Consul DNS queries


Jonathan Duncan

Jan 19, 2018, 7:59:03 PM
to Consul
Perhaps this is more of a question about how to correctly use network tools on macOS than about Consul DNS. But I think that Consul DNS is nuanced enough that this should probably be the place to get an answer.

I am trying to set up the dev machines in my office so that we can make DNS requests from our dev machines (macOS) to our Consul clusters. Our dev machines are not running any Consul agents.


I set up a domain file at: /etc/resolver/consul

The contents of that file look like this:

nameserver 171.21.1.11
nameserver 171.21.1.12
nameserver 171.21.2.11
nameserver 171.21.2.12
port 8600

There are entries for each server in each cluster. We have multiple datacenters with a cluster in each.

Here are some queries that work:

dig @172.28.1.11 -p 8600 public.SERVICENAME.service.DATACENTERNAME.consul  => success
dig @172.28.1.11 -p 8600 public.SERVICENAME.service.consul  => success

ping SERVICENAME.service.consul  => success
ping TAG.SERVICENAME.service.consul  => success
ping SERVICENAME  => works with "service.consul" in the search-domain

Here are queries that do not work:

nslookup public.liveaddress-us-street-api.service.linode-dallas.consul  => NXDOMAIN
nslookup liveaddress-us-street-api.service.linode-dallas.consul  => NXDOMAIN
nslookup liveaddress-us-street-api.service.consul  => NXDOMAIN

dig SERVICENAME.service.consul  => NXDOMAIN
dig SERVICENAME.service.DATACENTER.consul  => NXDOMAIN

host service.consul  => NXDOMAIN
host SERVICENAME.service.consul  => NXDOMAIN
host SERVICENAME.service.DATACENTER.consul  => NXDOMAIN

What am I doing wrong with these?

It appears that I can dig when I specify a server and a port, but then why even have the /etc/resolver/consul file?

I am open to any tips or directions.

Thank you.

Jonathan Duncan

Jan 25, 2018, 1:05:50 PM
to Consul
Anyone out there do network queries to the .consul domain on the command line? I doubt I am the only one. Though I admit the high likelihood that I am holding it wrong. :)

The results of "scutil --dns" are:

resolver #8
  domain   : consul
  nameserver[0] : 171.21.1.11
  nameserver[1] : 171.21.1.12
  nameserver[2] : 171.21.2.11
  port     : 8600
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

I suppose instead of trying to use standard network tools I could just run a consul agent on my dev box and do catalog queries.

Jonathan Duncan

Jan 26, 2018, 2:18:33 PM
to Consul
I was just reading in "man 5 resolver" and came across this under the "nameserver" definition: "Up to MAXNS (currently 3) name servers may be listed". I guess the 12 name servers I have listed (each consul server in all data centers) are probably not being used. Instead of having just one file for all of them ("/etc/resolver/consul"), I could split them into datacenters, e.g. "/etc/resolver/dc1.consul". But then I would need to specify the datacenter each time. I really just want to access all servers with the "consul" name.

Jonathan Duncan

Jan 26, 2018, 4:36:09 PM
to Consul
It appears that doing DNS related queries may work best if the "/etc/resolver/consul" file contains only "nameserver 127.0.0.1" and "port 8600". Then have a consul agent running locally to interpret DNS queries that are related to consul. I was hoping I could get away with not running a consul agent locally, but it looks like that is probably the recommended way to do it.

Jonathan Duncan

Jan 26, 2018, 4:42:05 PM
to Consul
Then again, perhaps doing queries on local workstations is not recommended. I could always just remote into a remote node that is running a consul agent and do queries from there. Though it would be handy to have the option to run queries locally as I dev/ops.

George Chilumbu

Jan 30, 2018, 9:16:11 AM
to Consul
If for example you had a service like this:

{
    "services": [
        {
            "name": "db-test",
            "tags": [
                "mysql",
                "reader"
            ],
            "port": 3306,
            "checks": [
                {
                    "script": "/etc/consul.d/scripts/mysql.sh",
                    "interval": "5s"
                }
            ]
        }
    ]
}


You can call the service using the command:

  dig @127.0.0.1 -p 8600 db-test.service.consul


And you should see results like this:

george@db-test-1 [~] [22:05] dig @127.0.0.1 -p 8600 db-test.service.consul

; <<>> DiG 9.9.5-3ubuntu0.14-Ubuntu <<>> @127.0.0.1 -p 8600 db-test.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25452
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;db-test.service.consul. IN A

;; ANSWER SECTION:
db-test.service.consul. 0 IN A 10.19.3.206

;; Query time: 8 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Tue Jan 30 22:05:49 CST 2018
;; MSG SIZE  rcvd: 67

george@db-test-1 [~] [22:05]


Check out this consul setup and DNS query tutorial here

James Phillips

Feb 5, 2018, 3:17:51 PM
to consu...@googlegroups.com
I'm definitely not well-versed in macOS DNS but if you could run
something like dnsmasq locally you could use that to send .consul
lookups to your consul servers and then send everything else off to
your corp DNS. That would be easier than running the Consul agent
locally on your dev machines -
https://www.consul.io/docs/guides/forwarding.html#dnsmasq-setup. Hope
that helps!

Om

Feb 22, 2018, 10:45:22 AM
to Consul
Hi Jonathan,
As James stated in the other post, using DNSMASQ is a potential option.

A couple of things to try:
  • Install DNSMASQ on Mac
  • Add the consul servers to the /etc/dnsmasq.d/10-consul.conf file like this (#make sure there is no firewall preventing access to the consul servers for UDP on port 8600)
    • server=/consul/remoteconsulserverip1#8600
    • server=/consul/remoteconsulserverip2#8600
    • server=/consul/remoteconsulserverip3#8600
    • server=/consul/remoteconsulserverip4#8600
  • Add an entry to the /etc/resolv.conf file as the first nameserver
    • nameserver = 127.0.0.1  (#this is to invoke the DNSMASQ daemon first to do DNS resolution)
  • Start DNSMASQ
    • By default this will execute DNS queries in sequence against the servers one by one, as listed in the dnsmasq conf file.
    • You can also start the DNSMASQ agent with the --all-servers option, so it fires the queries to all the servers in the file and will consider the first response.
With this, when you dig service-name.service.consul it hits your remote consul server and gets you a response.

Hopefully it helps.
Om.
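To check from a workstation which Consul servers actually answer on UDP/8600 (the firewall point above) without going through macOS's /etc/resolver path at all, here is a small stand-alone resolver, added as an example and not code from this thread or from Consul or dnsmasq: it encodes an A query for a .consul name, sends it to each server in turn the way dnsmasq does by default, and decodes the reply; the server IPs in the usage line are placeholders.

```python
import socket
import struct

CONSUL_DNS_PORT = 8600  # Consul's default DNS port, as used throughout the thread


def build_a_query(name, txn_id=0x1234):
    """Encode a plain DNS A/IN query for `name`, e.g. db-test.service.consul."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(buf):
    """Return (rcode, [IPv4 strings]) from a raw DNS response; rcode 3 is NXDOMAIN."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def resolve_consul(name, servers, port=CONSUL_DNS_PORT, timeout=1.0):
    """Ask each Consul server in order; a server that times out (e.g. UDP/8600
    blocked by a firewall) is skipped. Returns (rcode, addrs) or None if none answered."""
    query = build_a_query(name)
    for server in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(query, (server, port))
                data, _ = s.recvfrom(4096)
            except OSError:
                continue
            if data[:2] == query[:2]:  # transaction id must match our query
                return parse_a_answers(data)
    return None


if __name__ == "__main__":  # placeholder server IPs; replace with your Consul servers
    print(resolve_consul("db-test.service.consul", ["192.0.2.11", "192.0.2.12"]))
```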