DNS Requests to Port 53 Over TCP Timeout

Hey all! I've been trying to get a pihole pod up and running in my k3s install with Traefik as the ingress controller (installed using the official Helm repo traefik/traefik). So far I've managed to get both the Traefik dashboard up and running, and can access the pihole admin dashboard as well. I can make DNS requests using dig to port 53/udp in pihole:

$ dig +notcp @192.168.86.30 google.com

; <<>> DiG 9.16.1-Ubuntu <<>> +notcp @192.168.86.30 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             62      IN      A       142.250.190.78

;; Query time: 29 msec
;; SERVER: 192.168.86.30#53(192.168.86.30)
;; WHEN: Tue Oct 12 21:56:39 EDT 2021
;; MSG SIZE  rcvd: 55

However, I can't get the same over TCP:

$ dig +tcp @192.168.86.30 google.com

; <<>> DiG 9.16.1-Ubuntu <<>> +tcp @192.168.86.30 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

My k3s services are as such:

apiVersion: v1
kind: Service
metadata:
  name: pihole-web
spec:
  ports:
    - name: http
      port: 8008
      protocol: TCP
      targetPort: 80
  selector:
    app: pihole
---
apiVersion: v1
kind: Service
metadata:
  name: pihole-dns-tcp
spec:
  ports:
    - name: tcp-dns
      port: 5354
      protocol: TCP
      targetPort: 53
  selector:
    app: pihole
---
apiVersion: v1
kind: Service
metadata:
  name: pihole-dns-udp
spec:
  ports:
    - name: udp-dns
      port: 5353
      protocol: UDP
      targetPort: 53
  selector:
    app: pihole

my ingresses are as such:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pihole-ingress
  namespace: pihole
spec:
  rules:
    - http:
        paths:
          - path: /admin
            pathType: Prefix
            backend:
              service:
                name: pihole-web
                port:
                  number: 8008
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: pihole-dns-tcp-ingress
spec:
  entryPoints:
    - tcp-dns
  routes:
    - match: HostSNI(`*`)
      services:
        - name: pihole-dns-tcp
          port: 5354
          weight: 10
          proxyProtocol:
            version: 1
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: pihole-dns-udp-ingress
spec:
  entryPoints:
    - udp-dns
  routes:
    - services:
        - name: pihole-dns-udp
          port: 5353
          weight: 10

and my entry points are defined here:

udp-dns:
  port: 5053
  expose: true
  exposedPort: 53
  protocol: UDP
tcp-dns:
  port: 5054
  expose: true
  exposedPort: 53
  protocol: TCP

The port selections are for my own sanity so I can recognize them when I look at the. I've exec'd into the pods and verified that I can make both TCP and UDP DNS requests to localhost from the pihole pod itself, as well as to the k3s internal IP/port of both the TCP and UDP services, but I can't validate that the TCP ingress works. Is there a configuration I'm missing, or some config problems that I'm running into? Thanks for your help!

Hello @alevan

Thanks for using Traefik.

It seems that the ProxyProtocol that is explicitly configured at the service level is not understood by the service (DNS). Can you please try to remove that attribute and try it once again?

Thank you,
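To make the cause of the timeout concrete, here is an added Python illustration (not code from this thread, Traefik or Pi-hole) of what the `proxyProtocol: version: 1` setting on the IngressRouteTCP does to the bytes a DNS server receives, and why a backend that does not speak PROXY protocol hangs instead of answering. It builds the TCP framing a DNS-over-TCP server expects (a 2-byte big-endian length prefix, RFC 1035 section 4.2.2), then prepends a PROXY v1 line as a proxy would; the client and server addresses and ports in it are constructed sample values. A server that is not PROXY-aware reads the first two bytes, `PR`, as a message length of 20562 and waits for bytes that never come, which is exactly the `connection timed out` dig reported. The `parse_proxy_v1` function shows the other way out: a backend that does understand the header strips it and recovers the real client address. Names and the hypothetical `simulate` helper are assumptions for the example.

```python
import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query for `name` in RFC 1035 wire format (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, 1 question
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def proxy_v1_header(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """PROXY protocol v1 line, as a proxy configured with proxyProtocol version 1 prepends."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def read_tcp_dns_message(stream: bytes):
    """Simulate a DNS server's TCP framing reader on the bytes received so far.

    Returns (status, declared_len, available_len). 'complete' means the first
    message is fully present; 'waiting' means the server would block for more
    bytes, which the client experiences as a timeout.
    """
    if len(stream) < 2:
        return ("waiting", None, len(stream))
    declared = struct.unpack("!H", stream[:2])[0]
    available = len(stream) - 2
    if available >= declared:
        return ("complete", declared, available)
    return ("waiting", declared, available)


def parse_proxy_v1(stream: bytes):
    """Strip a PROXY v1 line the way a PROXY-aware backend would.

    Returns (info, rest); info is None when no PROXY line is present, so the
    caller can fall through to normal DNS framing on `rest`.
    """
    if not stream.startswith(b"PROXY "):
        return (None, stream)
    end = stream.find(b"\r\n")
    if end == -1 or end + 2 > 107:  # v1 lines are at most 107 bytes including CRLF
        raise ValueError("malformed PROXY v1 line")
    fields = stream[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":  # proxy could not determine the client address
        return ({"proto": "UNKNOWN"}, stream[end + 2:])
    info = {
        "proto": fields[1],
        "src_ip": fields[2],
        "dst_ip": fields[3],
        "src_port": int(fields[4]),
        "dst_port": int(fields[5]),
    }
    return (info, stream[end + 2:])


def simulate(with_proxy_header: bool):
    """What a non-PROXY-aware DNS server sees with and without the header (hypothetical helper)."""
    wire = frame_tcp(build_dns_query("google.com"))
    if with_proxy_header:
        # Constructed sample addresses: a LAN client talking to the pihole service IP.
        wire = proxy_v1_header("192.168.86.5", "192.168.86.30", 41234, 53) + wire
    return read_tcp_dns_message(wire)


if __name__ == "__main__":
    print("plain TCP DNS      :", simulate(False))   # complete, 28-byte query
    print("with PROXY v1 line :", simulate(True))    # waiting for 20562 bytes -> timeout
    info, rest = parse_proxy_v1(
        proxy_v1_header("192.168.86.5", "192.168.86.30", 41234, 53)
        + frame_tcp(build_dns_query("google.com"))
    )
    print("PROXY-aware backend:", info, read_tcp_dns_message(rest))
```

The takeaway for the configuration above: enabling `proxyProtocol` on a route only makes sense when the backend is configured to expect the header; otherwise the safer choice is the one in the reply, remove the attribute and let the DNS server see plain framed queries. If preserving the real client IP matters (for Pi-hole's per-client logging, say), that has to be solved on the Kubernetes side, for example with a Service `externalTrafficPolicy` that keeps the source address, rather than with a header the DNS server cannot parse.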

That solved it, thank you very much!
