Consul DNS Features on Windows without dnsmasq


Rajinder Singh

Dec 6, 2016, 8:20:48 AM12/6/16
to Consul
We are trying to implement consul on Windows platform. How does one go about making use of Consul DNS on windows without resolve.conf and dnsmasq?
What is the equivalent functionality on windows? Is it adding DNS suffix with PowerShell?
We found acrylic proxy but were unable to get it installed in an automated manner.


Thanks

Wesley Staples

Feb 21, 2017, 9:17:55 AM2/21/17
to Consul
We have a fairly standard Windows Domain setup. We have a number of domain controllers (DC servers) that serve DNS. Normally our workstations are configured to get IP/DNS information from DHCP. There are a couple of different strategies that I employ to override DNS for consul. Both involve a program called “Acrylic DNS Proxy” http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome. It's free and open source. Once acrylic is installed you have to configure windows to use it as a DNS server, which is very easy. The instructions are on their website.

Option #1: Consul does everything
  1. Configure your Consul servers to have your domain controllers as “recursors”. https://www.consul.io/docs/agent/options.html#_recursor
  2. Configure acrylic to use 127.0.0.1 port 8600 as the primary dns server
  3. Done

Option #2: Consul only handles .consul domain
  1. Consul servers do not need to be setup as recursors
  2. Setup acrylic to use 127.0.0.1 port 8600 as the primary dns server
  3. Set the PrimaryServerDomainNameAffinityMask to *.consul
  4. Make sure to set a secondary DNS server (or more) that point at the real DNS servers (domain controllers)
  5. Done

Option #3: Consul is “upstream”
  1. Make no changes to your Consul servers or agents
  2. Do not change windows DNS configuration
  3. Configure your DC DNS servers to forward requests to the .consul domain to the consul servers.

The disadvantage to the last option is that it only supports 1 consul datacenter. It makes it a little more difficult to point things at a development environment. It does have the advantage of not needing a consul agent to work.
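The client-side step the options above share ("configure windows to use it as a DNS server") and the DC-side step of Option #3 expressed in PowerShell, as an added example that is not part of the original post. It assumes Acrylic DNS Proxy is already installed and listening on 127.0.0.1:53, that adapters take their DNS servers from DHCP (so rollback means returning to DHCP), and uses consul.service.consul and example.com purely as probe names; the Consul server IPs passed to the forwarder function are placeholders. One caveat worth knowing for Option #3: a Windows conditional forwarder only sends to port 53, so the Consul servers (or something in front of them) have to answer DNS on 53 rather than Consul's default 8600.

```powershell
# Added example (not from the thread). Client side of Option #1/#2 and the
# DC side of Option #3. Assumptions: Acrylic already listens on 127.0.0.1:53;
# adapters are DHCP-configured (rollback = back to DHCP); probe names are
# placeholders. Set-DnsClientServerAddress needs an elevated session.

function Set-AcrylicAsResolver {
    # Point every active adapter at Acrylic, then prove that both a .consul
    # name and an ordinary name still resolve through the system resolver.
    # If either probe fails, the adapters are returned to DHCP-assigned DNS.
    param(
        [string] $Proxy         = '127.0.0.1',
        [string] $ConsulProbe   = 'consul.service.consul',
        [string] $UpstreamProbe = 'example.com'
    )
    $adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
    foreach ($a in $adapters) {
        Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $Proxy
    }
    Clear-DnsClientCache

    $failed = @()
    foreach ($probe in @($ConsulProbe, $UpstreamProbe)) {
        try {
            # No -Server here on purpose: use the stub resolver exactly as applications do.
            $null = Resolve-DnsName -Name $probe -Type A -DnsOnly -ErrorAction Stop
        } catch {
            $failed += "$probe ($($_.Exception.Message))"
        }
    }
    if ($failed.Count -gt 0) {
        foreach ($a in $adapters) {
            Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ResetServerAddresses
        }
        Clear-DnsClientCache
        throw "Acrylic failed probes: $($failed -join '; '). DNS settings returned to DHCP."
    }
    Write-Host ("DNS now via {0} on: {1}" -f $Proxy, (($adapters | ForEach-Object Name) -join ', '))
}

function Add-ConsulConditionalForwarder {
    # Option #3, run on a DNS-hosting domain controller (DnsServer module).
    # Windows forwarders only talk to port 53, so the Consul servers must
    # answer DNS there (Consul's default is 8600).
    param(
        [Parameter(Mandatory)] [string[]] $ConsulServers,   # placeholder IPs, e.g. '10.0.0.10','10.0.0.11'
        [string] $ReplicationScope = 'Forest'               # store in AD so every DC picks it up
    )
    if (Get-DnsServerZone -Name 'consul' -ErrorAction SilentlyContinue) {
        Write-Host 'conditional forwarder for consul already exists'
        return
    }
    Add-DnsServerConditionalForwarderZone -Name 'consul' -MasterServers $ConsulServers `
        -ReplicationScope $ReplicationScope -PassThru
}

# Usage (elevated): Set-AcrylicAsResolver            on the workstation/agent host
#                   Add-ConsulConditionalForwarder   on a DC, with your Consul server IPs
```

Probing through the stub resolver rather than with `-Server 127.0.0.1` is deliberate: a query sent straight to Acrylic can succeed while Windows still never uses it, which is exactly the failure mode that is hardest to see from the Acrylic side.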

Wesley Staples

Feb 21, 2017, 9:21:34 AM2/21/17
to Consul
We installed acrylic with a silent installer. I'm trying to find the documents we had.

Rajinder Singh

Feb 21, 2017, 9:31:13 AM2/21/17
to Consul
Wesley,

Thanks for sharing this information. This is very timely as I am about to set up Consul on AWS and Azure on 2 different windows environments.
In AWS and Azure our windows servers are not domain joined so we are relying on AWS and Azure provided DNS inside the VPC/VNET.
We don't use AWS private hosted DNS yet.

So option 1 or 2 may be more appropriate for us. I am leaning towards option 1.

Let me know if you see any problems with this.

Wesley Staples

Feb 21, 2017, 9:43:53 AM2/21/17
to Consul
That seems like it should work fine. I couldn't find my notes, but the acrylic install went something like:

rem the /S is for silent install
Acrylic.exe /S

rem cd into acrylics install dir
cd "C:\Program Files (x86)\Acrylic DNS Proxy"

rem stop acrylic
AcrylicController StopAcrylicServiceSilently

rem make a backup of the original config
copy AcrylicConfiguration.ini AcrylicConfiguration.bak

rem replace the config with your template
copy c:\path\to\MyAcrylicConfiguration.ini AcrylicConfiguration.ini

rem start acrylic
AcrylicController StartAcrylicServiceSilently

Rajinder Singh

Mar 8, 2017, 4:02:46 PM3/8/17
to Consul
Wesley,

We went with option 2. Your instructions for Acrylic install worked for us.

Consul agent is running
Vault is running as well
Acrylic is running.
Here is our Acrylic config

[GlobalSection]
PrimaryServerAddress=127.0.0.1
PrimaryServerPort=8600
PrimaryServerProtocol=UDP
PrimaryServerDomainNameAffinityMask=*.consul
IgnoreNegativeResponsesFromPrimaryServer=No
SecondaryServerAddress=10.227.0.2
SecondaryServerPort=53
SecondaryServerProtocol=UDP
IgnoreNegativeResponsesFromSecondaryServer=No
AddressCacheDisabled=Yes
LocalIPv4BindingAddress=0.0.0.0
LocalIPv4BindingPort=53
LocalIPv6BindingAddress=0:0:0:0:0:0:0:0
LocalIPv6BindingPort=53
LocalIPv6BindingEnabledOnWindowsVersionsPriorToWindowsVistaOrWindowsServer2008=No
GeneratedResponseTimeToLive=60
[AllowedAddressesSection]
[CacheExceptionsSection]
[WhiteExceptionsSection]
HitLogFileName=HitLog.%DATE%.txt
HitLogFileWhat=BHCFRU


10.227.0.2 is the IP address for the AWS DNS Server for our VPC.

We did not change Acrylichosts.txt
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain

C:\dig>dig @127.0.0.1 -p 8600 vault.service.consul. ANY

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 -p 8600 vault.service.consul. ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61820
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;vault.service.consul.          IN      ANY

;; ANSWER SECTION:
vault.service.consul.   0       IN      A       10.227.4.14
vault.service.consul.   0       IN      A       10.227.132.224

;; Query time: 2 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Wed Mar 08 19:20:11 Coordinated Universal Time 2017
;; MSG SIZE  rcvd: 70

These IP addresses look correct to me. So vault service did register correctly with Consul.


However, if I just try to access vault with vault.service.consul it does not resolve.

For example I tried to initialize vault

$resp = Invoke-RestMethod -Method Put -Body $json -Uri "https://vault.service.consul:8200/v1/sys/init" -OutFile "C:\Windows\Temp\vault.init"


I got an error: "The remote name could not be resolved: 'vault.service.consul'"


consul.service.consul also does not resolve.

I turned on debug logging but I did not see anything useful.
I turned on HitLogfile for acrylic but nothing is logged even after I restart the acrylic service.
AcrylicCache.txt file stays empty no matter which web pages I access.

Acrylic service is running without errors as far as I can tell.

This is the only issue left for us to get our environment running.
I would appreciate any suggestions you have.

Thanks
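A hop-by-hop check of the Option #2 chain described in this post, as an added example that is not part of the thread. The dig output above proves Consul answers on 8600; the empty Acrylic hit log suggests Acrylic is never asked; and Invoke-RestMethod uses the Windows stub resolver. The script separates those three stages. It assumes Consul DNS on 127.0.0.1:8600, Acrylic on 127.0.0.1:53, vault.service.consul from the thread, and example.com as a name Acrylic must forward to its secondary server. Because Resolve-DnsName cannot target a non-standard port, the query to 8600 is built by hand as a minimal RFC 1035 A query.

```powershell
# Added example (not from the thread): probe each hop of the Option #2
# resolution chain on the Windows host and report where it breaks.
# Assumptions: Consul DNS at 127.0.0.1:8600, Acrylic at 127.0.0.1:53,
# 'vault.service.consul' from the thread, 'example.com' as an upstream probe.

function Skip-DnsName {
    # Advance past a NAME field: labels, a compression pointer, or labels then a pointer.
    param([byte[]] $Buf, [int] $Pos)
    while ($true) {
        $len = $Buf[$Pos]
        if (($len -band 0xC0) -eq 0xC0) { return $Pos + 2 }   # pointer ends the name
        if ($len -eq 0) { return $Pos + 1 }                   # root label
        $Pos += $len + 1
    }
}

function Send-DnsAQuery {
    # Minimal RFC 1035 A query over UDP, so that a non-53 port (Consul's 8600) can be asked.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 53,
        [int] $TimeoutMs = 2000
    )
    $id = Get-Random -Minimum 1 -Maximum 65535
    $packet = New-Object System.Collections.Generic.List[byte]
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $packet.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $packet.Add([byte]$bytes.Length)
        $packet.AddRange($bytes)
    }
    $packet.AddRange([byte[]]@(0, 0x00, 0x01, 0x00, 0x01))   # root label, QTYPE A, QCLASS IN
    $bytesOut = $packet.ToArray()

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($bytesOut, $bytesOut.Length)
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
    } catch {
        return [pscustomobject]@{ Ok = $false; Rcode = $null; Addresses = @(); Error = "no reply from ${Server}:${Port}" }
    } finally { $udp.Close() }

    if ($resp.Length -lt 12 -or ((([int]$resp[0]) -shl 8) -bor $resp[1]) -ne $id) {
        return [pscustomobject]@{ Ok = $false; Rcode = $null; Addresses = @(); Error = 'mismatched transaction id' }
    }
    $rcode   = $resp[3] -band 0x0F
    $ancount = (([int]$resp[6]) -shl 8) -bor $resp[7]
    $pos = Skip-DnsName -Buf $resp -Pos 12
    $pos += 4                                               # QTYPE + QCLASS of the question
    $addresses = @()
    for ($i = 0; $i -lt $ancount; $i++) {
        $pos   = Skip-DnsName -Buf $resp -Pos $pos
        $type  = (([int]$resp[$pos]) -shl 8) -bor $resp[$pos + 1]
        $rdlen = (([int]$resp[$pos + 8]) -shl 8) -bor $resp[$pos + 9]
        $pos  += 10                                         # TYPE, CLASS, TTL, RDLENGTH
        if ($type -eq 1 -and $rdlen -eq 4) {
            $addresses += ($resp[$pos..($pos + 3)] -join '.')
        }
        $pos += $rdlen
    }
    [pscustomobject]@{ Ok = ($rcode -eq 0 -and $addresses.Count -gt 0); Rcode = $rcode; Addresses = $addresses; Error = $null }
}

function Test-ConsulResolutionChain {
    param([string] $ConsulName = 'vault.service.consul', [string] $UpstreamName = 'example.com')
    $steps = [ordered]@{
        '1 consul 127.0.0.1:8600'           = Send-DnsAQuery -Name $ConsulName   -Server '127.0.0.1' -Port 8600
        '2 acrylic 127.0.0.1:53 (.consul)'  = Send-DnsAQuery -Name $ConsulName   -Server '127.0.0.1' -Port 53
        '3 acrylic 127.0.0.1:53 (upstream)' = Send-DnsAQuery -Name $UpstreamName -Server '127.0.0.1' -Port 53
    }
    foreach ($k in $steps.Keys) {
        $r = $steps[$k]
        if ($r.Ok) { Write-Host ("OK   {0}: {1}" -f $k, ($r.Addresses -join ', ')) }
        else       { Write-Warning ("FAIL {0}: rcode={1} {2}" -f $k, $r.Rcode, $r.Error) }
    }
    # 4: what each adapter is configured to ask. If 127.0.0.1 is not first on
    # every active adapter, Windows never sends the query to Acrylic, which
    # is consistent with an empty Acrylic hit log.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { Write-Host ("     adapter {0}: {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')) }
    # 5: the stub resolver path, which is what Invoke-RestMethod uses.
    try {
        $a = Resolve-DnsName -Name $ConsulName -Type A -DnsOnly -ErrorAction Stop | Where-Object Type -eq 'A'
        Write-Host ("OK   5 system resolver: {0}" -f (($a | ForEach-Object IPAddress) -join ', '))
    } catch { Write-Warning ("FAIL 5 system resolver: {0}" -f $_.Exception.Message) }
    return $steps
}

Test-ConsulResolutionChain | Out-Null
```

Reading the result: steps 1 and 2 passing while step 5 fails means Acrylic works but Windows is not using it, so step 4's adapter list is where to look; step 2 failing while step 1 passes points at the Acrylic configuration (binding address, affinity mask, or the service not actually listening on 53); step 3 failing means the secondary server setting is not forwarding ordinary names.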