From 3fdee42986c28ed360972782858a73a8901c37ee Mon Sep 17 00:00:00 2001 From: Quan Tian Date: Tue, 16 Apr 2024 18:09:58 +0800 Subject: [PATCH] Document Pods using FQDN based policies must respect DNS TTL Signed-off-by: Quan Tian --- docs/antrea-network-policy.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md index af036c7e887..3c7de27ad35 100644 --- a/docs/antrea-network-policy.md +++ b/docs/antrea-network-policy.md @@ -1366,6 +1366,13 @@ Antrea will only program datapath rules for actual egress traffic towards these on DNS results. It will not interfere with DNS packets, unless there is a separate policy dropping/rejecting communication between the DNS components and the Pods selected. +Antrea respects the TTL of DNS records, expiring stale IPs that are absent in more recent +records according to their TTL. Therefore, Pods employing FQDN based policies ought to refrain +from caching a DNS record for a duration exceeding its TTL. Otherwise, FQDN based policies may +intermittently fail to function as intended. Typically, the Java virtual machine (JVM) caches +DNS records for a fixed period of time, controlled by `networkaddress.cache.ttl`. In this +case, it’s crucial to set the JVM’s TTL to 0 so that FQDN based policies can work properly. + Note that FQDN based policies do not work for [Service DNS names created by Kubernetes](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) (e.g. `kubernetes.default.svc` or `antrea.kube-system.svc`), except for headless
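Review bot: the new paragraph's reasoning has a gap between "ought to refrain from caching a DNS record for a duration exceeding its TTL" and "it's crucial to set the JVM's TTL to 0": as written, a reader may conclude any small positive value would do. Suggest spelling out why 0 is the only safe value, e.g. "Because `networkaddress.cache.ttl` is a fixed period rather than a per-record TTL, only 0 guarantees the JVM never caches a record longer than its TTL." Two smaller points: "expiring stale IPs that are absent in more recent records according to their TTL" is ambiguous about whose TTL governs the expiry (the stale record's, presumably); and the paragraph says nothing about where `networkaddress.cache.ttl` is set (it is a Java security property, not a plain `-D` system property), so a short pointer would save users a search. Finally, the added lines use curly apostrophes (`it’s`, `JVM’s`) where the surrounding doc uses ASCII; worth normalising.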