Skip to content
/ consul-dns Public

[WIP] Authoritative DNS server that plug into consul

License

MIT license
5 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ennetech/consul-dns

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
cmd/consul-dns
cmd/consul-dns
 
 
docs
docs
 
 
pkg
pkg
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

consul-dns

Authoritative DNS server that plug into consul

DNS shouldn't be hard, as a former sysadmin i like the convenience of RFC1035 zone files (eg.: the ones bind9 uses), so the base idea is use the standards that are already in place.

Go is the choosen language, principally for this fantastic dns libray

In addition, supporting RFC2136+RFC2845 make the the system pluggable to terraform or old school nsupdate

NOTE: I am still new to go and i need some time to figure some things out.

Usage

  1. Install default policy for anonymous token on consul ACL (to allow dns queries)
node "" {
  policy = "read"
}

service "" {
  policy = "read"
}

  1. Clone the repo in you gopath

  2. Install dependencies

go get ./...
  1. Build the binary
go build cmd/consul-dns/main.go
  1. Run ./consul-dns -c config.json

Example config:

{
  "ConsulConfig": {
    "AuthToken": "anonymous",
    "HttpAddress": "http://127.0.0.1:8500",
    "DnsAddress": "127.0.0.1:8600"
  },
  "SystemConfig": {
    "DnsPort": "53",
    "HttpPort": "4367",
    "TsigKey": ""
  }
}

You can also use env variables.

  1. Add your bind zone files under a "dns" folder in consul KV, remember to name the sub-keys in fqdn format (eg.: with the dot at the end)

Docker

docker run -p 53:53/tcp -p 53:53/udp \
            -p 4367:4367 \
            -e CONSUL_HTTP_TOKEN=anonymous \
            -e CONSUL_HTTP_ADDR=http://127.0.0.1:8500 \
            -e CONSUL_DNS_ADDR=127.0.0.1:8600 \
            -e CONSULDNS_DNS_PORT=53 \
            -e CONSULDNS_HTTP_PORT=4367 \
            -e CONSULDNS_TSIG_KEY="my-tsig-key" \
            ennetech/consul-dns

Modules description

QUERY (3 scenarios)

  1. The tld is .consul

    The request is proxied as-is to the DNS interface of consul

  2. The request contains .node. or .service.

    The request is masquerated as .consul TLD, sent to consul DNS interface and the responses are converted to original TLD

  3. The requested zone (or a higher one) is present in the K/V The zone is parsed and if a matching record is found (or a wildcard) it's returned in the resposes (CNAME also resolves the associated A record to the google servers)

UPDATE

  1. If the domain has a tsig keys, verify it
  2. Update the zone accordingly

Feature list

Name Status Module
Query masquerading alpha,untested QUERY
RFC1035 zone parsing from consul K/V alpha,untested QUERY
RFC2136 zone update alpha,untested UPDATE
RFC2845 tsig verification alpha,untested UPDATE
DDNS like update todo REST
TSIG key generation alpha,untested REST
query caching todo --
zone formatter todo --
phrometeus metrics todo --

Visual rappresentation

consul-dns diagram

About

[WIP] Authoritative DNS server that plug into consul

Resources

Readme

License

MIT license
Activity

Stars

5 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages