Add systemd-resolved DNS forwarding guide #4191
Conversation
|
|
||
| systemd-resolved is typically configured with `/etc/systemd/resolved.conf`. | ||
| To configure systemd-resolved to send queries for the consul domain to | ||
| Consul, configure resolved.conf to contain the following: |
There was a problem hiding this comment.
nitpick: I'd put systemd-resolved in code fences as it reads a bit funny if it's not clearly the name of a binary. Might not be consistent with other docs here I guess...
| ``` | ||
| [root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 | ||
| [root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 | ||
| ``` |
There was a problem hiding this comment.
@mkeeler How about using the expanded flags, making it easier to understand.
iptables --table nat --append OUTPUT --protocol udp --destination localhost --match udp --dport 53 --jump REDIRECT --to-ports 8600
- Also, I'm curious if the
--matchflag is needed? - Would there be any benefit to adding
--out-interface lo, to restrict this to the loopback interface?
There was a problem hiding this comment.
So all I did was copy two of the necessary iptables rules from the iptables section of the forwarding guide which use the shortened -t -A -d etc.
As for the --match and --out-interface: --out-interface should be redundant as the destination being matches is localhost. Unless you have configured localhost to map to another IP or are doing something very wrong with your routing this should be adequate to restrict it to the loopback interface. The -m flags are definitely needed in order to only forward 53 to 8600 and not all UDP traffic.
| @@ -155,6 +156,32 @@ You may have to add the following line to the bottom of your | |||
| include: "/etc/unbound/unbound.conf.d/*.conf" | |||
| ``` | |||
|
|
|||
| ### systemd-resolved Setup | |||
There was a problem hiding this comment.
doesn't fully work for me, i also have to
sudo rm -rf /etc/resolv.conf
change /etc/resolv.conf to
nameserver 127.0.0.1
nameserver 127.0.0.53
|
Do you guys have any documentation on how to make resolve reverse lookup queries by external DNS only? After following the guid from this PR, my node is resolving it's FQDN by two different name servers, depending which one was picked by systemd-resolved. |
|
Hey @otrapeznikov asking questions on old closed PRs can mean they get lost. I suggest you head over to https://discuss.hashicorp.com/c/consul to ask there and get attention from the Consul community and engineers! Thanks! |
Fixes #4155
Added a section to the docs on how to forward DNS queries for the consul domain to Consul using systemd-resolved configuration.