sstent/LogSeqDB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
sstent
2025-12-11 06:26:12 -08:00
commit 4662fe2d3b
2327 changed files with 114173 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

136
logseq/bak/pages/Scripts/Configuring Consul DNS Forwarding in Ubuntu 16.04/2025-08-02T12_36_01.764Z.android.md Normal file
View File

@@ -0,0 +1,136 @@
---
title: Configuring Consul DNS Forwarding in Ubuntu 16.04
updated: 2021-09-01 13:45:43Z
created: 2021-09-01 13:45:43Z
source: https://andydote.co.uk/2019/05/29/consul-dns-forwarding/
---
## DEPRECATED - This doesnt work properly
[Please see this post for an updated version which works!](https://andydote.co.uk/2019/09/24/consul-ubuntu-dns-revisited/)
* * *
One of the advantages of using [Consul](https://www.consul.io/) for service discovery is that besides an HTTP API, you can also query it by DNS.
The DNS server is listening on port `8600` by default, and you can query both A records or SRV records from it. [SRV](https://en.wikipedia.org/wiki/SRV_record) records are useful as they contain additional properties (`priority`, `weight` and `port`), and you can get multiple records back from a single query, letting you do load balancing client side:
```bash
$ dig @localhost -p 8600 consul.service.consul SRV +short
1 10 8300 vagrant1.node.dc1.consul.
1 14 8300 vagrant2.node.dc1.consul.
2 100 8300 vagrant3.node.dc1.consul.
```
A Records are also useful, as it means we should be able to treat services registered to Consul like any other domain - but it doesnt work:
```bash
$ curl http://consul.service.consul:8500
curl: (6) Could not resolve host: consul.service.consul
```
The reason for this is that the systems built-in DNS resolver doesnt know how to query Consul. We can, however, configure it to forward any `*.consul` requests to Consul.
## [](#solution---forward-dns-queries-to-consul)Solution - Forward DNS queries to Consul
As I usually target Ubuntu based machines, this means configuring `systemd-resolved` to forward to Consul. However, we want to keep Consul listening on its default port (`8600`), and `systemd-resolved` can only forward requests to port `53`, so we need also to configure `iptables` to redirect the requests.
The steps are as follows:
1. Configure `systemd-resolved` to forward `.consul` TLD queries to the local consul agent
2. Configure `iptables` to redirect `53` to `8600`
So lets get to it!
### [](#1-make-iptables-persistent)1\. Make iptables persistent
IPTables configuration changes dont persist through reboots, so the easiest way to solve this is with the `iptables-persistent` package.
Typically I am scripting machines (using \[Packer\] or \[Vagrant\]), so I configure the install to be non-interactive:
```bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive apt install -yq iptables-persistent
```
### [](#2-update-systemd-resolved)2\. Update Systemd-Resolved
The file to change is `/etc/systemd/resolved.conf`. By default it looks like this:
```bash
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#DNSSEC=no
```
We need to change the `DNS` and `Domains` lines - either editing the file by hand, or scripting a replacement with `sed`:
```bash
sudo sed -i 's/#DNS=/DNS=127.0.0.1/g; s/#Domains=/Domains=~consul/g' /etc/systemd/resolved.conf
```
The result of which is the file now reading like this:
```bash
[Resolve]
DNS=127.0.0.1
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Domains=~consul
#LLMNR=yes
#DNSSEC=no
```
By specifying the `Domains` as `~consul`, we are telling resolvd to forward requests for the `consul` TLD to the server specified in the `DNS` line.
### [](#3-configure-resolvconf-too)3\. Configure Resolvconf too
For compatibility with some applications (e.g. `curl` and `ping`), we also need to update `/etc/resolv.conf` to specify our local nameserver. You do this **not** by editing the file directly!
Instead, we need to add `nameserver 127.0.0.1` to `/etc/resolvconf/resolv.conf.d/head`. Again, I will script this, and as we need `sudo` to write to the file, the easiest way is to use `tee` to append the line and then run `resolvconf -u` to apply the change:
```bash
echo "nameserver 127.0.0.1" | sudo tee --append /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u
```
### [](#configure-iptables)Configure iptables
Finally, we need to configure iptables so that when `systemd-resolved` sends a DNS query to localhost on port `53`, it gets redirected to port `8600`. Well do this for both TCP and UDP requests, and then use `netfilter-persistent` to make the rules persistent:
```bash
sudo iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
sudo iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
sudo netfilter-persistent save
```
## [](#verification)Verification
First, we can test that both Consul and Systemd-Resolved return an address for a consul service:
```bash
$ dig @localhost -p 8600 consul.service.consul +short
10.0.2.15
$ dig @localhost consul.service.consul +short
10.0.2.15
```
And now we can try using `curl` to verify that we can resolve consul domains and normal domains still:
```bash
$ curl -s -o /dev/null -w "%{http_code}\n" http://consul.service.consul:8500/ui/
200
$ curl -s -o /dev/null -w "%{http_code}\n" http://google.com
301
```
## [](#end)End
There are also guides available on how to do this on [Hashicorps website](https://learn.hashicorp.com/consul/security-networking/forwarding), covering other DNS resolvers too (such as BIND, Dnsmasq, Unbound).

136
logseq/bak/pages/Scripts/Configuring Consul DNS Forwarding in Ubuntu 16.04/2025-08-02T12_38_58.668Z.android.md Normal file
View File

@@ -0,0 +1,136 @@
---
title: Configuring Consul DNS Forwarding in Ubuntu 16.04
updated: 2021-09-01 13:45:43Z
created: 2021-09-01 13:45:43Z
source: https://andydote.co.uk/2019/05/29/consul-dns-forwarding/
---
## DEPRECATED - This doesnt work properly
[Please see this post for an updated version which works!](https://andydote.co.uk/2019/09/24/consul-ubuntu-dns-revisited/)
* * *
One of the advantages of using [Consul](https://www.consul.io/) for service discovery is that besides an HTTP API, you can also query it by DNS.
The DNS server is listening on port `8600` by default, and you can query both A records or SRV records from it. [SRV](https://en.wikipedia.org/wiki/SRV_record) records are useful as they contain additional properties (`priority`, `weight` and `port`), and you can get multiple records back from a single query, letting you do load balancing client side:
```bash
$ dig @localhost -p 8600 consul.service.consul SRV +short
1 10 8300 vagrant1.node.dc1.consul.
1 14 8300 vagrant2.node.dc1.consul.
2 100 8300 vagrant3.node.dc1.consul.
```
A Records are also useful, as it means we should be able to treat services registered to Consul like any other domain - but it doesnt work:
```bash
$ curl http://consul.service.consul:8500
curl: (6) Could not resolve host: consul.service.consul
```
The reason for this is that the systems built-in DNS resolver doesnt know how to query Consul. We can, however, configure it to forward any `*.consul` requests to Consul.
## [](#solution---forward-dns-queries-to-consul)Solution - Forward DNS queries to Consul
As I usually target Ubuntu based machines, this means configuring `systemd-resolved` to forward to Consul. However, we want to keep Consul listening on its default port (`8600`), and `systemd-resolved` can only forward requests to port `53`, so we need also to configure `iptables` to redirect the requests.
The steps are as follows:
1. Configure `systemd-resolved` to forward `.consul` TLD queries to the local consul agent
2. Configure `iptables` to redirect `53` to `8600`
So lets get to it!
### [](#1-make-iptables-persistent)1\. Make iptables persistent
IPTables configuration changes dont persist through reboots, so the easiest way to solve this is with the `iptables-persistent` package.
Typically I am scripting machines (using \[Packer\] or \[Vagrant\]), so I configure the install to be non-interactive:
```bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive apt install -yq iptables-persistent
```
### [](#2-update-systemd-resolved)2\. Update Systemd-Resolved
The file to change is `/etc/systemd/resolved.conf`. By default it looks like this:
```bash
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#DNSSEC=no
```
We need to change the `DNS` and `Domains` lines - either editing the file by hand, or scripting a replacement with `sed`:
```bash
sudo sed -i 's/#DNS=/DNS=127.0.0.1/g; s/#Domains=/Domains=~consul/g' /etc/systemd/resolved.conf
```
The result of which is the file now reading like this:
```bash
[Resolve]
DNS=127.0.0.1
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Domains=~consul
#LLMNR=yes
#DNSSEC=no
```
By specifying the `Domains` as `~consul`, we are telling resolvd to forward requests for the `consul` TLD to the server specified in the `DNS` line.
### [](#3-configure-resolvconf-too)3\. Configure Resolvconf too
For compatibility with some applications (e.g. `curl` and `ping`), we also need to update `/etc/resolv.conf` to specify our local nameserver. You do this **not** by editing the file directly!
Instead, we need to add `nameserver 127.0.0.1` to `/etc/resolvconf/resolv.conf.d/head`. Again, I will script this, and as we need `sudo` to write to the file, the easiest way is to use `tee` to append the line and then run `resolvconf -u` to apply the change:
```bash
echo "nameserver 127.0.0.1" | sudo tee --append /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u
```
### [](#configure-iptables)Configure iptables
Finally, we need to configure iptables so that when `systemd-resolved` sends a DNS query to localhost on port `53`, it gets redirected to port `8600`. Well do this for both TCP and UDP requests, and then use `netfilter-persistent` to make the rules persistent:
```bash
sudo iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
sudo iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
sudo netfilter-persistent save
```
## [](#verification)Verification
First, we can test that both Consul and Systemd-Resolved return an address for a consul service:
```bash
$ dig @localhost -p 8600 consul.service.consul +short
10.0.2.15
$ dig @localhost consul.service.consul +short
10.0.2.15
```
And now we can try using `curl` to verify that we can resolve consul domains and normal domains still:
```bash
$ curl -s -o /dev/null -w "%{http_code}\n" http://consul.service.consul:8500/ui/
200
$ curl -s -o /dev/null -w "%{http_code}\n" http://google.com
301
```
## [](#end)End
There are also guides available on how to do this on [Hashicorps website](https://learn.hashicorp.com/consul/security-networking/forwarding), covering other DNS resolvers too (such as BIND, Dnsmasq, Unbound).

136
logseq/bak/pages/Scripts/Configuring Consul DNS Forwarding in Ubuntu 16.04/2025-08-02T12_41_20.922Z.android.md Normal file
View File

@@ -0,0 +1,136 @@
---
title: Configuring Consul DNS Forwarding in Ubuntu 16.04
updated: 2021-09-01 13:45:43Z
created: 2021-09-01 13:45:43Z
source: https://andydote.co.uk/2019/05/29/consul-dns-forwarding/
---
## DEPRECATED - This doesnt work properly
[Please see this post for an updated version which works!](https://andydote.co.uk/2019/09/24/consul-ubuntu-dns-revisited/)
* * *
One of the advantages of using [Consul](https://www.consul.io/) for service discovery is that besides an HTTP API, you can also query it by DNS.
The DNS server is listening on port `8600` by default, and you can query both A records or SRV records from it. [SRV](https://en.wikipedia.org/wiki/SRV_record) records are useful as they contain additional properties (`priority`, `weight` and `port`), and you can get multiple records back from a single query, letting you do load balancing client side:
```bash
$ dig @localhost -p 8600 consul.service.consul SRV +short
1 10 8300 vagrant1.node.dc1.consul.
1 14 8300 vagrant2.node.dc1.consul.
2 100 8300 vagrant3.node.dc1.consul.
```
A Records are also useful, as it means we should be able to treat services registered to Consul like any other domain - but it doesnt work:
```bash
$ curl http://consul.service.consul:8500
curl: (6) Could not resolve host: consul.service.consul
```
The reason for this is that the systems built-in DNS resolver doesnt know how to query Consul. We can, however, configure it to forward any `*.consul` requests to Consul.
## [](#solution---forward-dns-queries-to-consul)Solution - Forward DNS queries to Consul
As I usually target Ubuntu based machines, this means configuring `systemd-resolved` to forward to Consul. However, we want to keep Consul listening on its default port (`8600`), and `systemd-resolved` can only forward requests to port `53`, so we need also to configure `iptables` to redirect the requests.
The steps are as follows:
1. Configure `systemd-resolved` to forward `.consul` TLD queries to the local consul agent
2. Configure `iptables` to redirect `53` to `8600`
So lets get to it!
### [](#1-make-iptables-persistent)1\. Make iptables persistent
IPTables configuration changes dont persist through reboots, so the easiest way to solve this is with the `iptables-persistent` package.
Typically I am scripting machines (using \[Packer\] or \[Vagrant\]), so I configure the install to be non-interactive:
```bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive apt install -yq iptables-persistent
```
### [](#2-update-systemd-resolved)2\. Update Systemd-Resolved
The file to change is `/etc/systemd/resolved.conf`. By default it looks like this:
```bash
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#DNSSEC=no
```
We need to change the `DNS` and `Domains` lines - either editing the file by hand, or scripting a replacement with `sed`:
```bash
sudo sed -i 's/#DNS=/DNS=127.0.0.1/g; s/#Domains=/Domains=~consul/g' /etc/systemd/resolved.conf
```
The result of which is the file now reading like this:
```bash
[Resolve]
DNS=127.0.0.1
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Domains=~consul
#LLMNR=yes
#DNSSEC=no
```
By specifying the `Domains` as `~consul`, we are telling resolvd to forward requests for the `consul` TLD to the server specified in the `DNS` line.
### [](#3-configure-resolvconf-too)3\. Configure Resolvconf too
For compatibility with some applications (e.g. `curl` and `ping`), we also need to update `/etc/resolv.conf` to specify our local nameserver. You do this **not** by editing the file directly!
Instead, we need to add `nameserver 127.0.0.1` to `/etc/resolvconf/resolv.conf.d/head`. Again, I will script this, and as we need `sudo` to write to the file, the easiest way is to use `tee` to append the line and then run `resolvconf -u` to apply the change:
```bash
echo "nameserver 127.0.0.1" | sudo tee --append /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u
```
### [](#configure-iptables)Configure iptables
Finally, we need to configure iptables so that when `systemd-resolved` sends a DNS query to localhost on port `53`, it gets redirected to port `8600`. Well do this for both TCP and UDP requests, and then use `netfilter-persistent` to make the rules persistent:
```bash
sudo iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
sudo iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
sudo netfilter-persistent save
```
## [](#verification)Verification
First, we can test that both Consul and Systemd-Resolved return an address for a consul service:
```bash
$ dig @localhost -p 8600 consul.service.consul +short
10.0.2.15
$ dig @localhost consul.service.consul +short
10.0.2.15
```
And now we can try using `curl` to verify that we can resolve consul domains and normal domains still:
```bash
$ curl -s -o /dev/null -w "%{http_code}\n" http://consul.service.consul:8500/ui/
200
$ curl -s -o /dev/null -w "%{http_code}\n" http://google.com
301
```
## [](#end)End
There are also guides available on how to do this on [Hashicorps website](https://learn.hashicorp.com/consul/security-networking/forwarding), covering other DNS resolvers too (such as BIND, Dnsmasq, Unbound).

136
logseq/bak/pages/Scripts/Configuring Consul DNS Forwarding in Ubuntu 16.04/2025-08-03T03_32_39.167Z.android.md Normal file
View File

@@ -0,0 +1,136 @@
---
title: Configuring Consul DNS Forwarding in Ubuntu 16.04
updated: 2021-09-01 13:45:43Z
created: 2021-09-01 13:45:43Z
source: https://andydote.co.uk/2019/05/29/consul-dns-forwarding/
---
## DEPRECATED - This doesnt work properly
[Please see this post for an updated version which works!](https://andydote.co.uk/2019/09/24/consul-ubuntu-dns-revisited/)
* * *
One of the advantages of using [Consul](https://www.consul.io/) for service discovery is that besides an HTTP API, you can also query it by DNS.
The DNS server is listening on port `8600` by default, and you can query both A records or SRV records from it. [SRV](https://en.wikipedia.org/wiki/SRV_record) records are useful as they contain additional properties (`priority`, `weight` and `port`), and you can get multiple records back from a single query, letting you do load balancing client side:
```bash
$ dig @localhost -p 8600 consul.service.consul SRV +short
1 10 8300 vagrant1.node.dc1.consul.
1 14 8300 vagrant2.node.dc1.consul.
2 100 8300 vagrant3.node.dc1.consul.
```
A Records are also useful, as it means we should be able to treat services registered to Consul like any other domain - but it doesnt work:
```bash
$ curl http://consul.service.consul:8500
curl: (6) Could not resolve host: consul.service.consul
```
The reason for this is that the systems built-in DNS resolver doesnt know how to query Consul. We can, however, configure it to forward any `*.consul` requests to Consul.
## [](#solution---forward-dns-queries-to-consul)Solution - Forward DNS queries to Consul
As I usually target Ubuntu based machines, this means configuring `systemd-resolved` to forward to Consul. However, we want to keep Consul listening on its default port (`8600`), and `systemd-resolved` can only forward requests to port `53`, so we need also to configure `iptables` to redirect the requests.
The steps are as follows:
1. Configure `systemd-resolved` to forward `.consul` TLD queries to the local consul agent
2. Configure `iptables` to redirect `53` to `8600`
So lets get to it!
### [](#1-make-iptables-persistent)1\. Make iptables persistent
IPTables configuration changes dont persist through reboots, so the easiest way to solve this is with the `iptables-persistent` package.
Typically I am scripting machines (using \[Packer\] or \[Vagrant\]), so I configure the install to be non-interactive:
```bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive apt install -yq iptables-persistent
```
### [](#2-update-systemd-resolved)2\. Update Systemd-Resolved
The file to change is `/etc/systemd/resolved.conf`. By default it looks like this:
```bash
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#DNSSEC=no
```
We need to change the `DNS` and `Domains` lines - either editing the file by hand, or scripting a replacement with `sed`:
```bash
sudo sed -i 's/#DNS=/DNS=127.0.0.1/g; s/#Domains=/Domains=~consul/g' /etc/systemd/resolved.conf
```
The result of which is the file now reading like this:
```bash
[Resolve]
DNS=127.0.0.1
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Domains=~consul
#LLMNR=yes
#DNSSEC=no
```
By specifying the `Domains` as `~consul`, we are telling resolvd to forward requests for the `consul` TLD to the server specified in the `DNS` line.
### [](#3-configure-resolvconf-too)3\. Configure Resolvconf too
For compatibility with some applications (e.g. `curl` and `ping`), we also need to update `/etc/resolv.conf` to specify our local nameserver. You do this **not** by editing the file directly!
Instead, we need to add `nameserver 127.0.0.1` to `/etc/resolvconf/resolv.conf.d/head`. Again, I will script this, and as we need `sudo` to write to the file, the easiest way is to use `tee` to append the line and then run `resolvconf -u` to apply the change:
```bash
echo "nameserver 127.0.0.1" | sudo tee --append /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u
```
### [](#configure-iptables)Configure iptables
Finally, we need to configure iptables so that when `systemd-resolved` sends a DNS query to localhost on port `53`, it gets redirected to port `8600`. Well do this for both TCP and UDP requests, and then use `netfilter-persistent` to make the rules persistent:
```bash
sudo iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
sudo iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
sudo netfilter-persistent save
```
## [](#verification)Verification
First, we can test that both Consul and Systemd-Resolved return an address for a consul service:
```bash
$ dig @localhost -p 8600 consul.service.consul +short
10.0.2.15
$ dig @localhost consul.service.consul +short
10.0.2.15
```
And now we can try using `curl` to verify that we can resolve consul domains and normal domains still:
```bash
$ curl -s -o /dev/null -w "%{http_code}\n" http://consul.service.consul:8500/ui/
200
$ curl -s -o /dev/null -w "%{http_code}\n" http://google.com
301
```
## [](#end)End
There are also guides available on how to do this on [Hashicorps website](https://learn.hashicorp.com/consul/security-networking/forwarding), covering other DNS resolvers too (such as BIND, Dnsmasq, Unbound).

136
logseq/bak/pages/Scripts/Configuring Consul DNS Forwarding in Ubuntu 16.04/2025-08-03T03_53_36.334Z.android.md Normal file
View File

@@ -0,0 +1,136 @@
---
title: Configuring Consul DNS Forwarding in Ubuntu 16.04
updated: 2021-09-01 13:45:43Z
created: 2021-09-01 13:45:43Z
source: https://andydote.co.uk/2019/05/29/consul-dns-forwarding/
---
## DEPRECATED - This doesnt work properly
[Please see this post for an updated version which works!](https://andydote.co.uk/2019/09/24/consul-ubuntu-dns-revisited/)
* * *
One of the advantages of using [Consul](https://www.consul.io/) for service discovery is that besides an HTTP API, you can also query it by DNS.
The DNS server is listening on port `8600` by default, and you can query both A records or SRV records from it. [SRV](https://en.wikipedia.org/wiki/SRV_record) records are useful as they contain additional properties (`priority`, `weight` and `port`), and you can get multiple records back from a single query, letting you do load balancing client side:
```bash
$ dig @localhost -p 8600 consul.service.consul SRV +short
1 10 8300 vagrant1.node.dc1.consul.
1 14 8300 vagrant2.node.dc1.consul.
2 100 8300 vagrant3.node.dc1.consul.
```
A Records are also useful, as it means we should be able to treat services registered to Consul like any other domain - but it doesnt work:
```bash
$ curl http://consul.service.consul:8500
curl: (6) Could not resolve host: consul.service.consul
```
The reason for this is that the systems built-in DNS resolver doesnt know how to query Consul. We can, however, configure it to forward any `*.consul` requests to Consul.
## [](#solution---forward-dns-queries-to-consul)Solution - Forward DNS queries to Consul
As I usually target Ubuntu based machines, this means configuring `systemd-resolved` to forward to Consul. However, we want to keep Consul listening on its default port (`8600`), and `systemd-resolved` can only forward requests to port `53`, so we need also to configure `iptables` to redirect the requests.
The steps are as follows:
1. Configure `systemd-resolved` to forward `.consul` TLD queries to the local consul agent
2. Configure `iptables` to redirect `53` to `8600`
So lets get to it!
### [](#1-make-iptables-persistent)1\. Make iptables persistent
IPTables configuration changes dont persist through reboots, so the easiest way to solve this is with the `iptables-persistent` package.
Typically I am scripting machines (using \[Packer\] or \[Vagrant\]), so I configure the install to be non-interactive:
```bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive apt install -yq iptables-persistent
```
### [](#2-update-systemd-resolved)2\. Update Systemd-Resolved
The file to change is `/etc/systemd/resolved.conf`. By default it looks like this:
```bash
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#DNSSEC=no
```
We need to change the `DNS` and `Domains` lines - either editing the file by hand, or scripting a replacement with `sed`:
```bash
sudo sed -i 's/#DNS=/DNS=127.0.0.1/g; s/#Domains=/Domains=~consul/g' /etc/systemd/resolved.conf
```
The result of which is the file now reading like this:
```bash
[Resolve]
DNS=127.0.0.1
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Domains=~consul
#LLMNR=yes
#DNSSEC=no
```
By specifying the `Domains` as `~consul`, we are telling resolvd to forward requests for the `consul` TLD to the server specified in the `DNS` line.
### [](#3-configure-resolvconf-too)3\. Configure Resolvconf too
For compatibility with some applications (e.g. `curl` and `ping`), we also need to update `/etc/resolv.conf` to specify our local nameserver. You do this **not** by editing the file directly!
Instead, we need to add `nameserver 127.0.0.1` to `/etc/resolvconf/resolv.conf.d/head`. Again, I will script this, and as we need `sudo` to write to the file, the easiest way is to use `tee` to append the line and then run `resolvconf -u` to apply the change:
```bash
echo "nameserver 127.0.0.1" | sudo tee --append /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u
```
### [](#configure-iptables)Configure iptables
Finally, we need to configure iptables so that when `systemd-resolved` sends a DNS query to localhost on port `53`, it gets redirected to port `8600`. Well do this for both TCP and UDP requests, and then use `netfilter-persistent` to make the rules persistent:
```bash
sudo iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
sudo iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
sudo netfilter-persistent save
```
## [](#verification)Verification
First, we can test that both Consul and Systemd-Resolved return an address for a consul service:
```bash
$ dig @localhost -p 8600 consul.service.consul +short
10.0.2.15
$ dig @localhost consul.service.consul +short
10.0.2.15
```
And now we can try using `curl` to verify that we can resolve consul domains and normal domains still:
```bash
$ curl -s -o /dev/null -w "%{http_code}\n" http://consul.service.consul:8500/ui/
200
$ curl -s -o /dev/null -w "%{http_code}\n" http://google.com
301
```
## [](#end)End
There are also guides available on how to do this on [Hashicorps website](https://learn.hashicorp.com/consul/security-networking/forwarding), covering other DNS resolvers too (such as BIND, Dnsmasq, Unbound).

136
logseq/bak/pages/Scripts/Configuring Consul DNS Forwarding in Ubuntu 16.04/2025-08-12T17_03_40.471Z.android.md Normal file
View File

@@ -0,0 +1,136 @@
---
title: Configuring Consul DNS Forwarding in Ubuntu 16.04
updated: 2021-09-01 13:45:43Z
created: 2021-09-01 13:45:43Z
source: https://andydote.co.uk/2019/05/29/consul-dns-forwarding/
---
## DEPRECATED - This doesnt work properly
[Please see this post for an updated version which works!](https://andydote.co.uk/2019/09/24/consul-ubuntu-dns-revisited/)
* * *
One of the advantages of using [Consul](https://www.consul.io/) for service discovery is that besides an HTTP API, you can also query it by DNS.
The DNS server is listening on port `8600` by default, and you can query both A records or SRV records from it. [SRV](https://en.wikipedia.org/wiki/SRV_record) records are useful as they contain additional properties (`priority`, `weight` and `port`), and you can get multiple records back from a single query, letting you do load balancing client side:
```bash
$ dig @localhost -p 8600 consul.service.consul SRV +short
1 10 8300 vagrant1.node.dc1.consul.
1 14 8300 vagrant2.node.dc1.consul.
2 100 8300 vagrant3.node.dc1.consul.
```
A Records are also useful, as it means we should be able to treat services registered to Consul like any other domain - but it doesnt work:
```bash
$ curl http://consul.service.consul:8500
curl: (6) Could not resolve host: consul.service.consul
```
The reason for this is that the systems built-in DNS resolver doesnt know how to query Consul. We can, however, configure it to forward any `*.consul` requests to Consul.
## [](#solution---forward-dns-queries-to-consul)Solution - Forward DNS queries to Consul
As I usually target Ubuntu based machines, this means configuring `systemd-resolved` to forward to Consul. However, we want to keep Consul listening on its default port (`8600`), and `systemd-resolved` can only forward requests to port `53`, so we need also to configure `iptables` to redirect the requests.
The steps are as follows:
1. Configure `systemd-resolved` to forward `.consul` TLD queries to the local consul agent
2. Configure `iptables` to redirect `53` to `8600`
So lets get to it!
### [](#1-make-iptables-persistent)1\. Make iptables persistent
IPTables configuration changes dont persist through reboots, so the easiest way to solve this is with the `iptables-persistent` package.
Typically I am scripting machines (using \[Packer\] or \[Vagrant\]), so I configure the install to be non-interactive:
```bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive apt install -yq iptables-persistent
```
### [](#2-update-systemd-resolved)2\. Update Systemd-Resolved
The file to change is `/etc/systemd/resolved.conf`. By default it looks like this:
```bash
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#DNSSEC=no
```
We need to change the `DNS` and `Domains` lines - either editing the file by hand, or scripting a replacement with `sed`:
```bash
sudo sed -i 's/#DNS=/DNS=127.0.0.1/g; s/#Domains=/Domains=~consul/g' /etc/systemd/resolved.conf
```
The result of which is the file now reading like this:
```bash
[Resolve]
DNS=127.0.0.1
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Domains=~consul
#LLMNR=yes
#DNSSEC=no
```
By specifying the `Domains` as `~consul`, we are telling resolvd to forward requests for the `consul` TLD to the server specified in the `DNS` line.
### [](#3-configure-resolvconf-too)3\. Configure Resolvconf too
For compatibility with some applications (e.g. `curl` and `ping`), we also need to update `/etc/resolv.conf` to specify our local nameserver. You do this **not** by editing the file directly!
Instead, we need to add `nameserver 127.0.0.1` to `/etc/resolvconf/resolv.conf.d/head`. Again, I will script this, and as we need `sudo` to write to the file, the easiest way is to use `tee` to append the line and then run `resolvconf -u` to apply the change:
```bash
echo "nameserver 127.0.0.1" | sudo tee --append /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u
```
### [](#configure-iptables)Configure iptables
Finally, we need to configure iptables so that when `systemd-resolved` sends a DNS query to localhost on port `53`, it gets redirected to port `8600`. Well do this for both TCP and UDP requests, and then use `netfilter-persistent` to make the rules persistent:
```bash
sudo iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
sudo iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
sudo netfilter-persistent save
```
## [](#verification)Verification
First, we can test that both Consul and Systemd-Resolved return an address for a consul service:
```bash
$ dig @localhost -p 8600 consul.service.consul +short
10.0.2.15
$ dig @localhost consul.service.consul +short
10.0.2.15
```
And now we can try using `curl` to verify that we can resolve consul domains and normal domains still:
```bash
$ curl -s -o /dev/null -w "%{http_code}\n" http://consul.service.consul:8500/ui/
200
$ curl -s -o /dev/null -w "%{http_code}\n" http://google.com
301
```
## [](#end)End
There are also guides available on how to do this on [Hashicorps website](https://learn.hashicorp.com/consul/security-networking/forwarding), covering other DNS resolvers too (such as BIND, Dnsmasq, Unbound).