From f142d4ab04c0048090f75491f2d647102f89a984 Mon Sep 17 00:00:00 2001 From: fusiondog Date: Thu, 28 Apr 2016 23:27:28 -0700 Subject: [PATCH 1/4] DNS forwarding with iptables Adding notes on using iptables to forward ports --- .../source/docs/guides/forwarding.html.markdown | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/website/source/docs/guides/forwarding.html.markdown b/website/source/docs/guides/forwarding.html.markdown index 691cc961a1..c4cdd7bf95 100644 --- a/website/source/docs/guides/forwarding.html.markdown +++ b/website/source/docs/guides/forwarding.html.markdown @@ -14,9 +14,9 @@ or root account, it is possible to instead forward appropriate queries to Consul running on an unprivileged port, from another DNS server. In this guide, we will demonstrate forwarding from [BIND](https://www.isc.org/downloads/bind/) -as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). +as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) and [iptables](http://www.netfilter.org/). For the sake of simplicity, BIND and Consul are running on the same machine in this example, -but this is not required. +but this is only required for iptables. It is worth mentioning that, by default, Consul does not resolve DNS records outside the `.consul.` zone unless the 
@@ -126,6 +126,18 @@ for additional details): #cache-size=65536 ``` +### iptables Setup + +On Linux systems that support it, incoming requests and requests to localhost can use iptables +to forward ports on the same machine without a secondary service. + +``` +iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 +iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 +iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 +iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 +``` + ### Testing First, perform a DNS query against Consul directly to be sure that the record exists: From b5751901da44a893bb7618bf68286903c585596f Mon Sep 17 00:00:00 2001 From: fusiondog Date: Fri, 29 Apr 2016 16:45:59 -0700 Subject: [PATCH 2/4] Clarify need for recursors option. Reiterating that the iptables option requires recursors to be set to resolve for any domain besides .consul --- .../docs/guides/forwarding.html.markdown | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/website/source/docs/guides/forwarding.html.markdown b/website/source/docs/guides/forwarding.html.markdown index c4cdd7bf95..dc4444b187 100644 --- a/website/source/docs/guides/forwarding.html.markdown +++ b/website/source/docs/guides/forwarding.html.markdown 
@@ -3,7 +3,7 @@ layout: "docs" page_title: "Forwarding" sidebar_current: "docs-guides-forwarding" description: |- - By default, DNS is served from port 53. On most operating systems, this requires elevated privileges. Instead of running Consul with an administrative or root account, it is possible to instead forward appropriate queries to Consul, running on an unprivileged port, from another DNS server. + By default, DNS is served from port 53. On most operating systems, this requires elevated privileges. Instead of running Consul with an administrative or root account, it is possible to instead forward appropriate queries to Consul, running on an unprivileged port, from another DNS server or port redirect. --- # Forwarding DNS @@ -26,7 +26,7 @@ suppose a Consul DNS reply includes a CNAME record pointing outside the `.consul` TLD. The DNS reply will only include CNAME records by default. By contrast, when `recursors` is set and the upstream resolver is functioning correctly, Consul will try to resolve CNAMEs and include -any records (e.g. A, AAAA, PTR) for them in its DNS reply. +any records (e.g. A, AAAA, PTR) for them in its DNS reply. You can either do one of the following: 
@@ -128,14 +128,16 @@ for additional details): ### iptables Setup -On Linux systems that support it, incoming requests and requests to localhost can use iptables -to forward ports on the same machine without a secondary service. +On Linux systems that support it, incoming requests and requests to localhost can use `iptables` +to forward ports on the same machine without a secondary service. Since Consul, by default, only +resolves the `.consul` TDL, it is especially important to use the `recursors` option if you wish the +`iptables` setup to resolve for other domains. ``` -iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 -iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 -iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 -iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 +[root@localhost ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 +[root@localhost ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 +[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 +[root@localhost ~]# iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 ``` ### Testing From 62dc83ce9ce3b1c63c32db602a83aeb95b843834 Mon Sep 17 00:00:00 2001 From: fusiondog Date: Thu, 9 Jun 2016 14:29:54 -0700 Subject: [PATCH 3/4] Adding more detail about best use case. --- .../source/docs/guides/forwarding.html.markdown | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/website/source/docs/guides/forwarding.html.markdown b/website/source/docs/guides/forwarding.html.markdown index dc4444b187..32b29a9794 100644 --- a/website/source/docs/guides/forwarding.html.markdown +++ b/website/source/docs/guides/forwarding.html.markdown 
@@ -11,12 +11,13 @@ description: |- By default, DNS is served from port 53. On most operating systems, this requires elevated privileges. Instead of running Consul with an administrative or root account, it is possible to instead forward appropriate queries to Consul, -running on an unprivileged port, from another DNS server. +running on an unprivileged port, from another DNS server or port redirect. In this guide, we will demonstrate forwarding from [BIND](https://www.isc.org/downloads/bind/) as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) and [iptables](http://www.netfilter.org/). -For the sake of simplicity, BIND and Consul are running on the same machine in this example, -but this is only required for iptables. +For the sake of simplicity, BIND and Consul are running on the same machine in this example. For iptables the +rules must be set on the same host as the Consul instance and relay hosts should not be on the same host or +the redirects will intercept the traffic. It is worth mentioning that, by default, Consul does not resolve DNS records outside the `.consul.` zone unless the 
@@ -131,7 +132,12 @@ for additional details): On Linux systems that support it, incoming requests and requests to localhost can use `iptables` to forward ports on the same machine without a secondary service. Since Consul, by default, only resolves the `.consul` TDL, it is especially important to use the `recursors` option if you wish the -`iptables` setup to resolve for other domains. +`iptables` setup to resolve for other domains. The recursors should not include the localhost as the +redirects would just intercept the requests. The iptables method is suited for situations where an +external DNS service is already running in your infrastructure is used as the recursor or if you want +to use an existing DNS server as your query endpoint and forward requests for the consul domain to the +consul server. In both of those cases you may want to query the consul server but not need the overhead +of a separate service on the consul host. ``` [root@localhost ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 From 0334039ceac77eef308ddf4616da81c41a41ee1c Mon Sep 17 00:00:00 2001 From: fusiondog Date: Thu, 9 Jun 2016 17:05:00 -0700 Subject: [PATCH 4/4] Added an and --- website/source/docs/guides/forwarding.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/guides/forwarding.html.markdown b/website/source/docs/guides/forwarding.html.markdown index 32b29a9794..88e7dc7eae 100644 --- a/website/source/docs/guides/forwarding.html.markdown +++ b/website/source/docs/guides/forwarding.html.markdown 
@@ -134,7 +134,7 @@ to forward ports on the same machine without a secondary service. Since Consul, resolves the `.consul` TDL, it is especially important to use the `recursors` option if you wish the `iptables` setup to resolve for other domains. The recursors should not include the localhost as the redirects would just intercept the requests. The iptables method is suited for situations where an -external DNS service is already running in your infrastructure is used as the recursor or if you want +external DNS service is already running in your infrastructure and is used as the recursor or if you want to use an existing DNS server as your query endpoint and forward requests for the consul domain to the consul server. In both of those cases you may want to query the consul server but not need the overhead of a separate service on the consul host.
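Review bot: In patch 1/4, hunk @@ -126,6 +126,18 @@ (iptables Setup), the two PREROUTING REDIRECT rules only deliver packets if Consul's DNS listener is reachable on the interface address: REDIRECT rewrites the destination to the primary address of the incoming interface, so an agent whose port 8600 is bound only to loopback never sees those packets and clients time out while the rules look correct; the guide should state that the DNS listener must be bound to the interface address for the PREROUTING rules to work. Two smaller points on the same hunk: `-d localhost` is resolved to an address when the rule is inserted, so `-d 127.0.0.1` is more predictable, and none of these rules cover IPv6 (`::1` or the interface's v6 address), which needs matching `ip6tables` rules; and the rules are not persistent across reboots, which deserves a sentence pointing at `iptables-save` or the distribution's persistence mechanism. Finally, the PREROUTING rules redirect port 53 on every interface, so once `recursors` is set the host answers recursive queries for anyone who can reach it; suggest adding an `-i` or source match, or at least stating that exposure next to the rules.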
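Review bot: In patch 2/4, hunk @@ -26,7 +26,7 @@, "You can either do one of the following:" is redundant ("either" and "one of" say the same thing); suggest "You can do one of the following:". The sentence is appended to the paragraph about CNAME resolution under `recursors`, so from the visible lines it is unclear what "the following" lists; consider starting a new paragraph for the forwarding options instead of tacking the lead-in onto the CNAME explanation.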
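Review bot: In patch 2/4, hunk @@ -128,14 +128,16 @@, "`.consul` TDL" should read "TLD"; the typo is carried as unchanged context into patches 3 and 4, so fix it here. Prefixing every rule with `[root@localhost ~]# ` makes the block harder to copy and paste; if the point is that the rules need root, say so in the sentence above and keep the commands bare. The added sentence about `recursors` is the right warning but reads awkwardly; suggest "Because Consul only resolves the `.consul` TLD by default, set the `recursors` option if you want queries redirected by `iptables` to resolve other domains."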
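Review bot: In patch 3/4, hunk @@ -11,12 +11,13 @@, "relay hosts should not be on the same host" mixes host and service, and "the redirects will intercept the traffic" does not say what breaks; suggest "For iptables, the rules must be set on the same host as the Consul instance, and the relaying DNS server (BIND, dnsmasq or the recursor) must run elsewhere, because the PREROUTING and OUTPUT redirects would capture its port-53 traffic as well."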
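Review bot: In patch 3/4, hunk @@ -131,7 +132,12 @@, the sentence "The iptables method is suited for situations where an external DNS service is already running in your infrastructure is used as the recursor or if you want ..." is missing a conjunction and runs two use cases together (patch 4/4 supplies the "and"); suggest splitting it into two short sentences, one per use case. "The recursors should not include the localhost as the redirects would just intercept the requests" is the most important warning in the section but gives no mechanism; suggest adding that the OUTPUT rule would send Consul's own upstream queries to 127.0.0.1:53 straight back to port 8600 instead of to a resolver. Also "consul domain" and "consul server" should be capitalised as "Consul", consistent with the rest of the page.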
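Review bot: Patch 4/4 ("Added an and") changes a single word in the paragraph that patch 3/4 introduced; suggest squashing it into patch 3/4 so the series lands with one commit per logical change, and using that squash to also fix "TDL" in the unchanged context line just above this hunk.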