Consul: DNS Lookup in Consul Server version 0.8x

Created on 8 May 2017 · 5 comments · Source: hashicorp/consul

Hi, I am upgrading Consul from version 0.7 to 0.8.1. Before, I could query consul.service.consul via DNS on a Consul server configured with ACLs. But after the update to version 0.8, DNS lookup on the Consul server requires permission.

2017/05/08 00:14:13 [DEBUG] dns: request for {consul.service.consul.spvn.local. 28 1} (udp) (999.8µs) from client 127.0.0.1:52261 (udp)
2017/05/08 00:14:13 [DEBUG] consul: dropping node "agent-124" from result due to ACLs
2017/05/08 00:14:13 [DEBUG] consul: dropping node "agent-248" from result due to ACLs
nslookup consul.service.consul 127.0.0.1
localhost can't find consul.service.consul: Non-existent domain

But after I disable ACLs, I get a result from DNS:

nslookup consul.service.consul 127.0.0.1
Server:  localhost
Address:  127.0.0.1

Name:    consul.service.consul
Address:  10.70.70.248

Release note: Fixed an issue where the service name consul was not subject to service ACL policies with version 8 ACLs enabled

Please tell me how to resolve it.


All 5 comments

Hi @huyjack178, the new node policy is filtering these; you'll want to give your anonymous token "read" access: https://www.consul.io/docs/guides/acl.html#node-rules.

I tagged this docs so we remember to add an example for DNS - that needs its own section in the ACL guide.

@slackpad But according to the release note, consul.service.consul cannot be queried via DNS anymore, can it?

@huyjack178 it can if you also give "read" access to the anonymous token for the "consul" service. There's just no special exception for the "consul" service any more.

# Legacy (Consul 0.8) ACL API: set the anonymous token's rules so DNS clients can
# read nodes and the "consul" service. Replace <management token> and the host.
$ curl \
    --request PUT \
    --data \
'{
  "ID": "anonymous",
  "Type": "client",
  "Rules": "node \"\" { policy = \"read\" } service \"consul\" { policy = \"read\" }"
}' "https://consul.rocks/v1/acl/create?token=<management token>"
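As an added illustration of the two checks described in the answer above (not code from this thread or from Consul itself): a small Python model of how Consul 0.8 legacy ACL rules gate a service DNS answer, plus a filter that pulls the "dropping node ... due to ACLs" lines out of a server debug log so an NXDOMAIN can be traced to ACL filtering rather than a missing service. It assumes acl_default_policy = deny and longest-prefix rule matching; the rule strings and log lines are constructed from the ones posted in this issue.

```python
import re

# Constructed sample: the DEBUG lines a Consul 0.8 server logs when ACLs filter
# every node backing a service out of a DNS answer (the client then sees NXDOMAIN).
SAMPLE_LOG = """\
2017/05/08 00:14:13 [DEBUG] dns: request for {consul.service.consul.spvn.local. 28 1} (udp) (999.8µs) from client 127.0.0.1:52261 (udp)
2017/05/08 00:14:13 [DEBUG] consul: dropping node "agent-124" from result due to ACLs
2017/05/08 00:14:13 [DEBUG] consul: dropping node "agent-248" from result due to ACLs
"""

DROP_RE = re.compile(r'consul: dropping node "([^"]+)" from result due to ACLs')
# Legacy (ACL v1) one-line rule syntax as used in the curl payload above.
RULE_RE = re.compile(r'(node|service)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')


def acl_dropped_nodes(log_text):
    """Node names removed from a DNS/catalog answer by ACL filtering."""
    return DROP_RE.findall(log_text)


def parse_legacy_rules(rules):
    """Return (kind, name_prefix, policy) tuples from a legacy rules string."""
    return RULE_RE.findall(rules)


def _policy(parsed, kind, name):
    # Longest matching prefix wins; no match falls back to the assumed
    # acl_default_policy of "deny".
    best = None
    for k, prefix, policy in parsed:
        if k == kind and name.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, policy)
    return best[1] if best else "deny"


def rules_allow_service_dns(rules, service, node):
    """A DNS answer for <service> needs node read on <node> AND service read."""
    parsed = parse_legacy_rules(rules)
    return (_policy(parsed, "node", node) in ("read", "write")
            and _policy(parsed, "service", service) in ("read", "write"))


# Node read alone is what filtered consul.service.consul after the 0.8 change.
BROKEN_RULES = 'node "" { policy = "read" }'
# The rules from the answer above: node read plus read on the "consul" service.
FIXED_RULES = 'node "" { policy = "read" } service "consul" { policy = "read" }'
```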

@slackpad thank you, it works :D

Details about this are included in the Consul ACL Learn docs: https://learn.hashicorp.com/consul/security-networking/production-acls#token-for-dns
