Services and nodes do not resolve in DNS queries

I have been working on registering new services in Consul for the purpose of DNS lookup in our existing consul cluster, but I am having some issues. I am able to query for nodes and I get a valid response, but querying for registered services does not return an A record. I decided to create a new temporary three server node cluster for testing and I have a fourth node that is a client. All nodes show up as healthy. If I connect to one of the server nodes in the new cluster and run ‘dig @127.0.0.1 -p 8600 v1-qa04.node.us-east-1-qa.consul’ I get a reply, but no answer section.


I have also registered a service that also shows up with a healthy node check (no service check defined) but I also fail to get a valid response to my DNS query for testservice.service.us-east-1-qa.consul. One thing I should note is that all of the nodes in the new test cluster are using the same master token to hopefully eliminate any ACL issues.
I’m not sure what to look for or try next here. Any ideas would be appreciated.

Hi @lewisgaines,

One thing I should note is that all of the nodes in the new test cluster are using the same master token to hopefully eliminate any ACL issues.
I’m not sure what to look for or try next here. Any ideas would be appreciated.

Are you setting this as the default token on each of the agents? This token will be used for requests against the DNS interface, or when a token is not provided in an HTTP request.

If default is not defined, then the anonymous token will be used when querying servers. You can alternatively check whether that token has the correct permissions to lookup nodes and services within the environment.

Here’s an example of how you can verify those permissions.

❯ consul acl token read -id=00000000-0000-0000-0000-000000000002
AccessorID:       00000000-0000-0000-0000-000000000002
SecretID:         anonymous
Description:
Local:            false
Create Time:      2020-05-13 01:12:38.623377425 +0000 UTC
Policies:
   07182345-38ad-54af-3195-1b33c9ebcff5 - anonymous-token-policy

❯ consul acl policy read -name=anonymous-token-policy
ID:           07182345-38ad-54af-3195-1b33c9ebcff5
Name:         anonymous-token-policy
Description:  Anonymous token Policy
Datacenters:
Rules:

  node_prefix "" {
     policy = "read"
  }
  service_prefix "" {
     policy = "read"
  }