Merge pull request #4191 from hashicorp/doc-gh-4155

Add systemd-resolved DNS forwarding guide
Matt Keeler 2018-06-11 10:01:17 -04:00 committed by GitHub
commit 429d2379aa
1 changed files with 28 additions and 1 deletions


@ -16,7 +16,8 @@ running on an unprivileged port, from another DNS server or port redirect.
In this guide, we will demonstrate forwarding from In this guide, we will demonstrate forwarding from
[BIND](https://www.isc.org/downloads/bind/) as well as [BIND](https://www.isc.org/downloads/bind/) as well as
[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html), [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html),
[Unbound](https://www.unbound.net/), and [iptables](http://www.netfilter.org/). [Unbound](https://www.unbound.net/),
[systemd-resolved](https://www.freedesktop.org/wiki/Software/systemd/resolved/), and [iptables](http://www.netfilter.org/).
For the sake of simplicity, BIND and Consul are running on the same machine in For the sake of simplicity, BIND and Consul are running on the same machine in
this example. For iptables the rules must be set on the same host as the Consul this example. For iptables the rules must be set on the same host as the Consul
instance and relay hosts should not be on the same host or the redirects will instance and relay hosts should not be on the same host or the redirects will
@ -155,6 +156,32 @@ You may have to add the following line to the bottom of your
include: "/etc/unbound/unbound.conf.d/*.conf" include: "/etc/unbound/unbound.conf.d/*.conf"
``` ```
### systemd-resolved Setup
`systemd-resolved` is typically configured with `/etc/systemd/resolved.conf`.
To configure systemd-resolved to send queries for the consul domain to
Consul, configure resolved.conf to contain the following:
```
DNS=127.0.0.1
Domains=~consul
```
The main limitation with this configuration is that the DNS field
cannot contain ports. So for this to work either Consul must be
[configured to listen on port 53](https://www.consul.io/docs/agent/options.html#dns_port)
instead of 8600 or you can use iptables to map port 53 to 8600.
The following iptables commands are sufficient to do the port
mapping.
```
[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
```
Note: With this setup, PTR record queries will still be sent out
to the other configured resolvers in addition to Consul.
### iptables Setup ### iptables Setup
On Linux systems that support it, incoming requests and requests to On Linux systems that support it, incoming requests and requests to
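Review bot: the closing note in this hunk ("PTR record queries will still be sent out to the other configured resolvers in addition to Consul") leaves the reader guessing why; the reason is that `Domains=~consul` is a routing-only domain that matches names under `.consul`, while reverse lookups live under `in-addr.arpa`, so suggest wording it as: `Note: Domains=~consul only routes queries for names under .consul to Consul; PTR (reverse) lookups are in in-addr.arpa and will still go to the other configured resolvers.` Two smaller points on the iptables block: the `iptables -t nat -A OUTPUT ... -j REDIRECT --to-ports 8600` rules are runtime-only and vanish on reboot unless saved, so a sentence saying they must be persisted (the "iptables Setup" section that follows is the natural place to cross-reference) would save users a surprise; and the `[root@localhost ~]#` prompts inside the fenced block stop the commands being copied as-is, so drop them to match the prompt-free style of the other code blocks in this guide (for example the `include:` snippet in the Unbound section).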