
I have installed Consul on AWS EC2.

I have 3 servers for Consul: 11.XX.XX.1, 11.XX.XX.2, 11.XX.XX.3.

I have 1 client for Consul: 11.XX.XX.4.

Below is the configuration file /etc/consul.d/server/config.json:

{
    "bootstrap": false,
    "server": true,
    "datacenter": "abc",
    "advertise_addr": "11.XX.XX.1",
    "data_dir": "/var/consul",
    "log_level": "INFO",
    "enable_syslog": true,
    "addresses": {
        "http": "0.0.0.0"
    },
    "start_join": ["11.XX.XX.2", "11.XX.XX.3"]
}

Below is the netstat output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8400          0.0.0.0:*               LISTEN      29720/consul    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1006/sshd       
tcp        0      0 127.0.0.1:8600          0.0.0.0:*               LISTEN      29720/consul    
tcp6       0      0 :::8301                 :::*                    LISTEN      29720/consul    
tcp6       0      0 :::8302                 :::*                    LISTEN      29720/consul    
tcp6       0      0 :::8500                 :::*                    LISTEN      29720/consul    
tcp6       0      0 :::22                   :::*                    LISTEN      1006/sshd       
tcp6       0      0 :::8300                 :::*                    LISTEN      29720/consul 

curl is working fine from the remote machine, but dig is only working on the local machine.

; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> @127.0.0.1 -p 8600 web.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40873
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;web.service.consul.        IN  A

;; ANSWER SECTION:
web.service.consul. 0   IN  A   11.XX.XX.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Fri Dec 30 08:21:41 UTC 2016
;; MSG SIZE  rcvd: 52

But from the remote machine dig is not working. Please help.

dig @11.XX.XX.1 -p 8600 web.service.consul

; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> @11.XX.XX.1 -p 8600 web.service.consul
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
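The netstat table above already explains the symptom: Consul's HTTP API (8500) is bound to the wildcard address, so curl works from another host, while the DNS port (8600) is bound only to 127.0.0.1. Two caveats worth remembering when reading such output: it lists TCP sockets only (dig uses UDP by default, so check `netstat -ulnp` as well, though Consul serves DNS on both), and on Linux a `tcp6 :::port` wildcard normally accepts IPv4 clients too. The following script is an added example, not part of the original question; it parses the question's listener table (copied in as sample input) and reports each Consul port's bind scope. The port-to-name map uses Consul's documented default port numbers purely as labels.

```python
"""Classify the listeners in `netstat -tlnp` output by bind scope.

Added example, not part of the original question. NETSTAT_SAMPLE is the
listener table copied from the question; the port-to-name map uses Consul's
documented default port assignments only as labels.
"""
import re

# Sample input (copied from the question; TCP listeners only).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8400          0.0.0.0:*               LISTEN      29720/consul
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1006/sshd
tcp        0      0 127.0.0.1:8600          0.0.0.0:*               LISTEN      29720/consul
tcp6       0      0 :::8301                 :::*                    LISTEN      29720/consul
tcp6       0      0 :::8302                 :::*                    LISTEN      29720/consul
tcp6       0      0 :::8500                 :::*                    LISTEN      29720/consul
tcp6       0      0 :::22                   :::*                    LISTEN      1006/sshd
tcp6       0      0 :::8300                 :::*                    LISTEN      29720/consul
"""

# Consul default ports, used only to label the report.
CONSUL_PORTS = {8300: "server RPC", 8301: "serf LAN", 8302: "serf WAN",
                8400: "CLI RPC", 8500: "HTTP API", 8600: "DNS"}

# proto, recv-q, send-q, local addr:port, foreign addr, state, pid/program
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_listeners(text):
    """Return (proto, bind_addr, port, program) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, prog = m.groups()
            listeners.append((proto, addr, int(port), prog.split("/", 1)[-1]))
    return listeners


def bind_scope(addr):
    """'local' = loopback only; 'any' = wildcard (a '::' wildcard on Linux
    normally accepts IPv4 clients as well); 'specific' = one interface address."""
    if addr in ("127.0.0.1", "::1"):
        return "local"
    if addr in ("0.0.0.0", "::"):
        return "any"
    return "specific"


def consul_exposure(text):
    """Map each Consul port label to its bind scope, so the remotely reachable
    listeners (HTTP API on 8500) and the loopback-only ones (DNS on 8600) stand out."""
    report = {}
    for _proto, addr, port, prog in parse_listeners(text):
        if prog == "consul":
            report[CONSUL_PORTS.get(port, str(port))] = bind_scope(addr)
    return report


if __name__ == "__main__":
    for name, scope in sorted(consul_exposure(NETSTAT_SAMPLE).items()):
        print(f"{name:10s} {scope}")
```

Run it against `netstat -tlnp` output from your own server; any Consul listener reported as `any` is reachable by every host the instance's security group admits, so the security group, not the bind address, is what limits exposure once DNS is moved off loopback.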

2 Answers

You can try this way:

  1. Check the nameservers on your client machine (for example: cat /etc/resolv.conf - it depends on your machine configuration).

  2. Change the Consul servers' configuration to:

    {
        "bootstrap": false,
        "server": true,
        "datacenter": "abc",
        "advertise_addr": "11.XX.XX.1",
        "data_dir": "/var/consul",
        "log_level": "INFO",
        "enable_syslog": true,
        "addresses": {
            "http": "0.0.0.0"
        },
        "start_join": ["11.XX.XX.2", "11.XX.XX.3"],
        "recursors": ["xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx"],
        "ports": {
            "dns": 53
        }
    }

where the recursors are the DNS server IPs from point 1.

  3. Reload or restart the Consul service on all Consul servers - now Consul is listening on port 53 as a DNS server.

  4. Change the nameservers on your client machine to the Consul servers' IPs. Make sure that your client machine uses the new addresses (you can just restart the client machine).

Now on the client machine you can use all domain names, including Consul's, for example: dig web.service.consul, dig google.com

For the same behavior on the Consul servers you have to change their nameservers to the Consul IPs too.
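One check a practitioner should make before relying on the configuration above: Consul's DNS listener binds to `addresses.dns` if set, otherwise to `client_addr`, and `client_addr` defaults to 127.0.0.1. Changing `ports.dns` alone therefore moves the listener from 127.0.0.1:8600 to 127.0.0.1:53, which is still unreachable from the client, exactly as the question's netstat output shows for 8600. Binding to the server's own private address rather than 0.0.0.0 keeps exposure to the intended interface, and the AWS security group should admit the DNS port only from the client hosts. The script below is an added example, not the answer's own code; it applies those documented defaults (`client_addr` 127.0.0.1, `ports.dns` 8600, `addresses.dns` override, `-1` disables the port) to the answer's JSON, which is embedded as constructed input with the placeholder recursor IPs from the answer.

```python
"""Work out where Consul's DNS listener will bind for a given agent config.

Added example, not the answer's own code. It applies documented Consul
defaults: `client_addr` defaults to 127.0.0.1, `ports.dns` defaults to 8600,
`addresses.dns` overrides `client_addr` for the DNS listener only, and a port
of -1 disables the listener. ANSWER_CONFIG is the answer's JSON, with the
placeholder recursor IPs given there.
"""
import json

ANSWER_CONFIG = json.loads("""
{
    "bootstrap": false,
    "server": true,
    "datacenter": "abc",
    "advertise_addr": "11.XX.XX.1",
    "data_dir": "/var/consul",
    "log_level": "INFO",
    "enable_syslog": true,
    "addresses": {"http": "0.0.0.0"},
    "start_join": ["11.XX.XX.2", "11.XX.XX.3"],
    "recursors": ["xxx.xxx.xxx.xxx", "xxx.xxx.xxx.xxx"],
    "ports": {"dns": 53}
}
""")

LOOPBACK = ("127.0.0.1", "::1")


def dns_listener(config):
    """Return (bind_addr, port) for the DNS server after applying the defaults."""
    addr = config.get("addresses", {}).get("dns") or config.get("client_addr", "127.0.0.1")
    port = config.get("ports", {}).get("dns", 8600)
    return addr, port


def dns_listener_issues(config):
    """Reasons a remote `dig @server -p <port>` would still get no answer."""
    addr, port = dns_listener(config)
    if port == -1:
        return ["DNS disabled (ports.dns = -1)"]
    issues = []
    if addr in LOOPBACK:
        issues.append("bound to loopback: set addresses.dns or client_addr to a "
                      "non-loopback address, then limit reach with the security group")
    if port < 1024:
        issues.append("privileged port: the agent needs root or CAP_NET_BIND_SERVICE to bind it")
    return issues


def with_dns_bind(config, bind_addr):
    """Copy of config with addresses.dns set; changing ports.dns alone (as the
    answer does) leaves the listener on the client_addr default, 127.0.0.1."""
    fixed = json.loads(json.dumps(config))
    fixed.setdefault("addresses", {})["dns"] = bind_addr
    return fixed


if __name__ == "__main__":
    variants = (("answer as given", ANSWER_CONFIG),
                ("answer + addresses.dns", with_dns_bind(ANSWER_CONFIG, "11.XX.XX.1")))
    for label, cfg in variants:
        print(label, dns_listener(cfg), dns_listener_issues(cfg) or "ok")
```

The privileged-port note applies to the answer's choice of port 53: the agent must run as root or be granted CAP_NET_BIND_SERVICE, so if it runs as an unprivileged service user the listener will fail to start on 53 even after the bind address is fixed.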

HBruijn
JeryVader
Alternatively, if you want to relieve load from the Consul servers for non-service lookups, you can install dnsmasq on the clients and direct only service domains to the Consul server, directing all other requests at your normal upstream server. – Adrian Feb 10 '17 at 20:33

I'm not a Consul specialist, but I understand you are using TCP port 8600. So could you confirm you have checked that port 8600 is open in your AWS security rules setup?

Is only Consul failing, or are other protocols failing as well, i.e. ssh?