From 82dbc38becfde710edb01146eb68a07bd0085f8b Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Fri, 3 Jan 2025 01:37:49 +0800
Subject: [PATCH] fix(k8s-gateway): use DoT upstreams

FortiGate had bad DNS server, which created a loop of k8sgw hitting FGT, failing, then falling back to CF, and since DNS sessions are not NPU accelerated by FGT 40F's NPU6XLITE, 50k UDP/53 CPU sessions were open
---
 .../core/dns/internal/k8s-gateway/app/hr.yaml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml b/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml
index bef6da98..3a178c21 100644
--- a/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml
+++ b/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml
@@ -40,26 +40,26 @@ spec:
 # Serves a /metrics endpoint on :9153, required for serviceMonitor
 - name: prometheus
 parameters: 0.0.0.0:9153
- - &forward
+ - &forward # DNS chain if NXDOMAIN: Blocky (optional) --> FortiGate recursive DNS server --> k8s-gateway --> Cloudflare, DoT used because FortiGate 40F's NPU6XLITE doesn't offload UDP/53 plaintext DNS records
 name: forward
- parameters: "${DNS_SHORT} ${UPSTREAM}"
- configBlock: "policy sequential"
+ parameters: "${DNS_SHORT} tls://1.1.1.1 tls://1.0.0.1"
+ configBlock: "tls_servername one.one.one.one"
 - <<: *forward
- parameters: "${DNS_MAIN} ${UPSTREAM}"
+ parameters: "${DNS_MAIN} tls://1.1.1.1 tls://1.0.0.1"
 - <<: *forward
- parameters: "${DNS_VPN} ${UPSTREAM}"
+ parameters: "${DNS_VPN} tls://1.1.1.1 tls://1.0.0.1"
 - <<: *forward
- parameters: "${DNS_STREAM} ${UPSTREAM}"
+ parameters: "${DNS_STREAM} tls://1.1.1.1 tls://1.0.0.1"
 - <<: *forward
- parameters: "${DNS_ME} ${UPSTREAM}"
+ parameters: "${DNS_ME} tls://1.1.1.1 tls://1.0.0.1"
 - <<: *forward
- parameters: "${DNS_HOME} ${UPSTREAM}"
+ parameters: "${DNS_HOME} tls://1.1.1.1 tls://1.0.0.1"
 - <<: *forward
- parameters: "${DNS_INTERNAL} ${UPSTREAM}"
+ parameters: "${DNS_INTERNAL} tls://1.1.1.1 tls://1.0.0.1"
 - <<: *forward
- parameters: "${DNS_FUNNY} ${UPSTREAM}"
+ parameters: "${DNS_FUNNY} tls://1.1.1.1 tls://1.0.0.1"
 - name: forward
- parameters: ". /etc/resolv.conf"
+ parameters: ". tls://${IP_ROUTER_VLAN_K8S}"
 - name: loop
 - name: reload
 - name: loadbalance
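Review bot: The catch-all entry at the end of the hunk, `- name: forward` with `parameters: ". tls://${IP_ROUTER_VLAN_K8S}"`, is a fresh mapping rather than a `<<: *forward` merge, so it carries no `configBlock` and therefore no `tls_servername`; only the zone entries that merge the `&forward` anchor inherit `tls_servername one.one.one.one`. Forwarding over `tls://` to a bare IP with no server name configured gives CoreDNS nothing to match a hostname certificate against, and depending on the CoreDNS version that either fails every handshake to the router or leaves the upstream certificate unverified, neither of which is what the commit intends. Add `configBlock: "tls_servername <ROUTER_DOT_CERT_NAME>"` under that entry, with the placeholder replaced by the name on the router's DoT certificate (not given on this page), and check that the `loop` plugin still covers the new path since the commit message describes a forwarding loop through the router. The fixed pair `tls://1.1.1.1 tls://1.0.0.1` is now repeated eight times where `${UPSTREAM}` previously kept the upstream in one substitution; keeping a variable for the DoT pair would make a future upstream change a one-line edit.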