As defined in the documentation …
Consul's DNS interface is also affected by restrictions on node rules. If the acl.token.default used by the agent does not have "read" access to a given node, then the DNS interface will return no records when queried for it.
So I changed this parameter on my Consul cluster, with the appropriate policy.
It is working correctly for DNS.
However, the UI is open in read-only mode. Is it possible to restrict the usage of the UI by ACL but keep the DNS working?
When I changed the ACL policies, the web UI was asking for a token but the DNS didn’t work anymore.