From 7a0ca2456f52186a14b91ff10acc676fb098e3cb Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Mon, 4 Jun 2018 13:43:47 -0400 Subject: [PATCH 1/3] Update DNS forwarding docs to include how to use with systemd-resolved --- website/source/docs/guides/forwarding.html.md | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/website/source/docs/guides/forwarding.html.md b/website/source/docs/guides/forwarding.html.md index 99e50981d..1c4478938 100644 --- a/website/source/docs/guides/forwarding.html.md +++ b/website/source/docs/guides/forwarding.html.md @@ -16,7 +16,8 @@ running on an unprivileged port, from another DNS server or port redirect. In this guide, we will demonstrate forwarding from [BIND](https://www.isc.org/downloads/bind/) as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html), -[Unbound](https://www.unbound.net/), and [iptables](http://www.netfilter.org/). +[Unbound](https://www.unbound.net/), +[systemd-resolved](https://www.freedesktop.org/wiki/Software/systemd/resolved/), and [iptables](http://www.netfilter.org/). For the sake of simplicity, BIND and Consul are running on the same machine in this example. For iptables the rules must be set on the same host as the Consul instance and relay hosts should not be on the same host or the redirects will 
@@ -155,6 +156,29 @@ You may have to add the following line to the bottom of your include: "/etc/unbound/unbound.conf.d/*.conf" ``` +### systemd-resolved Setup + +systemd-resolved is typically configured with `/etc/systemd/resolved.conf`. +To configure systemd-resolved to send queries for the consul domain to +Consul, configure resolved.conf to contain the following: + +``` +DNS=127.0.0.1 +Domains=~consul +``` + +The main limitation with this configuration is that the DNS field +cannot contain ports. So for this to work either Consul must be +[configured to listen on port 53](https://www.consul.io/docs/agent/options.html#dns_port) +instead of 8600 or you can use iptables to map port 53 to 8600. +The following iptables commands are sufficient to do the port +mapping. + +``` +[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 +[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 +``` + ### iptables Setup On Linux systems that support it, incoming requests and requests to From ac2bd6bb452a5765a7de41b7c097edb90cbdb1ad Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Mon, 4 Jun 2018 13:56:34 -0400 Subject: [PATCH 2/3] Mention that PTR queries get sent to all resolvers --- website/source/docs/guides/forwarding.html.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/website/source/docs/guides/forwarding.html.md b/website/source/docs/guides/forwarding.html.md index 1c4478938..784d2a903 100644 --- a/website/source/docs/guides/forwarding.html.md +++ b/website/source/docs/guides/forwarding.html.md @@ -179,6 +179,9 @@ mapping. [root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 ``` +Note: With this setup, PTR record queries will still be sent out +to the other configured resolvers in addition to Consul. + ### iptables Setup On Linux systems that support it, incoming requests and requests to 
From cbf27d8c304400612e5369e394151009d839fc0a Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Tue, 5 Jun 2018 10:38:42 -0400 Subject: [PATCH 3/3] Put systemd-resolved in backticks --- website/source/docs/guides/forwarding.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/guides/forwarding.html.md b/website/source/docs/guides/forwarding.html.md index 784d2a903..87824a22f 100644 --- a/website/source/docs/guides/forwarding.html.md +++ b/website/source/docs/guides/forwarding.html.md @@ -158,7 +158,7 @@ include: "/etc/unbound/unbound.conf.d/*.conf" ### systemd-resolved Setup -systemd-resolved is typically configured with `/etc/systemd/resolved.conf`. +`systemd-resolved` is typically configured with `/etc/systemd/resolved.conf`. To configure systemd-resolved to send queries for the consul domain to Consul, configure resolved.conf to contain the following:
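Review bot: In the `### systemd-resolved Setup` hunk of patch 1, the resolved.conf snippet is missing the `[Resolve]` section header; `DNS=` and `Domains=` are only honoured inside that section, so a reader who pastes the two lines verbatim into an otherwise empty file gets no change in behaviour. Suggest showing the fragment as it must appear in the file, e.g. `[Resolve]` / `DNS=127.0.0.1` / `Domains=~consul`, and adding a sentence that `systemd-resolved` must be restarted (or the config reloaded) before the change takes effect. The same hunk should also say that the two `iptables -t nat` REDIRECT rules are not persistent across reboots and need to be saved with the distribution's rule-persistence mechanism, and that because they redirect every port-53 packet addressed to localhost, they will also capture traffic meant for any other resolver listening on 127.0.0.1:53 on that host.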
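Review bot: The "PTR record queries will still be sent out" note added in patch 2 states the effect but not the cause, which a reader needs to decide whether it matters to them: `Domains=~consul` is a routing domain that only covers names under `.consul`, so reverse-lookup names under `in-addr.arpa` and `ip6.arpa` fall outside it and resolved forwards them to the other configured resolvers as well. Suggest adding that one-sentence explanation and spelling out the consequence, namely that reverse lookups of addresses only Consul knows about will be visible to the upstream resolvers, so on hosts where that exposure of internal addresses is a concern the operator should use the `dns_port` / port-53 option described above rather than rely on resolved alone.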
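Review bot: Patch 3 wraps `systemd-resolved` in backticks only on the first sentence of the section; the following sentence ("To configure systemd-resolved to send queries ...") and the `resolved.conf` mention in the same paragraph are left as plain text, and the heading `### systemd-resolved Setup` is likewise unformatted. Suggest applying the backticks consistently within the section (`systemd-resolved`, `resolved.conf`) so the intent of this commit is carried through the whole hunk.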