DNS Lookups on consul.service.consul when ACL set to deny?

I have setup a 3 node consul cluster with ACL set to deny.
Now I’m trying to figure out how to allow me to do (anonymous) DNS lookups on the whole consul cluster to get a list of A records with all available nodes.

For instance these…

consul acl policy create -name 'service-consul-read' -rules 'service "consul" { policy = "read" }'

consul acl token update -id 00000000-0000-0000-0000-000000000002 --merge-policies -description "Anonymous Token - Can List Nodes" -policy-name service-consul-read

consul acl policy create -name 'list-all-nodes' -rules 'node_prefix "" { policy = "read" }'

consul acl token update -id 00000000-0000-0000-0000-000000000002 -policy-name list-all-nodes -description "Anonymous Token - Can List Nodes"

Allow me to do lookups on all nodes individually:

dig consul-server01.node.dc01.consul +short
dig consul-server02.node.dc01.consul +short
dig consul-server03.node.dc01.consul +short

When querying for all available nodes at once, I’m just getting NXDOMAIN:

dig consul.service.consul

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> consul.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46761
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;consul.service.consul. IN A

consul. 0 IN SOA ns.consul. hostmaster.consul. 1579877061 3600 600 86400 0

What did I miss from the configuration?
Works fine when ACL is set to allow.

Thanks! :slight_smile:

Also, when I go to the UI and use the anonymous token, then go to the Service page and click on “consul”, I’m getting:

404 (Not found)

“Consul returned an error. You may have visited a URL that is loading an unknown resource, so you can try going back to the root or try re-submitting your ACL Token/SecretID by going back to ACLs.
Try looking in our documentation

So something-something ACL is in play here…

Is your token configured as the default token for the agent?
From the docs:
“Consul’s DNS interface is affected by restrictions on service rules. If the acl.tokens.default used by the agent does not have “read” access to a given service, then the DNS interface will return no records when queried for it.”

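What the answer describes, written out as an added example that is not part of the thread: the DNS interface is evaluated with the agent's `acl.tokens.default` token, so that token (not the anonymous token) must carry read access to the `consul` service and to the nodes. The file paths and the token secret are placeholders; the rules are the ones from the question.

```hcl
# Added example, not from the thread. Two files shown in one listing,
# separated by comment headers. Paths and the token secret are placeholders.

# ---- /etc/consul.d/acl.hcl (hypothetical path), on every agent ----
acl {
  enabled        = true
  default_policy = "deny"
  tokens {
    # DNS queries are authorized with this token, not with the anonymous
    # token, so it must hold the read rules defined in dns-read.hcl below.
    default = "<SecretID of a token created from the dns-read policy>"
  }
}

# ---- dns-read.hcl: rules for the policy attached to that token ----
# Lets dig consul.service.consul return the A records of the servers.
service "consul" {
  policy = "read"
}

# Lets <name>.node.dc01.consul lookups resolve for every node.
node_prefix "" {
  policy = "read"
}
```

Create the policy with `consul acl policy create -name dns-read -rules @dns-read.hcl`, mint a token with `consul acl token create -policy-name dns-read`, and put its SecretID into `acl.tokens.default` (or set it at runtime with `consul acl set-agent-token default <SecretID>`). Keep this token limited to read rules: it is used on behalf of every unauthenticated DNS client, so anything else granted to it is effectively granted anonymously.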

Thanks, you are the king! :smile:
I redid some ACL rules and simplified it and made sure I used that default token as well, and it seems that it did the trick! :slight_smile:
