Add systemd-resolved DNS forwarding guide #4191
Conversation
Seems good assuming that info is all true ;)
systemd-resolved is typically configured with `/etc/systemd/resolved.conf`. | ||
To configure systemd-resolved to send queries for the consul domain to | ||
Consul, configure resolved.conf to contain the following: |
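Review bot: "configure resolved.conf to contain the following" leads into a stanza that is not shown in this region, and the text should say that the resolved.conf change alone is not enough: resolved forwards the `.consul` queries to port 53 on the loopback, so the iptables REDIRECT rules to 8600 that appear later in this diff are a prerequisite, not an optional extra. Also agree with the fence nitpick: `systemd-resolved` and `resolved.conf` read better in backticks.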
nitpick: I'd put `systemd-resolved` in code fences as it reads a bit funny if it's not clearly the name of a binary. Might not be consistent with other docs here I guess...
``` | ||
[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 | ||
[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 | ||
``` |
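Review bot: `-d localhost` is resolved by iptables at the moment the rule is added, so the rule binds to whatever `/etc/hosts` maps the name to at that time (and if the name maps to more than one address, iptables adds one rule per address); writing `-d 127.0.0.1` makes the rule deterministic and matches the loopback-only intent discussed in the review below. Consider also dropping the `[root@localhost ~]#` prompt from the fenced lines so readers can paste them as-is.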
@mkeeler How about using the expanded flags, making it easier to understand.

```
iptables --table nat --append OUTPUT --protocol udp --destination localhost --match udp --dport 53 --jump REDIRECT --to-ports 8600
```

- Also, I'm curious if the `--match` flag is needed?
- Would there be any benefit to adding `--out-interface lo`, to restrict this to the loopback interface?
So all I did was copy two of the necessary iptables rules from the iptables section of the forwarding guide, which use the shortened `-t`, `-A`, `-d` etc.

As for the `--match` and `--out-interface`: `--out-interface` should be redundant as the destination being matched is localhost. Unless you have configured localhost to map to another IP or are doing something very wrong with your routing, this should be adequate to restrict it to the loopback interface. The `-m` flags are definitely needed in order to only forward 53 to 8600 and not all UDP traffic.
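A check for the configuration discussed in this thread, added here as an example and not part of the PR or Consul's code: it parses a resolved.conf stanza and an `iptables-save -t nat` excerpt (both constructed samples; the `DNS=127.0.0.1` / `Domains=~consul` stanza is my assumption of the intended contents, since the PR's own snippet is not visible above) and reports whether the `.consul` routing and both REDIRECT rules are in place.

```python
import shlex
# Constructed /etc/systemd/resolved.conf; the stanza is assumed, not taken from the PR.
RESOLVED_CONF = """\
[Resolve]
DNS=127.0.0.1
Domains=~consul
"""
# Constructed `iptables-save -t nat` excerpt after applying the guide's two rules.
NAT_RULES = """\
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
"""

def parse_resolve_section(text):
    """Return {key: value} for the [Resolve] section of a resolved.conf."""
    section, keys = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Resolve" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys

def redirected_protocols(save_text, port=53, target=8600):
    """Protocols whose loopback traffic to <port> is REDIRECTed to <target>."""
    protos = set()
    for line in save_text.splitlines():
        if line.startswith("-A OUTPUT"):
            args = shlex.split(line)
            opts = dict(zip(args[0::2], args[1::2]))  # every flag here takes one value
            if (opts.get("-d") == "127.0.0.1/32" and opts.get("--dport") == str(port)
                    and opts.get("-j") == "REDIRECT" and opts.get("--to-ports") == str(target)):
                protos.add(opts["-p"])
    return protos

def check_split_dns(conf_text, save_text):
    """Return findings; an empty list means the host matches the guide."""
    findings = []
    keys = parse_resolve_section(conf_text)
    for key, want in (("DNS", "127.0.0.1"), ("Domains", "~consul")):
        if want not in keys.get(key, "").split():
            findings.append(f"resolved.conf: {key}= lacks {want}")
    for proto in sorted({"udp", "tcp"} - redirected_protocols(save_text)):
        findings.append(f"iptables: no REDIRECT 53->8600 for {proto}")
    return findings
```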
Sounds good!
@@ -155,6 +156,32 @@ You may have to add the following line to the bottom of your | |||
include: "/etc/unbound/unbound.conf.d/*.conf" | |||
``` | |||
|
|||
### systemd-resolved Setup |
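Review bot: the new `systemd-resolved Setup` section should state which `/etc/resolv.conf` arrangement it assumes (the file pointing at resolved's stub listener on 127.0.0.53), since the report further down in this thread had to replace `/etc/resolv.conf` with `nameserver 127.0.0.1` / `nameserver 127.0.0.53` before the guide worked; it should also say up front that the REDIRECT rules from the guide's iptables section are a prerequisite for resolved's port-53 queries to reach Consul on 8600.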
Doesn't fully work for me, I also have to

```
sudo rm -rf /etc/resolv.conf
```

change /etc/resolv.conf to

```
nameserver 127.0.0.1
nameserver 127.0.0.53
```

Do you guys have any documentation on how to make reverse lookup queries resolve by external DNS only? After following the guide from this PR, my node is resolving its FQDN by two different name servers, depending which one was picked by systemd-resolved.
Hey @otrapeznikov asking questions on old closed PRs can mean they get lost. I suggest you head over to https://discuss.hashicorp.com/c/consul to ask there and get attention from the Consul community and engineers! Thanks!
Fixes #4155
Added a section to the docs on how to forward DNS queries for the consul domain to Consul using systemd-resolved configuration.