Adding more detail about best use case.

This commit is contained in:
fusiondog 2016-06-09 14:29:54 -07:00 committed by GitHub
parent 9c10bd0b23
commit 832eb77103

View file

@ -11,12 +11,13 @@ description: |-
By default, DNS is served from port 53. On most operating systems, this
requires elevated privileges. Instead of running Consul with an administrative
or root account, it is possible to instead forward appropriate queries to Consul,
running on an unprivileged port, from another DNS server.
running on an unprivileged port, from another DNS server or port redirect.
In this guide, we will demonstrate forwarding from [BIND](https://www.isc.org/downloads/bind/)
as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) and [iptables](http://www.netfilter.org/).
For the sake of simplicity, BIND and Consul are running on the same machine in this example,
but this is only required for iptables.
For the sake of simplicity, BIND and Consul are running on the same machine in this example. For iptables the
rules must be set on the same host as the Consul instance and relay hosts should not be on the same host or
the redirects will intercept the traffic.
It is worth mentioning that, by default, Consul does not resolve DNS
records outside the `.consul.` zone unless the
@ -131,7 +132,12 @@ for additional details):
On Linux systems that support it, incoming requests and requests to localhost can use `iptables`
to forward ports on the same machine without a secondary service. Since Consul, by default, only
resolves the `.consul` TDL, it is especially important to use the `recursors` option if you wish the
`iptables` setup to resolve for other domains.
`iptables` setup to resolve for other domains. The recursors should not include the localhost as the
redirects would just intercept the requests. The iptables method is suited for situations where an
external DNS service is already running in your infrastructure is used as the recursor or if you want
to use an existing DNS server as your query endpoint and forward requests for the consul domain to the
consul server. In both of those cases you may want to query the consul server but not need the overhead
of a separate service on the consul host.
```
[root@localhost ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600