Consul DNS forwarding doesn't work

Are you planning to support Consul DNS forwarding in HashiCorp products?
Spent so much time setting this up, but it just doesn’t work in a single product.
Example with Vault

➜  ~ vault login
Token (will be hidden):
Error authenticating: error looking up token: Get "http://vault.service.consul:8200/v1/auth/token/lookup-self": dial tcp: lookup vault.service.consul on 8.8.8.8:53: no such host

➜  ~ curl http://vault.service.consul:8200
<a href="/ui/">Temporary Redirect</a>.

There’s been an open issue for more than a year.

Also, the tutorial causes confusion by showing an example with Consul DNS.

Your post is rather confusing. You are complaining about “Consul DNS forwarding”, and then you show an error message that shows you asking Google’s public DNS server about your internal infrastructure. Of course Google’s public DNS doesn’t know about your internal Consul.

There is a small hint as to what you might actually want, in that the issue you link to comprehensively discusses a somewhat related problem - and that issue has recent discussion, including an estimated fix timeline.

If you can further explain what information you are looking for beyond what’s already in the issue, and what network and DNS environment you are operating in, people on this forum might be able to help, but from what you have said so far, it’s difficult to do anything more than point to the issue.

I configured Consul DNS Forwarding, and I can make requests to address “vault.consul.service” via curl (as shown above) and via browser.
If I set VAULT_ADDR=http://vault.service.consul:8200 it throws an error about Google DNS. But it is expected to work like curl or web browser.

Am I misunderstanding how it has to work?

How did you configure “Consul DNS Forwarding”? A quick Google does not show any official page in the top hits that defines that term in detail, so I assume you mean it as some general description of a setup you designed.

That page provides six different sets of instructions for different DNS servers… Care to clarify which applies to you?

Oh, I’m sorry. I use macOS, so I used the instructions for macOS.

➜  ~ cat /etc/resolver/consul
nameserver 10.27.96.3
port 8600

Right - and the meaning of the issue that you linked to is that due to the compilation options currently used to compile Vault, it is not capable of making use of that configuration style.

But, as you can see, there is optimism in the issue that Vault 1.13.1 may deliver a fix.

1 Like

Read the issue one more time, sorry for wasting your time and thanks for support!

Just curious, if I set public DNS address without VPN, would it work?

Bearing in mind that I’ve never actually worked with OS X, and am just extrapolating from Linux behaviours here, what I think is happening is just that the parts of the Go standard library built into Vault are reading /etc/resolv.conf and sending DNS queries directly to whatever nameserver is listed there.

So the only way that’s going to work is if that nameserver is Consul, or is itself set up to forward the .consul domain.

However… it looks like Go 1.20 has substantially re-engineered how it does DNS on OS X to fix the issue. Therefore, I think your best short term option is to just compile Vault 1.12.3 with Go 1.20, which I think should then just work - or if you can wait a few weeks, I think Vault 1.13 should be out, built with Go 1.20 for the official builds.

2 Likes
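As an added illustration of the explanation above (this is not code from the thread, from Vault, or from Consul), here is a small Go program that does the two things Go's built-in resolver does not do by itself: it parses the macOS /etc/resolver/<domain> format the poster used, and it builds a net.Resolver that sends its queries straight to that nameserver:port instead of to whatever /etc/resolv.conf lists. The names ResolverConfig, ParseResolverFile and NewConsulResolver are my own, and the 10.27.96.3 / 8600 sample is constructed from the poster's file.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
)

type ResolverConfig struct{ Nameserver, Port string }

// ParseResolverFile reads the nameserver/port lines of a macOS /etc/resolver/<domain>
// file. Go's built-in resolver never reads these files, only /etc/resolv.conf.
func ParseResolverFile(contents string) (ResolverConfig, error) {
	var cfg ResolverConfig
	for _, line := range strings.Split(contents, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0][0] == '#' || f[0][0] == ';' {
			continue // blank line, comment, or keyword without a value
		}
		switch f[0] {
		case "nameserver":
			cfg.Nameserver = f[1]
		case "port":
			cfg.Port = f[1]
		}
	}
	if cfg.Nameserver == "" {
		return cfg, fmt.Errorf("no nameserver line found")
	}
	if cfg.Port == "" {
		cfg.Port = "53" // macOS default when the port keyword is absent
	}
	return cfg, nil
}

// NewConsulResolver sends every query to nameserver:port from the file, bypassing /etc/resolv.conf.
func NewConsulResolver(cfg ResolverConfig) *net.Resolver {
	addr := net.JoinHostPort(cfg.Nameserver, cfg.Port)
	return &net.Resolver{PreferGo: true, Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, network, addr)
	}}
}

func main() {
	cfg, _ := ParseResolverFile("nameserver 10.27.96.3\nport 8600\n") // constructed sample from the thread
	addrs, err := NewConsulResolver(cfg).LookupHost(context.Background(), "vault.service.consul")
	fmt.Println(cfg, addrs, err) // errors offline; answers only when that Consul DNS endpoint is reachable
}
```

The lookup in main only succeeds on a machine that can reach the Consul DNS endpoint; the parser and resolver construction work anywhere.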

Thanks for the support!