
I have some servers in GCP which are using a private DNS server in a private DNS zone (they use Consul).

For resolving DNS I'm using systemd-resolved, and my resolv.conf is a soft link to /run/systemd/resolve/stub-resolv.conf. Its content is:

nameserver 127.0.0.53
options edns0
search c.guardicore-guardicore-mgmt.internal google.internal

So this means that all of the DNS requests are forwarded to the systemd-resolved daemon. This daemon's configuration looks like this (the output of systemd-resolve --status):

Global
     DNS Servers: 127.0.0.1 # (consul)
                  169.254.169.254  # (google's DNS)

What is happening is that when my services try to resolve a DNS record, they query systemd-resolved, which gets an answer from Google's DNS server, and then this answer gets cached in systemd-resolved. Google's DNS doesn't know this private DNS, so it returns an NXDOMAIN answer.

Is there a way to just bypass Google's DNS? I want the requests to just go through Consul.

I've tried to change the content of the resolv.conf file, but it kept being overwritten by the GCP agent.

Yuval Pruss

1 Answer


In order to test first: have you tried to eliminate the caching DNS, that is, comment out the Google DNS servers? That way, if the local DNS service doesn't know about the IP/name, it won't try to look for it outside that scope. You can also check your /etc/resolv.conf to show:

user@machine ~#: cat /etc/resolv.conf
order hosts bind

And then you can add things in your hosts file, so it will be checked first (as per resolv.conf settings) and bypass Google's DNS altogether.

user@machine ~#: cat /etc/hosts
127.0.0.1 localhost.localdomain localhost consul consul.local
::1 localhost6.localdomain6 localhost6
192.168.1.100 node0 node0.local
192.168.1.101 node1 node1.local
192.168.1.102 node2 node2.local

Finally, if it's completely necessary, you can install BIND and create both zones (consul.local and reverse.local) so you can have a complete authoritative DNS service and have an AUTH response to each of your queries. A good example can be found here.

Please let me know if this is useful to you or if something is missing, and I'll try to dig deeper in order to give you a better answer :)

Regards

-JP
JorgeHPM
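
An added example, not part of either post above: a systemd-resolved drop-in that uses a routing domain to send only the private zone to the local Consul listener, so internal names are not handed to the upstream resolver. It assumes the zone is named `consul`, that Consul answers on 127.0.0.1 port 53 as in the question's status output, and that 169.254.169.254 is learned per link from DHCP rather than listed in the global DNS= setting; the file name is hypothetical.

```ini
# /etc/systemd/resolved.conf.d/consul.conf   (hypothetical file name)
# Added example. The zone name "consul" is an assumption: substitute
# the name of your private zone.
[Resolve]
# Global server list: only the local Consul DNS listener.
DNS=127.0.0.1
# The "~" prefix marks a routing-only domain: names ending in .consul
# are routed to the server above, and the domain is not added to the
# search list.
Domains=~consul
```

After `systemctl restart systemd-resolved`, `systemd-resolve --status` should show the routing domain under Global; names outside it keep using the per-link resolver.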