diff --git a/website/source/docs/guides/forwarding.html.md b/website/source/docs/guides/forwarding.html.md index 99e50981d5..87824a22fc 100644 --- a/website/source/docs/guides/forwarding.html.md +++ b/website/source/docs/guides/forwarding.html.md @@ -16,7 +16,8 @@ running on an unprivileged port, from another DNS server or port redirect. In this guide, we will demonstrate forwarding from [BIND](https://www.isc.org/downloads/bind/) as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html), -[Unbound](https://www.unbound.net/), and [iptables](http://www.netfilter.org/). +[Unbound](https://www.unbound.net/), +[systemd-resolved](https://www.freedesktop.org/wiki/Software/systemd/resolved/), and [iptables](http://www.netfilter.org/). For the sake of simplicity, BIND and Consul are running on the same machine in this example. For iptables the rules must be set on the same host as the Consul instance and relay hosts should not be on the same host or the redirects will 
@@ -155,6 +156,32 @@ You may have to add the following line to the bottom of your include: "/etc/unbound/unbound.conf.d/*.conf" ``` +### systemd-resolved Setup + +`systemd-resolved` is typically configured with `/etc/systemd/resolved.conf`. +To configure systemd-resolved to send queries for the consul domain to +Consul, configure resolved.conf to contain the following: + +``` +DNS=127.0.0.1 +Domains=~consul +``` + +The main limitation with this configuration is that the DNS field +cannot contain ports. So for this to work either Consul must be +[configured to listen on port 53](https://www.consul.io/docs/agent/options.html#dns_port) +instead of 8600 or you can use iptables to map port 53 to 8600. +The following iptables commands are sufficient to do the port +mapping. + +``` +[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 +[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 +``` + +Note: With this setup, PTR record queries will still be sent out +to the other configured resolvers in addition to Consul. + ### iptables Setup On Linux systems that support it, incoming requests and requests to
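Review bot: In the first hunk (the intro list of forwarders), the added line `[systemd-resolved](...), and [iptables](...).` runs well past the wrap width of the lines around it; move `and [iptables](http://www.netfilter.org/).` onto its own line so the paragraph stays wrapped consistently. The paragraph that follows still only states host placement for BIND and iptables, so consider a clause saying that systemd-resolved is configured on the same host as the Consul agent, since the new section points `DNS=` at 127.0.0.1.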
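Review bot: In the systemd-resolved Setup hunk, the resolved.conf snippet lists `DNS=127.0.0.1` and `Domains=~consul` without the `[Resolve]` section header that resolved.conf expects these keys under; show the header in the snippet and mention that systemd-resolved has to be restarted for the change to take effect. The two iptables rules redirect every locally generated packet addressed to localhost port 53 to port 8600, so the text should say that any other DNS server bound to 127.0.0.1:53 on that host stops being reachable from local clients, and that rules added with `iptables -A` do not persist across a reboot. The closing note on PTR queries would be clearer if it stated the consequence: reverse lookups for addresses registered in Consul are also sent to the other configured resolvers.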