Using Consul DNS behind OpnSense (Unbound) with PowerDNS

Hey folks!

Currently working on getting myself a home lab setup with HashiCorp’s Consul, Nomad and Vault. Looking to make Consul’s DNS become integrated into my existing network without having to modify all my clients to be aware of things.

My Setup

My network looks a little like this:

  • OpnSense running Unbound
    • Unbound has the following entries for upstream DNS:
      • 192.168.3.2
      • 1.1.1.1

The 192.168.3.2 is an instance with the following running:

  • PowerDNS recursor - Port 53
  • PowerDNS Authoritative - Port 8053
  • Consul agent with DNS available on port 8600

Why PowerDNS

I’m looking at using PowerDNS because it allows me to control DNS entries with Terraform, which I’ll combine with deploying Nomad jobs to make apps accessible over pretty URLs (i.e. routes.my-domain.net) inside my home network.

Still Learning

I’m not saying this is what I’ve found to be the best way to do this; I’m sure there are different ways of handling this. I’m open to suggestions so long as managing the DNS records is still possible via Terraform.

My Desired Results

If I run the following:

dig my-service.my-domain.net ANY

This would be calling Unbound

I’d expect to see both a CNAME and an A record. Like so:

;; ANSWER SECTION:
routes.my-domain.net.    303     IN      CNAME   traefik.service.my-domain.consul.
traefik.service.my-domain.consul. 0 IN    A       192.168.x.xxx

CNAME is coming from PowerDNS and the A record is coming from Consul resolving the CNAME.

What’s Currently Happening

When I do:

dig my-service.my-domain.net ANY

I’m only getting the CNAME record.

;; ANSWER SECTION:
routes.my-domain.net.    303     IN      CNAME   traefik.service.my-domain.consul.

However, if I query 192.168.3.2 directly:

dig @192.168.3.2 my-service.my-domain.net ANY

Results:

;; ANSWER SECTION:
routes.my-domain.net.    303     IN      CNAME   traefik.service.my-domain.consul.
traefik.service.my-domain.consul. 0 IN    A       192.168.x.xxx

Then I do get both the CNAME and A record as expected.

Thoughts

So, I feel like Unbound is either stripping something out or filtering it. I did see at one point in the logs that the domain was recognized as a public domain but resolved to an internal address, so it was filtering it out. So I’ve added the following to the Unbound config, and that seems to have cleared up those messages, but I’m still not getting all the records:

server:
    private-domain: my-consul-domain.consul

Would appreciate any insight y’all might have 🙂

Happy to fill in any details that I may have missed.

1 Like

I figured it out! There was some weird conflict going on because I had the Cloudflare DNS configured after my internal DNS. Once I removed that, things began working as expected.

2 Likes
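For reference, an added example (not the poster's configuration) of how the two resolvers in this layout can be scoped so that internal names never reach the public upstream at all. Unbound's forward-addr entries are a pool chosen by round-trip time, not an ordered fallback list, so a public resolver listed alongside the lab resolver can answer (or refuse) queries for the internal domains unless those domains are pinned to 192.168.3.2 with their own forward-zone. Assumed: my-domain.net and my-domain.consul as the zone names, the ports listed in the post, and the pre-5.0 key=value recursor.conf format for PowerDNS.

```conf
# /etc/unbound/unbound.conf on OpnSense (added example, not from the post)
server:
    # Answers under these names legitimately contain RFC 1918 addresses;
    # without this, Unbound's rebind protection drops them and logs the
    # "public domain resolved to private address" message seen above.
    private-domain: "my-domain.net"
    private-domain: "my-domain.consul"
    # Only needed if DNSSEC validation is enabled: the lab zones are
    # unsigned, so tell the validator not to expect signatures for them.
    domain-insecure: "my-domain.net"
    domain-insecure: "my-domain.consul"

# Internal zones go to the lab resolver only, never to the public upstream,
# so lab hostnames are not leaked and a public NXDOMAIN cannot win the race.
forward-zone:
    name: "my-domain.net"
    forward-addr: 192.168.3.2
forward-zone:
    name: "my-domain.consul"
    forward-addr: 192.168.3.2

# Everything else goes to the public resolver.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1

# /etc/powerdns/recursor.conf on 192.168.3.2 (added example, not from the post)
# The Consul agent's DNS interface on 8600 is a resolver for its own domain,
# so it is forwarded with recursion desired; the PowerDNS authoritative
# server on 8053 is not a resolver, so it gets plain (non-recursive) forwards.
forward-zones-recurse=my-domain.consul=127.0.0.1:8600
forward-zones=my-domain.net=127.0.0.1:8053
local-address=192.168.3.2
local-port=53
```

With this split, the CNAME returned by the authoritative server is chased into the Consul zone by the recursor, and Unbound only ever sees 192.168.3.2 as the source for both halves of the answer.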