Using Consul DNS behind OpnSense (Unbound) with PowerDNS

Hey folks!

Currently working on getting myself a home lab setup with HashiCorp’s Consul, Nomad and Vault. Looking to make Consul’s DNS become integrated into my existing network without having to modify all my clients to be aware of things.

My Setup

My network looks a little like this:

  • OpnSense running Unbound
    • Unbound has the following entries for upstream DNS:

The is an instance with the following running:

  • PowerDNS recursor - Port 53
  • PowerDNS Authoritative - Port 8053
  • Consul agent with DNS available on port 8600

Why PowerDNS

I’m looking at using PowerDNS because it allows me to control DNS entries with Terraform, which I’ll combine with deploying Nomad jobs to make apps accessible over pretty URLs (ie net) inside my home network.

Still Learning

I’m not saying this is what I’ve found to be the best way to do this, I’m sure there are different ways of handling this, I’m open to suggestions so long as managing the DNS records is still possible via Terraform.

My Desired Results

If I run the following:

dig ANY

This would be calling Unbound

I’d expect to see both a CNAME and an A record. Like so:

;; ANSWER SECTION:    303     IN      CNAME 0 IN    A

CNAME is coming from PowerDNS and the A record is coming from Consul resolving the CNAME.

What’s Currently Happening

When I do:

dig ANY

I’m only getting the CNAME record.

;; ANSWER SECTION:    303     IN      CNAME

However, if I query directly:

dig @ ANY


;; ANSWER SECTION:    303     IN      CNAME 0 IN    A

Then I do get both the CNAME and A record as expected.


So, I feel like Unbound is either stripping something out or filtering it. I did see at one point in the logs that the domain was recognized as a public domain but resolved to an internal address, so it was filtering it out. So I’ve added the following to the Unbound config and that seems to have cleared up those messages, but I'm still not getting all the records:

private-domain: my-consul-domain.consul

Would appreciate any insight y’all might have 🙂

Happy to fill in any details that I may have missed.


I figured it out! There was some weird conflict going on because I had the CloudFlare DNS configured after my internal DNS. Once I removed that, things began working as expected.
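For anyone landing on this thread later, here is a small model of the two things it turns on: the rebinding filter that left only the CNAME in the answer (fixed with `private-domain`), and the extra public upstream that the follow-up removed. It is an added example written for this thread, not code from Unbound, PowerDNS or Consul, and every zone name, address and record in it is constructed (`home.example`, `app.service.consul`, `10.0.0.20` and so on are placeholders). The `pick` argument stands in for which forwarder Unbound asks; Unbound spreads queries over all configured forwarders rather than trying them strictly in order, which is why a public resolver in the list shows up as intermittent NXDOMAIN for internal names.

```python
"""Toy model of an Unbound-like forwarder with rebinding protection, in front of
a recursor that serves an internal zone plus a Consul zone. Added illustration
only; all names, addresses and records are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 ranges that must not appear in answers for public names (what a
# private-address style rebinding filter would list).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str  # "CNAME" or "A"
    ttl: int
    rdata: str


def in_zone(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Upstream:
    """A recursor that answers for the zones it knows, chasing CNAMEs across them."""

    def __init__(self, label: str, zones: dict[str, list[RR]]):
        self.label = label
        self.zones = zones

    def query(self, qname: str) -> Optional[list[RR]]:
        """Return the answer section, or None for NXDOMAIN (no known zone matches)."""
        answer: list[RR] = []
        name = qname
        for _ in range(8):  # guard against CNAME loops
            zone = next((rrs for apex, rrs in self.zones.items() if in_zone(name, apex)), None)
            if zone is None:
                return answer or None
            rrs = [rr for rr in zone if rr.name == name]
            answer.extend(rrs)
            cname = next((rr for rr in rrs if rr.rtype == "CNAME"), None)
            if cname is None:
                return answer
            name = cname.rdata  # follow the CNAME into the next zone
        return answer


class Forwarder:
    """Stand-in for Unbound in forwarding mode with rebinding protection on."""

    def __init__(self, upstreams: list[Upstream], private_domains: tuple[str, ...] = ()):
        self.upstreams = upstreams
        self.private_domains = private_domains  # like Unbound's private-domain entries

    def resolve(self, qname: str, pick: int = 0) -> Optional[list[RR]]:
        """Forward to upstream number `pick` (hypothetical selector) and filter."""
        answer = self.upstreams[pick].query(qname)
        if answer is None:
            return None
        # Strip A records with private addresses unless the record's owner name
        # sits under a declared private domain; the CNAME itself survives.
        return [
            rr for rr in answer
            if not (rr.rtype == "A" and is_private(rr.rdata)
                    and not any(in_zone(rr.name, d) for d in self.private_domains))
        ]


def build_lab() -> tuple[Upstream, Upstream]:
    """Constructed data: the internal recursor and a public resolver."""
    recursor = Upstream("pdns-recursor", {
        "home.example": [RR("app.home.example", "CNAME", 303, "app.service.consul")],
        "consul": [RR("app.service.consul", "A", 0, "10.0.0.20")],
    })
    public = Upstream("public-resolver", {
        # A public name answering with a private address: the case the filter exists for.
        "rebind.example": [RR("rebind.example", "A", 60, "192.168.1.10")],
    })
    return recursor, public


def answer_types(fwd: Forwarder, qname: str, pick: int = 0) -> Optional[list[str]]:
    rrs = fwd.resolve(qname, pick)
    return None if rrs is None else [rr.rtype for rr in rrs]


if __name__ == "__main__":
    recursor, public = build_lab()
    print("no private-domain:", answer_types(Forwarder([recursor]), "app.home.example"))
    print("private-domain consul:", answer_types(Forwarder([recursor], ("consul",)), "app.home.example"))
    mixed = Forwarder([recursor, public], ("consul",))
    print("public upstream picked:", answer_types(mixed, "app.home.example", pick=1))
    print("rebind via public:", answer_types(mixed, "rebind.example", pick=1))
```

The first call reproduces the symptom from the question (CNAME only), the second shows what declaring the Consul domain private does, and the third shows the follow-up's problem: once a public resolver is one of the forwarders, internal names fail whenever it is the one asked. The last call is the reason not to simply turn the filter off: a public name pointing at a private address still gets its A record dropped.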