2014-04-08 23:56:26 -04:00
---
layout: "docs"
page_title: "Forwarding"
sidebar_current: "docs-guides-forwarding"
2014-10-19 19:40:10 -04:00
description: |-
2015-02-26 13:34:45 -05:00
By default, DNS is served from port 53. On most operating systems, this requires elevated privileges. Instead of running Consul with an administrative or root account, it is possible to instead forward appropriate queries to Consul, running on an unprivileged port, from another DNS server.
2014-04-08 23:56:26 -04:00
---
2014-04-09 11:40:52 -07:00
# Forwarding DNS
2014-04-08 23:56:26 -04:00
2015-02-26 13:34:45 -05:00
By default, DNS is served from port 53. On most operating systems, this
requires elevated privileges. Instead of running Consul with an administrative
or root account, it is possible to instead forward appropriate queries to Consul,
running on an unprivileged port, from another DNS server.
2014-04-08 23:56:26 -04:00
2015-08-28 18:10:37 -07:00
In this guide, we will demonstrate forwarding from [BIND ](https://www.isc.org/downloads/bind/ ),
as well as [dnsmasq ](http://www.thekelleys.org.uk/dnsmasq/doc.html ).
2015-02-26 13:34:45 -05:00
For the sake of simplicity, BIND and Consul are running on the same machine in this example,
but this is not required.
2014-04-08 23:56:26 -04:00
2015-08-28 18:27:26 -07:00
It is worth mentioning that, by default, consul does not resolve DNS
records outside the `.consul.` zone, unless the
[recursors ](/docs/agent/options.html#recursors ) configuration option
has been set. An example of how this changes consul's behavior is:
When a consul DNS reply includes a CNAME record pointing outside
`.consul.` the DNS reply includes only CNAME records.
Contrastingly, when `recursors` is set and the upstream resolver is
functioning correctly, consul will try to resolve CNAMEs and include
any A/PTR records for them in its DNS reply.
2015-08-28 18:10:37 -07:00
2015-02-26 13:34:45 -05:00
### BIND Setup
2014-04-08 23:56:26 -04:00
2015-02-26 13:34:45 -05:00
First, you have to disable DNSSEC so that Consul and BIND can communicate.
Here is an example of such a configuration:
2014-04-08 23:56:26 -04:00
2014-10-19 19:40:10 -04:00
```text
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;
2014-04-08 23:56:26 -04:00
2014-10-19 19:40:10 -04:00
dnssec-enable no;
dnssec-validation no;
2014-04-08 23:56:26 -04:00
2014-10-19 19:40:10 -04:00
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
2014-04-08 23:56:26 -04:00
2014-10-19 19:40:10 -04:00
managed-keys-directory "/var/named/dynamic";
};
2014-04-08 23:56:26 -04:00
2014-10-19 19:40:10 -04:00
include "/etc/named/consul.conf";
```
2014-04-08 23:56:26 -04:00
2014-04-09 14:08:32 -04:00
### Zone File
2014-04-08 23:56:26 -04:00
Then we set up a zone for our Consul managed records in consul.conf:
2014-10-19 19:40:10 -04:00
```text
zone "consul" IN {
type forward;
forward only;
forwarders { 127.0.0.1 port 8600; };
};
```
2014-04-08 23:56:26 -04:00
2015-02-26 13:34:45 -05:00
Here we assume Consul is running with default settings and is serving
2014-04-09 11:40:52 -07:00
DNS on port 8600.
2014-04-08 23:56:26 -04:00
2015-08-28 18:10:37 -07:00
### Dnsmasq
Add the following to your config. Typically `/etc/dnsmasq.d/` is enabled which should allow creation of a file `/etc/dnsmasq.d/10-consul` :
```text
server=/consul/127.0.0.1#8600
```
restart the dnsmasq process after making configuration changes.
2014-04-09 14:08:32 -04:00
### Testing
First, perform a DNS query against Consul directly to be sure that the record exists:
2014-10-19 19:40:10 -04:00
```text
[root@localhost ~]# dig @localhost -p 8600 master.redis.service.dc-1.consul. A
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
; << >> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 << >> @localhost master.redis.service.dc-1.consul. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER< < - opcode: QUERY , status: NOERROR , id: 11536
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
;; QUESTION SECTION:
;master.redis.service.dc-1.consul. IN A
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
;; ANSWER SECTION:
master.redis.service.dc-1.consul. 0 IN A 172.31.3.234
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53 (127.0.0.1)
;; WHEN: Wed Apr 9 17:36:12 2014
;; MSG SIZE rcvd: 76
```
2014-04-09 14:08:32 -04:00
2015-02-26 13:34:45 -05:00
Then run the same query against your BIND instance and make sure you get a result:
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
```text
[root@localhost ~]# dig @localhost -p 53 master.redis.service.dc-1.consul. A
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
; << >> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 << >> @localhost master.redis.service.dc-1.consul. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER< < - opcode: QUERY , status: NOERROR , id: 11536
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
;; QUESTION SECTION:
;master.redis.service.dc-1.consul. IN A
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
;; ANSWER SECTION:
master.redis.service.dc-1.consul. 0 IN A 172.31.3.234
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53 (127.0.0.1)
;; WHEN: Wed Apr 9 17:36:12 2014
;; MSG SIZE rcvd: 76
```
2014-04-09 14:08:32 -04:00
### Troubleshooting
2015-02-26 13:34:45 -05:00
If you don't get an answer from BIND but you do get an answer from Consul, your
best bet is to turn on BIND's query log to see what's happening:
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
```text
[root@localhost ~]# rndc querylog
[root@localhost ~]# tail -f /var/log/messages
```
2014-04-09 14:08:32 -04:00
2015-02-26 13:34:45 -05:00
The log may show errors like this:
2014-04-09 14:08:32 -04:00
2014-10-19 19:40:10 -04:00
```text
error (no valid RRSIG) resolving
error (no valid DS) resolving
```
2014-04-08 23:56:26 -04:00
2015-02-26 13:34:45 -05:00
This indicates that DNSSEC is not disabled properly.
If you see errors about network connections, verify that there are no firewall
or routing problems between the servers running BIND and Consul.