Hello all:
I am troubleshooting a DNS lookup against Consul services, specifically for Vault.
My environment:
Consul v1.20.0
Vault 1.18.0
I have a three-node cluster of Nomad, Consul, and Vault. I also forward .consul on my internal DNS servers to the respective Consul endpoints.
My Vault is currently unsealed.
I have noticed that if I perform a DNS query against vault.my-fqdn, I get an NXDOMAIN response.
If I query the Consul server directly, I see that vault.service.consul’s results differ from nomad.service.consul or consul.service.consul:
dig @192.168.2.10 -p 8600 vault.service.consul
; <<>> DiG 9.10.6 <<>> @192.168.2.10 -p 8600 vault.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50250
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vault.service.consul. IN A
;; ANSWER SECTION:
vault.service.consul. 0 IN CNAME hostname01.
;; Query time: 39 msec
;; SERVER: 192.168.2.10#8600(192.168.2.10)
;; WHEN: Thu Nov 14 11:55:56 EST 2024
;; MSG SIZE rcvd: 83
dig @192.168.2.10 -p 8600 consul.service.consul
; <<>> DiG 9.10.6 <<>> @192.168.2.10 -p 8600 consul.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4796
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul. IN A
;; ANSWER SECTION:
consul.service.consul. 0 IN A 192.168.11.aa
consul.service.consul. 0 IN A 192.168.11.ab
consul.service.consul. 0 IN A 192.168.11.ac
;; Query time: 41 msec
;; SERVER: 192.168.2.10#8600(192.168.2.10)
;; WHEN: Thu Nov 14 11:57:40 EST 2024
;; MSG SIZE rcvd: 98
Shouldn’t the vault.service.consul query return three results for each node in the cluster?
Is this normal for queries against vault.service.consul?
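An added check (not from the original post) that parses dig output like the two answers above and separates the two patterns: a service answering with A records versus one answering with a CNAME whose target is a single-label hostname, which a resolver outside the Consul node cannot chase and so reports NXDOMAIN. Consul returns a CNAME when a service was registered with a hostname instead of an IP address; the dig text and the IPs in the samples are constructed.

```python
import re

# Constructed dig output, modelled on the two answers quoted in the post.
DIG_VAULT = """\
;; QUESTION SECTION:
;vault.service.consul.\t\tIN\tA

;; ANSWER SECTION:
vault.service.consul.\t0\tIN\tCNAME\thostname01.
"""

DIG_CONSUL = """\
;; QUESTION SECTION:
;consul.service.consul.\t\tIN\tA

;; ANSWER SECTION:
consul.service.consul.\t0\tIN\tA\t192.168.11.11
consul.service.consul.\t0\tIN\tA\t192.168.11.12
consul.service.consul.\t0\tIN\tA\t192.168.11.13
"""

# name  ttl  IN  type  rdata
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME|SRV)\s+(.+?)\s*$")


def parse_answers(dig_output):
    """Return (name, ttl, rrtype, rdata) tuples from dig's ANSWER SECTION."""
    rrs, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break  # end of the answer section
            m = RR.match(line)
            if m:
                rrs.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rrs


def assess(dig_output):
    """Classify a Consul DNS answer and list anything a resolver would choke on."""
    rrs = parse_answers(dig_output)
    addresses = [r[3] for r in rrs if r[2] in ("A", "AAAA")]
    cnames = [r[3] for r in rrs if r[2] == "CNAME"]
    findings = []
    if not rrs:
        findings.append("empty answer: no passing instance registered under that name")
    for target in cnames:
        if len([lbl for lbl in target.rstrip(".").split(".") if lbl]) == 1:
            findings.append(f"CNAME to single-label hostname {target!r}: "
                            "unresolvable outside the node, expect NXDOMAIN")
    return {"addresses": addresses, "cnames": cnames, "findings": findings}
```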