Everything that is in the terabox.mo domain,

17:26.000 --> 17:30.000
that's like the main domain that services in my cluster use.

17:30.000 --> 17:33.000
Those are external services managed by external-dns.

17:33.000 --> 17:35.000
Those go to 10.14.

17:35.000 --> 17:38.000
This is like the stateless DNS server.

17:38.000 --> 17:40.000
Those are, by the way, MetalLB addresses.

17:40.000 --> 17:42.000
So, these are like load balanced.

17:42.000 --> 17:44.000
Who knows what this is?

17:44.000 --> 17:45.000
Pop quiz.

17:45.000 --> 17:48.000
use-application-dns.net, show of hands.

17:48.000 --> 17:50.000
Who knows what this is?

17:50.000 --> 17:51.000
Nobody.

17:51.000 --> 17:54.000
One person, two, okay, three, four, okay, amazing.

17:54.000 --> 17:56.000
So, this is like a canary domain

17:56.000 --> 17:59.000
that Mozilla made up for this.

17:59.000 --> 18:02.000
If your network rejects this domain,

18:02.000 --> 18:06.000
then Firefox will not default to DNS over HTTPS.

18:06.000 --> 18:07.000
This is quite nice.

18:07.000 --> 18:10.000
Like, if you have an over-engineered DNS network,

18:10.000 --> 18:13.000
you want your clients to use your over-engineered DNS network, right?

18:13.000 --> 18:15.000
It would be a pity to do this work for nothing.

18:15.000 --> 18:17.000
So, if you black hole this domain,

18:17.000 --> 18:20.000
then Firefox will not default to DNS over HTTPS,

18:20.000 --> 18:22.000
which is quite nice.

18:22.000 --> 18:25.000
I don't know how I came across this thing, but I'm glad I did.

18:25.000 --> 18:28.000
Okay, this is like our dnscrypt-

18:28.000 --> 18:31.000
proxy service, our upstream, we want dnsmasq to use it.

18:31.000 --> 18:33.000
If it is not up,

18:33.000 --> 18:35.000
a couple of reasons it may be not up,

18:35.000 --> 18:37.000
then I fall back to $2.9,

18:37.000 --> 18:39.000
and we do it in a strict order.

18:39.000 --> 18:43.000
This is another quite nice thing of dnsmasq.

18:43.000 --> 18:47.000
dnsmasq, by default, doesn't do retries on its own.

18:47.000 --> 18:48.000
It relies on clients.

18:48.000 --> 18:50.000
So, you may have experienced this,

18:50.000 --> 18:53.000
where you query the DNS server, it times out,

18:53.000 --> 18:57.000
and it takes like five seconds for the client to try again.

18:57.000 --> 18:59.000
That's awful, I don't want that.

18:59.000 --> 19:02.000
So, I tell dnsmasq, okay, be slightly impolite

19:02.000 --> 19:04.000
and retry on your own.

19:04.000 --> 19:07.000
We are load balancing this across so many servers,

19:07.000 --> 19:09.000
so hopefully operators won't hate me for this.

19:09.000 --> 19:12.000
And then we have some caching and whatnot,

19:12.000 --> 19:16.000
and then we include our block lists,

19:16.000 --> 19:18.000
our bad host lists.

19:18.000 --> 19:22.000
Okay, so there is something missing in this config file.

19:22.000 --> 19:25.000
I'm not challenging, well, before that.

19:25.000 --> 19:27.000
How do we do the ad blocking thing?

19:27.000 --> 19:31.000
So, can dnsmasq, is this built into dnsmasq?

19:31.000 --> 19:34.000
No, it is not, but it doesn't have to be,

19:34.000 --> 19:36.000
because the best configuration language is bash.

19:36.000 --> 19:39.000
So, yes.

19:39.000 --> 19:41.000
Exactly.

19:41.000 --> 19:45.000
So, it doesn't matter if dnsmasq does not support this.

19:45.000 --> 19:47.000
We can coerce it to do it.

19:47.000 --> 19:49.000
So, I have this tiny bash script here,

19:49.000 --> 19:52.000
like it's a four, five liner,

19:52.000 --> 19:56.000
that will fetch this well-known list,

19:56.000 --> 19:58.000
there are many of these things online.

19:58.000 --> 19:59.000
This is just one.

19:59.000 --> 20:01.000
And it will, okay, write this to a file,

20:01.000 --> 20:03.000
and then tell dnsmasq to reload it,

20:03.000 --> 20:05.000
and then if it succeeded, wait for eight hours,

20:05.000 --> 20:07.000
because there is probably no need to refresh that list,

20:07.000 --> 20:09.000
more often than that.

20:09.000 --> 20:10.000
So, there is that.

20:10.000 --> 20:13.000
I mean, it's cool to be able to do stuff like this.

20:13.000 --> 20:15.000
Okay, so in that config file,

20:15.000 --> 20:17.000
there was something missing.

20:17.000 --> 20:20.000
If you are Kubernetes savvy,

20:20.000 --> 20:23.000
you may know that you have a Kubernetes pod.

20:23.000 --> 20:26.000
How does a Kubernetes pod resolve names?

20:26.000 --> 20:28.000
Well, it has a resolv.conf, right?

20:28.000 --> 20:30.000
Where is that resolv.conf coming from?

20:30.000 --> 20:33.000
Well, it comes from the host, right?

20:33.000 --> 20:36.000
But we want the host to use a Kubernetes pod

20:36.000 --> 20:39.000
to resolve hosts, right?

20:39.000 --> 20:44.000
So, if we do not tell dnsmasq to not look at this file,

20:44.000 --> 20:47.000
dnsmasq will try to recurse to itself,

20:47.000 --> 20:49.000
which is not very nice.

20:49.000 --> 20:51.000
And it will be a very different IP address.

20:51.000 --> 20:54.000
So, dnsmasq has no chance to notice this is happening.

20:54.000 --> 20:57.000
And fun things will happen.

20:57.000 --> 21:00.000
So, in that config file, you have to use no-resolv.

21:00.000 --> 21:04.000
So dnsmasq doesn't load resolv.conf automatically.

21:04.000 --> 21:06.000
Fun stuff.

21:06.000 --> 21:09.000
Okay, so this is our full picture again.

21:09.000 --> 21:10.000
Where were we?

21:10.000 --> 21:11.000
We have Kubernetes pods.

21:11.000 --> 21:12.000
They use CoreDNS.

21:12.000 --> 21:13.000
We don't care about this.

21:13.000 --> 21:15.000
CoreDNS will use dnsmasq for DNS.

21:15.000 --> 21:17.000
This is like a load balancing,

21:17.000 --> 21:19.000
caching, ad-blocking thingy.

21:19.000 --> 21:21.000
Many pods, highly available, thanks to,

21:21.000 --> 21:22.000
thanks to MetalLB.

21:22.000 --> 21:24.000
Other hosts will also use this.

21:24.000 --> 21:26.000
We prevent recursion hell

21:26.000 --> 21:28.000
with this magic no-resolv flag.

21:28.000 --> 21:31.000
We also have other devices outside of the network.

21:31.000 --> 21:33.000
Since this is provided by MetalLB,

21:33.000 --> 21:35.000
this IP address is reachable from the world.

21:35.000 --> 21:37.000
Well, outside of Kubernetes.

21:37.000 --> 21:39.000
Which you may argue is the world.

21:39.000 --> 21:42.000
And so all other devices in the network will use this.

21:42.000 --> 21:45.000
And dnsmasq is configured to route things

21:45.000 --> 21:47.000
to different places, right?

21:47.000 --> 21:49.000
So, hopefully that

21:49.000 --> 21:51.000
makes sense and

21:51.000 --> 21:53.000
you can

21:53.000 --> 21:54.000
see how we have fulfilled

21:54.000 --> 21:57.000
the stuff in our wish list.

21:57.000 --> 22:00.000
Now, there is one thing, another elephant in the room,

22:00.000 --> 22:02.000
so to speak, which is,

22:02.000 --> 22:03.000
you, you might wonder,

22:03.000 --> 22:05.000
isn't there, like, a problem here?

22:05.000 --> 22:09.000
If your, if your Kubernetes cluster is using itself

22:09.000 --> 22:11.000
to resolve names.

22:11.000 --> 22:14.000
How do you pull the images, right?

22:14.000 --> 22:16.000
How do you download dnsmasq?

22:16.000 --> 22:19.000
If you depend on dnsmasq to resolve,

22:19.000 --> 22:21.000
you know, docker.io,

22:21.000 --> 22:25.000
or hopefully not, or ghcr.io, or whatever.

22:25.000 --> 22:28.000
Well, is this a problem? Yes.

22:28.000 --> 22:30.000
Does this setup bootstrap cold?

22:30.000 --> 22:31.000
No, absolutely not.

22:31.000 --> 22:34.000
If I wipe everything and create the cluster from scratch,

22:34.000 --> 22:35.000
it will,

22:35.000 --> 22:36.000
not bootstrap.

22:36.000 --> 22:38.000
It will not self heal.

22:38.000 --> 22:40.000
Does it matter?

22:40.000 --> 22:42.000
I would say no, like,

22:43.000 --> 22:45.000
you know, there is no perfect system,

22:45.000 --> 22:47.000
all systems,

22:47.000 --> 22:51.000
every very clever piece of infrastructure

22:51.000 --> 22:52.000
that you try to figure out

22:52.000 --> 22:54.000
will have some problems.

22:54.000 --> 22:57.000
I think that's hardly avoidable.

22:57.000 --> 23:00.000
This thing will not bootstrap,

23:00.000 --> 23:03.000
but this is, like, not a problem for me.

23:03.000 --> 23:05.000
I will say why later.

23:05.000 --> 23:07.000
But first, I've run this setup

23:07.000 --> 23:09.000
in my network for, I think,

23:10.000 --> 23:12.000
three, maybe four years.

23:12.000 --> 23:14.000
This situation, where

23:14.000 --> 23:16.000
the cluster cannot start,

23:16.000 --> 23:18.000
has happened to me once.

23:18.000 --> 23:20.000
As I was telling you,

23:20.000 --> 23:22.000
the number of times that

23:22.000 --> 23:26.000
a less engineered setup than Kubernetes

23:26.000 --> 23:28.000
has failed my network

23:28.000 --> 23:29.000
used to be once a month.

23:29.000 --> 23:32.000
So that's an improvement by my books.

23:32.000 --> 23:36.000
Why is it not a problem often?

23:36.000 --> 23:39.000
Because nodes will cache container images, obviously.

23:39.000 --> 23:41.000
You should use, if you use imagePullPolicy

23:41.000 --> 23:43.000
Always,

23:43.000 --> 23:45.000
you should go to jail.

23:45.000 --> 23:46.000
This is bad.

23:46.000 --> 23:48.000
Don't do this ever.

23:48.000 --> 23:49.000
This is kind of a crime.

23:49.000 --> 23:50.000
Not the good kind,

23:50.000 --> 23:51.000
not the big crime kind,

23:51.000 --> 23:52.000
the bad kind.

23:52.000 --> 23:54.000
Don't do that.

23:54.000 --> 23:58.000
And the redundancy and clever affinity

23:58.000 --> 23:59.000
also help a lot.

23:59.000 --> 24:02.000
So I haven't shown lots of YAML here,

24:02.000 --> 24:04.000
but the key important thing

24:04.000 --> 24:07.000
is that dnsmasq and the dnsmasq proxy

24:07.000 --> 24:09.000
tolerate the control plane,

24:09.000 --> 24:11.000
and at least one replica of this

24:11.000 --> 24:12.000
will be in the control plane.

24:12.000 --> 24:14.000
So that way, if the control plane is up,

24:14.000 --> 24:15.000
at least we have something.

24:15.000 --> 24:17.000
We are functional.

24:17.000 --> 24:19.000
And then everything else can start from there.

24:19.000 --> 24:21.000
And again, yeah,

24:21.000 --> 24:23.000
all nodes will

24:23.000 --> 24:26.000
eventually, as pods move a bit around,

24:26.000 --> 24:28.000
all nodes, or most nodes,

24:28.000 --> 24:30.000
should have a local copy of this image.

24:30.000 --> 24:31.000
So that will be okay.

24:32.000 --> 24:34.000
In the event this is not the case,

24:34.000 --> 24:36.000
well, you get your hands on the keyboard,

24:36.000 --> 24:37.000
you go to a control plane,

24:37.000 --> 24:38.000
you edit resolv.conf,

24:38.000 --> 24:40.000
you put Quad9 in there,

24:40.000 --> 24:42.000
and when everything stabilizes, you revert.

24:42.000 --> 24:44.000
It's not the end of the world.

24:44.000 --> 24:46.000
It takes two minutes.

24:46.000 --> 24:47.000
I promise.

24:47.000 --> 24:49.000
There is this thing I would like to try,

24:49.000 --> 24:51.000
it's called Spiegel, or Spegel, I guess.

24:51.000 --> 24:53.000
It's not the,

24:53.000 --> 24:54.000
not the German word,

24:54.000 --> 24:55.000
it's a Finnish word,

24:55.000 --> 24:57.000
a Swedish word, actually,

24:57.000 --> 25:00.000
which is able to distribute container images across nodes.

25:00.000 --> 25:01.000
In a cluster, this is quite nice.

25:01.000 --> 25:03.000
I don't use it because it doesn't support CRI-O,

25:03.000 --> 25:06.000
but I think it will also help with this.

25:06.000 --> 25:08.000
Okay.

25:08.000 --> 25:10.000
So, takeaways.

25:10.000 --> 25:12.000
What have I learned?

25:12.000 --> 25:13.000
What I think you should

25:13.000 --> 25:15.000
get out of this room with,

25:15.000 --> 25:17.000
within your head.

25:17.000 --> 25:19.000
DNS is very composable.

25:19.000 --> 25:20.000
It is,

25:20.000 --> 25:22.000
it should surprise nobody in this room,

25:22.000 --> 25:24.000
but it is quite a nice protocol.

25:24.000 --> 25:27.000
And you can make cool stuff.

25:27.000 --> 25:29.000
You can compose, you can delegate.

25:29.000 --> 25:30.000
You can segment.

25:30.000 --> 25:33.000
You can, like, divide and conquer your problem.

25:33.000 --> 25:35.000
Without doing complex stuff,

25:35.000 --> 25:37.000
I am scared of...

25:37.000 --> 25:39.000
you don't need...

25:39.000 --> 25:43.000
just delegate names to places.

25:43.000 --> 25:44.000
Quite nice.

25:44.000 --> 25:46.000
Kubernetes is, like, a nice

25:46.000 --> 25:47.000
system if

25:47.000 --> 25:48.000
you already know a bit about it.

25:48.000 --> 25:50.000
If you already have some exposure to it,

25:50.000 --> 25:52.000
I recommend playing with this,

25:52.000 --> 25:53.000
with this cool stuff, like,

25:53.000 --> 25:54.000
high availability and failover.

25:54.000 --> 25:57.000
It's, like, really, again, a game changer.

25:58.000 --> 26:02.000
Self-documented, git-versioned infrastructure is, like, a treasure.

26:02.000 --> 26:05.000
Like, it's, I cannot, when I was like,

26:05.000 --> 26:08.000
22 years old, everything I wrote on a keyboard,

26:08.000 --> 26:09.000
lived forever in my head.

26:09.000 --> 26:10.000
This is no longer the case.

26:10.000 --> 26:11.000
Absolutely, no.

26:11.000 --> 26:14.000
If I had made this thing

26:14.000 --> 26:16.000
and not written it down as YAML,

26:16.000 --> 26:18.000
four months after,

26:18.000 --> 26:19.000
I would remember nothing.

26:19.000 --> 26:21.000
So, having everything in

26:21.000 --> 26:24.000
a... is,

26:24.000 --> 26:25.000
like, really, really nice.

26:25.000 --> 26:27.000
And related to this,

26:27.000 --> 26:30.000
the space that your brain has is finite.

26:30.000 --> 26:33.000
If you are able to reuse knowledge,

26:33.000 --> 26:34.000
that's like a superpower.

26:34.000 --> 26:36.000
Reusing knowledge, for me,

26:36.000 --> 26:37.000
means putting stuff on Kubernetes,

26:37.000 --> 26:39.000
because it is what I already know.

26:39.000 --> 26:43.000
I recommend you figure out how that pattern works for you.

26:43.000 --> 26:44.000
It may not be Kubernetes.

26:44.000 --> 26:45.000
It may be something else,

26:45.000 --> 26:48.000
but if you manage to optimize your brain to

26:48.000 --> 26:51.000
remember the stuff that you can reuse for other things,

26:52.000 --> 26:55.000
that's, like, a recipe for success, in my opinion.

26:55.000 --> 26:56.000
And this is all.

26:56.000 --> 26:57.000
Thank you so much.

26:57.000 --> 26:58.000
Thank you.

26:58.000 --> 27:11.000
Thank you.

