Empty answer section in dns query

I’m trying to make DNS requests to registered services, but I can’t get an ANSWER section.

consul --version
Consul v1.16.0

I also added policies for the ACL token.

  node_prefix "" {
     policy = "read"
  }
  service_prefix "" {
     policy = "read"
  }

domain = "consul"
"node_name" = "consul"
"server"    = true
"bootstrap" = true
ui_config {
  enabled = true
}

"datacenter"         = "dc1"
"data_dir"           = "/var/consul"
"log_level"          = "INFO"
"enable_syslog"      = true

"rejoin_after_leave" = true
"leave_on_terminate" = true

bind_addr      = "0.0.0.0"
advertise_addr = "192.168.10.232"
client_addr    = "0.0.0.0"

addresses = {
  dns   = "127.0.0.1"
  https = "0.0.0.0"
  grpc  = "127.0.0.1"
  http  = "127.0.0.1"
}

ports {
  http  = -1
  https = 8501
  grpc_tls  = 8503
}

connect {
  enabled = true
}

encrypt = "bItnz/JIpoKLasZTOZWSFQRo+4f1nwUGdoVwLLMTumw="

tls {
  defaults {
    verify_incoming        = false
    verify_outgoing        = true
    ca_file                = "/etc/consul_certs/consul-ca.pem"
    cert_file              = "/etc/consul_certs/consul.pem"
    key_file               = "/etc/consul_certs/consul-key.pem"
  }
  internal_rpc {
    verify_server_hostname = true
  }
}

auto_encrypt {
  allow_tls = true
}

acl = {
  enabled                  = true
  default_policy           = "deny"
  #enable_token_persistence = true
  down_policy              = "extend-cache"

  tokens {
    agent = "56c7x0a9-0x22-e1f4-1fxa-40ez2b6e1153"
  }
}

limits {
  http_max_conns_per_client = 2000
}

Node    Address              Status  Type    Build   Protocol  DC   Partition  Segment
consul  192.168.95.111:8301  alive   server  1.16.0  2         dc1  default    <all>

consul catalog services
consul
vault
fs
lb

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -p 8600 consul.service.consul.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10195
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul.         IN      A

;; AUTHORITY SECTION:
consul.                 0       IN      SOA     ns.consul. hostmaster.consul. 1701966051 3600 600 86400 0

dig @127.0.0.1 -p 8600 lb.service.dc1.consul.

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -p 8600 lb.service.dc1.consul.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21314
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lb.service.dc1.consul.         IN      A

;; AUTHORITY SECTION:
consul.                 0       IN      SOA     ns.consul. hostmaster.consul. 1701966199 3600 600 86400 0

consul catalog nodes
Node    ID        Address         DC
consul  e210fc56  192.168.95.111  dc1


dig @127.0.0.1 -p 8600 consul.node.dc1.consul.

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -p 8600 consul.node.dc1.consul.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56590
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.node.dc1.consul.                IN      A

;; AUTHORITY SECTION:
consul.                 0       IN      SOA     ns.consul. hostmaster.consul. 1701966482 3600 600 86400 0

What did I do wrong?

On Consul 1.16, Consul agents use their configured acl.tokens.default token [docs] to respond to DNS queries. You created a token with the necessary permissions for DNS, but set it for acl.tokens.agent instead.

Additionally, you’ll need to set acl.tokens.agent to a token with node:write permissions on that node’s name. For more info on this, refer to “Create an agent token”.

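As an added illustration of the fix the answer above describes (this is example configuration written for this page, not config from the original post or from HashiCorp): the single policy from the question is split into a read-only policy for the token that answers DNS, set on acl.tokens.default, and a node-scoped write policy for the agent's own token, set on acl.tokens.agent. The policy names and both token values are placeholders; the node name "consul" is the one from the question's config.

```hcl
# --- policy "dns-read" (hypothetical name), attached to acl.tokens.default ---
# The agent answers DNS with this token, so it needs node:read and
# service:read on everything that should resolve via
# <name>.service.consul and <name>.node.consul. Read-only on purpose:
# every DNS client effectively acts with this token's permissions.
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}

# --- policy "agent-consul" (hypothetical name), attached to acl.tokens.agent ---
# The agent registers and updates its own catalog entry, which requires
# node:write on its own node name ("consul" in the question's config).
# It does not need write access to other nodes.
node "consul" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}

# --- corrected acl stanza of the agent config ---
acl = {
  enabled        = true
  default_policy = "deny"
  down_policy    = "extend-cache"

  tokens {
    # Token created from the "dns-read" policy: used for DNS queries and
    # for HTTP requests that carry no token of their own.
    default = "<DNS_READ_TOKEN_PLACEHOLDER>"
    # Token created from the "agent-consul" policy: used by the agent itself.
    agent = "<AGENT_TOKEN_PLACEHOLDER>"
  }
}
```

After reloading the agent, the same `dig @127.0.0.1 -p 8600 lb.service.dc1.consul.` query from the question should return `status: NOERROR` with a populated ANSWER section instead of NXDOMAIN. Keep the default token limited to read permissions: because it backs every unauthenticated DNS and HTTP request, anything granted to it is granted to every client that can reach port 8600.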