Access consul DNS from outside consul (dnsmasq) with default ACL policy deny

I would like to use the FQDN of the consul nodes for various services unrelated to consul. A random example is when initialising kubernetes and connecting to the etcd cluster, which I’d like to do using the DNS names instead of the IPs.

I guess the point is that whatever software is connecting to Consul is supposed to understand how Consul works. In my case it all (or most of it) comes down to dnsmasq, which redirects requests for company.internal to the consul internal DNS service (on port 8600).

So what I’m looking for is a suggestion of how I can achieve reaching these nodes using the FQDN (node-name.node.domain) or what are the ‘usual’ setups for that. I guess I don’t have the right overview.

We created a “dns-lookup” policy in Consul and attached it to the anonymous token.

dns-policy.hcl:

node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}

consul acl policy create -name dns-lookup -rules @dns-policy.hcl
consul acl token update -id anonymous -policy-name=dns-lookup

You should now be able to make anonymous dns queries.


There must be something I’m missing, it still doesn’t work, except for the node itself (dig A omni-consul-0.node.comp.internal @127.0.0.1 -p 8600) where I’m running the query (weirdly enough), but this works independently of the anonymous policy.

So I’ve done the following on “omni-consul-0”:

root@omni-consul-0:~# consul acl policy create -name dns-lookup -rules @node-dns.hcl
ID:           d1928b24-f316-bf80-c7ad-fce4311077fc
Name:         dns-lookup
Description:
Datacenters:
Rules:
node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "read"
}

and then:

root@omni-consul-0:~# consul acl token update -id anonymous -policy-name=dns-lookup
Use the -accessor-id parameter to specify token by Accessor ID
AccessorID:       00000000-0000-0000-0000-000000000002
SecretID:         anonymous
Description:      Anonymous Token
Local:            false
Create Time:      2023-03-11 00:45:04.511621809 +0000 UTC
Policies:
   d1928b24-f316-bf80-c7ad-fce4311077fc - dns-lookup

Running dig directly on port 8600 for a different node than “omni-consul-0” still returns nothing.

root@omni-consul-0:~# dig A omni-consul-1.node.comp.internal @127.0.0.1 -p 8600 +short
root@omni-consul-0:~# 

The second I change ‘deny’ to ‘allow’ (it’s enough to do it only on the server node I’m running the query on, even if there are 3 server nodes in total), dig works:

root@omni-consul-0:~# dig A omni-consul-1.node.comp.internal @127.0.0.1 -p 8600 +short
10.88.88.216

Any ideas as to what I might be doing wrong?

Ok, I’ve eventually figured it out also with the help of this thread: DNS Lookups on consul.service.consul when ACL set to deny? - #2 by telefax

What I was doing wrong was that I had a default token configured in the consul configuration file:

acl = {
        enabled = true
        default_policy = "deny"
        enable_token_persistence = true
        down_policy = "extend-cache"
        tokens = {
                default = "bd320011-d490-c54b-c3f9-bc01736d98d6"
                agent = "bd320011-d490-c54b-c3f9-bc01736d98d6"
        }
}

When commenting this out, it started working.
Thanks for the tip! :)

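The root cause in this thread, as an added example that is not part of any post: DNS lookups carry no token, so the agent authorizes them with `acl.tokens.default` when one is set and only falls back to the anonymous token otherwise. This Python check reports which token DNS will use and flags the reuse of one secret for both `default` and `agent` seen in the posted config; the function names and sample config are constructed for illustration, and the parser assumes the simple quoted-assignment layout shown in the thread.

```python
import re

# Constructed sample shaped like the acl block in the thread; the UUID is a placeholder.
SAMPLE = '''
acl = {
        enabled = true
        default_policy = "deny"
        tokens = {
                default = "00000000-1111-2222-3333-444444444444"
                agent = "00000000-1111-2222-3333-444444444444"
        }
}
'''

def _active(text):
    """Drop whole-line # and // comments so commented-out settings are ignored."""
    return "\n".join(l for l in text.splitlines() if not re.match(r"\s*(#|//)", l))

def _get(text, key):
    """Value of a quoted `key = "value"` assignment, or None."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(key), text, re.M)
    return m.group(1) if m else None

def _tokens(text):
    """Body of the tokens { ... } block (empty string if absent)."""
    m = re.search(r"\btokens\s*=?\s*\{([^}]*)\}", text)
    return m.group(1) if m else ""

def dns_token_source(config_text):
    """DNS queries carry no token: the agent uses tokens.default, else anonymous."""
    default = _get(_tokens(_active(config_text)), "default")
    return "acl.tokens.default" if default else "anonymous"

def lint(config_text):
    """Return findings that explain DNS lookups failing under default_policy = deny."""
    text = _active(config_text)
    tokens, findings = _tokens(text), []
    if _get(text, "default_policy") == "deny" and dns_token_source(config_text) != "anonymous":
        findings.append("dns-uses-default-token: policies attached to the anonymous "
                        "token do not apply; grant node/service read to the default "
                        "token or unset it")
    if _get(tokens, "default") and _get(tokens, "default") == _get(tokens, "agent"):
        findings.append("default-equals-agent: token-less requests (DNS included) "
                        "run with the agent token's privileges")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

This only inspects the static configuration file; a default token set at runtime with `consul acl set-agent-token default` is not visible to it.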